Edit tour

Windows Analysis Report
f_000112

Overview

General Information

Sample name:	f_000112
Analysis ID:	1496614
MD5:	84c82835a5d21bbcf75a61706d8ab549
SHA1:	5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256:	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
Infos:

Detection

Conti, Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Conti ransomware

Yara detected Wannacry ransomware

AI detected suspicious sample

Command shell drops VBS files

Contains functionality to detect sleep reduction / modifications

Contains functionalty to change the wallpaper

Creates files in the recycle bin to hide itself

Deletes shadow drive data (may be related to ransomware)

Drops PE files to the document folder of the user

Found Tor onion address

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Query firmware table information (likely to detect VMs)

Uses cmd line tools excessively to alter registry or file data

Writes many files with high entropy

Abnormal high CPU Usage

Contains functionality to dynamically determine API calls

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64_ra

f_000112.exe (PID: 6872 cmdline: "C:\Users\user\Desktop\f_000112.exe" MD5: 84C82835A5D21BBCF75A61706D8AB549)

attrib.exe (PID: 6932 cmdline: attrib +h . MD5: 0E938DD280E83B1596EC6AA48729C2B0)

conhost.exe (PID: 6948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 6940 cmdline: icacls . /grant Everyone:F /T /C /Q MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 6956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskdl.exe (PID: 7056 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7080 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

cmd.exe (PID: 7104 cmdline: C:\Windows\system32\cmd.exe /c 234691724246428.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cscript.exe (PID: 6292 cmdline: cscript.exe //nologo m.vbs MD5: CB601B41D4C8074BE8A84AED564A94DC)

taskdl.exe (PID: 6204 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1732 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6372 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2888 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6404 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6444 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6416 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6552 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6560 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6520 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6516 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6592 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6596 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5464 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4780 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2712 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 932 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6064 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2312 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1736 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5564 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1996 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4396 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4320 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1552 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3968 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4992 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6696 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2460 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5936 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6692 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

svchost.exe (PID: 6756 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

taskdl.exe (PID: 6928 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7032 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7116 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7112 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

MoUsoCoreWorker.exe (PID: 4684 cmdline: C:\Windows\System32\mousocoreworker.exe -Embedding MD5: 0FBA74C118D80D061FFCE102CCC0DF5E)

taskdl.exe (PID: 3808 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7136 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6484 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

SIHClient.exe (PID: 6636 cmdline: C:\Windows\System32\sihclient.exe /cv sLtwoH0bEUKG+NxKNhh+6w.0.2 MD5: 8BE47315BF30475EEECE8E39599E9273)

taskdl.exe (PID: 548 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 432 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5292 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5916 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2080 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1860 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4048 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3496 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1540 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3728 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6696 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2460 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6700 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4264 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4776 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6972 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7000 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7092 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1468 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6160 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7112 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1036 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6404 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6536 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2536 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4732 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6484 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5924 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1828 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1764 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5292 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4592 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 424 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2080 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4248 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3284 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6336 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1372 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1996 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1608 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2276 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3728 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4184 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2460 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6700 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 444 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6944 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6972 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7000 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1284 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6232 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6196 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5952 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2336 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6436 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6528 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3544 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6908 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5000 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6508 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2924 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1228 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3012 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2548 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1360 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2868 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4592 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4308 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3588 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2532 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3312 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3996 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1552 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6096 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1832 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5228 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1316 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

dllhost.exe (PID: 1476 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

taskdl.exe (PID: 6380 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 364 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2460 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 828 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6928 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7096 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7100 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 636 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1468 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6272 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6092 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2888 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6192 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1172 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

f_000112.exe (PID: 4008 cmdline: "C:\Users\user\Desktop\f_000112.exe" MD5: 84C82835A5D21BBCF75A61706D8AB549)

attrib.exe (PID: 1956 cmdline: attrib +h . MD5: 0E938DD280E83B1596EC6AA48729C2B0)

conhost.exe (PID: 3184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 1948 cmdline: icacls . /grant Everyone:F /T /C /Q MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 6916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskdl.exe (PID: 5928 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4080 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1640 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1884 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2352 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1788 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2604 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3068 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5612 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3368 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3636 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3544 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3476 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6920 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3568 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5000 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6632 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6360 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2412 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4152 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4372 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4336 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1228 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2740 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2216 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3488 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5292 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5916 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3548 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4864 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1860 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3588 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4980 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5088 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5144 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4124 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4572 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4820 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2544 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3964 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4416 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4984 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5844 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4944 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1988 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3496 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1060 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1084 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6792 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4132 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Conti, Conti Lock	Conti is an extremely damaging ransomware due to the speed with which it encrypts data and spreads to other systems. It was first observed in 2020 and it is thought to be led by a Russia-based cybercrime group that goes under the Wizard Spider pseudonym. In early May 2022, the US government announced a reward of up to $10 million for information on the Conti ransomware gang.	No Attribution	http://chuongdong.com/reverse%20engineering/2020/12/15/ContiRansomware/ https://0xthreatintel.medium.com/reversing-conti-ransomware-bfce15019e74 https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf https://arcticwolf.com/resources/blog/conti-and-akira-chained-together/	https://malpedia.caad.fkie.fraunhofer.de/details/win.conti

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
f_000112	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
f_000112	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x342d41:$x2: taskdl.exe 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
f_000112	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
f_000112	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...

Dropped Files

Source	Rule	Description	Author	Strings
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@WanaDecryptor@.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\@WanaDecryptor@.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@WanaDecryptor@.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\u.wnry	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
Click to see the 33 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1182915261.000000000040E000.00000008.00000001.01000000.00000003.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000097.00000002.1486778003.000000000040F000.00000004.00000001.01000000.00000003.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000000.00000003.1477873631.00000000009D5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: f_000112.exe PID: 6872	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
Process Memory Space: f_000112.exe PID: 6872	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.f_000112.exe.957150.0.unpack	WanaCry	WanaCry Payload	kevoreilly	0xd5c4:$exename: @WanaDecryptor@.exe 0xd60c:$exename: @WanaDecryptor@.exe 0xd8c0:$res: %08X.res 0xd8b4:$pky: %08X.pky 0xd8a8:$eky: %08X.eky 0x5ba9:$taskstart: 8B 35 58 71 00 10 53 68 C0 D8 00 10 68 F0 DC 00 10 FF D6 83 C4 0C 53 68 B4 D8 00 10 68 24 DD 00 10 FF D6 83 C4 0C 53 68 A8 D8 00 10 68 58 DD 00 10 FF D6 53
151.2.f_000112.exe.10000000.1.unpack	WanaCry	WanaCry Payload	kevoreilly	0xd5c4:$exename: @WanaDecryptor@.exe 0xd60c:$exename: @WanaDecryptor@.exe 0xd8c0:$res: %08X.res 0xd8b4:$pky: %08X.pky 0xd8a8:$eky: %08X.eky 0x5ba9:$taskstart: 8B 35 58 71 00 10 53 68 C0 D8 00 10 68 F0 DC 00 10 FF D6 83 C4 0C 53 68 B4 D8 00 10 68 24 DD 00 10 FF D6 83 C4 0C 53 68 A8 D8 00 10 68 58 DD 00 10 FF D6 53
151.2.f_000112.exe.ac6d78.0.raw.unpack	WanaCry	WanaCry Payload	kevoreilly	0xd5c4:$exename: @WanaDecryptor@.exe 0xd60c:$exename: @WanaDecryptor@.exe 0xd8c0:$res: %08X.res 0xd8b4:$pky: %08X.pky 0xd8a8:$eky: %08X.eky 0x5ba9:$taskstart: 8B 35 58 71 00 10 53 68 C0 D8 00 10 68 F0 DC 00 10 FF D6 83 C4 0C 53 68 B4 D8 00 10 68 24 DD 00 10 FF D6 83 C4 0C 53 68 A8 D8 00 10 68 58 DD 00 10 FF D6 53
151.2.f_000112.exe.ac6d78.0.unpack	WanaCry	WanaCry Payload	kevoreilly	0xd5c4:$exename: @WanaDecryptor@.exe 0xd60c:$exename: @WanaDecryptor@.exe 0xd8c0:$res: %08X.res 0xd8b4:$pky: %08X.pky 0xd8a8:$eky: %08X.eky 0x5ba9:$taskstart: 8B 35 58 71 00 10 53 68 C0 D8 00 10 68 F0 DC 00 10 FF D6 83 C4 0C 53 68 B4 D8 00 10 68 24 DD 00 10 FF D6 83 C4 0C 53 68 A8 D8 00 10 68 58 DD 00 10 FF D6 53
0.2.f_000112.exe.957150.0.raw.unpack	WanaCry	WanaCry Payload	kevoreilly	0xd5c4:$exename: @WanaDecryptor@.exe 0xd60c:$exename: @WanaDecryptor@.exe 0xd8c0:$res: %08X.res 0xd8b4:$pky: %08X.pky 0xd8a8:$eky: %08X.eky 0x5ba9:$taskstart: 8B 35 58 71 00 10 53 68 C0 D8 00 10 68 F0 DC 00 10 FF D6 83 C4 0C 53 68 B4 D8 00 10 68 24 DD 00 10 FF D6 83 C4 0C 53 68 A8 D8 00 10 68 58 DD 00 10 FF D6 53
0.0.f_000112.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0.0.f_000112.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x342d41:$x2: taskdl.exe 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
0.0.f_000112.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0.0.f_000112.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\f_000112.exe, ProcessId: 6872, TargetFilename: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\StartUp\~SDF366.tmp

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\f_000112.exe", ParentImage: C:\Users\user\Desktop\f_000112.exe, ParentProcessId: 6872, ParentProcessName: f_000112.exe, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 6756, ProcessName: svchost.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: cscript.exe //nologo m.vbs, CommandLine: cscript.exe //nologo m.vbs, CommandLine|base64offset|contains: (, Image: C:\Windows\SysWOW64\cscript.exe, NewProcessName: C:\Windows\SysWOW64\cscript.exe, OriginalFileName: C:\Windows\SysWOW64\cscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c 234691724246428.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7104, ParentProcessName: cmd.exe, ProcessCommandLine: cscript.exe //nologo m.vbs, ProcessId: 6292, ProcessName: cscript.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\f_000112.exe", ParentImage: C:\Users\user\Desktop\f_000112.exe, ParentProcessId: 6872, ParentProcessName: f_000112.exe, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 6756, ProcessName: svchost.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Malspam - Source IP: 192.168.2.16 - Destination IP: 163.172.13.165

Timestamp:	2024-08-21T15:19:28.901966+0200
SID:	2028377
Severity:	3
Source Port:	59310
Destination Port:	9001
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - Possible Malware - Malspam - Source IP: 192.168.2.16 - Destination IP: 81.7.10.93

Timestamp:	2024-08-21T15:19:28.901966+0200
SID:	2028377
Severity:	3
Source Port:	59312
Destination Port:	31337
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - Possible Malware - Malspam - Source IP: 192.168.2.16 - Destination IP: 185.100.84.212

Timestamp:	2024-08-21T15:19:28.901966+0200
SID:	2028377
Severity:	3
Source Port:	59313
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - Possible Malware - Malspam - Source IP: 192.168.2.16 - Destination IP: 128.31.0.39

Timestamp:	2024-08-21T15:21:58.943943+0200
SID:	2028377
Severity:	3
Source Port:	59311
Destination Port:	9101
Protocol:	TCP
Classtype:	Unknown Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: f_000112

Avira: detected

Antivirus detection for dropped file

Source: C:\@WanaDecryptor@.exe

Avira: detection malicious, Label: TR/FileCoder.724645

Multi AV Scanner detection for dropped file

Source: C:\@WanaDecryptor@.exe	ReversingLabs: Detection: 97%
Source: C:\Users\user\AppData\Local\@WanaDecryptor@.exe	ReversingLabs: Detection: 97%
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	ReversingLabs: Detection: 97%
Source: C:\Users\user\Desktop\taskdl.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\Desktop\taskse.exe	ReversingLabs: Detection: 89%
Source: C:\Users\user\Desktop\u.wnry	ReversingLabs: Detection: 97%
Source: C:\Users\user\Documents\@WanaDecryptor@.exe	ReversingLabs: Detection: 97%
Source: C:\Users\user\Downloads\@WanaDecryptor@.exe	ReversingLabs: Detection: 97%

Multi AV Scanner detection for submitted file

Source: f_000112

ReversingLabs: Detection: 92%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\@WanaDecryptor@.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: f_000112

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\f_000112.exe	Code function: 151_2_10004420 CryptGenRandom,	151_2_10004420
Source: C:\Users\user\Desktop\f_000112.exe	Code function: 151_2_10004040 CryptExportKey,GlobalAlloc,CryptExportKey,_local_unwind2,CreateFileA,WriteFile,_local_unwind2,	151_2_10004040
Source: C:\Users\user\Desktop\f_000112.exe	Code function: 151_2_10004170 CryptExportKey,CryptGetKeyParam,GlobalAlloc,GlobalFree,	151_2_10004170
Source: C:\Users\user\Desktop\f_000112.exe	Code function: 151_2_10003BB0 GetFileAttributesA,CryptReleaseContext,	151_2_10003BB0

Source: f_000112

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:

Binary string: aC:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.pngp\Symbols\ntkrnlmp.pdbiceHG source: f_000112.exe, 00000000.00000003.2247946530.0000000003720000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\f_000112.exe	Code function: 151_2_10002300 CloseHandle,SHGetFolderPathW,??2@YAPAXI@Z,swprintf,FindFirstFileW,??3@YAXPAX@Z,??3@YAXPAX@Z,wcscmp,wcscmp,wcscmp,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcscmp,wcscmp,wcscmp,wcsncpy,wcsncpy,wcsncpy,FindNextFileW,FindClose,_wcsnicmp,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,		151_2_10002300
Source: C:\Users\user\Desktop\f_000112.exe	Code function: 151_2_10004A40 CloseHandle,SHGetFolderPathW,wcslen,SHGetFolderPathW,SHGetFolderPathW,wcslen,wcsrchr,wcschr,SHGetFolderPathW,wcslen,wcsrchr,swprintf,FindFirstFileW,wcscmp,wcscmp,swprintf,wcscmp,swprintf,FindNextFileW,FindClose,		151_2_10004A40

Source: C:\Users\user\Desktop\f_000112.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Archive\~SD3406.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\~SDBF32.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Archive\Apps\~SD3407.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\~SD4A4C.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\~SD3405.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\GenuineTicket\~SD3417.tmp	Jump to behavior

Networking

Found Tor onion address

Source: f_000112.exe, 00000000.00000002.2469078790.000000001000D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C115p7UMMngoj1pMvkpHijcRdfJNXj6LrLngx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
Source: f_000112.exe, 00000097.00000002.1487413082.0000000002620000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C115p7UMMngoj1pMvkpHijcRdfJNXj6LrLngx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zipk

Source: global traffic

TCP traffic: 192.168.2.16:59301 -> 162.159.36.2:53

Source: Network traffic	Suricata IDS: 2028377 - Severity 3 - ET JA3 Hash - Possible Malware - Malspam : 192.168.2.16:59311 -> 128.31.0.39:9101
Source: Network traffic	Suricata IDS: 2028377 - Severity 3 - ET JA3 Hash - Possible Malware - Malspam : 192.168.2.16:59310 -> 163.172.13.165:9001
Source: Network traffic	Suricata IDS: 2028377 - Severity 3 - ET JA3 Hash - Possible Malware - Malspam : 192.168.2.16:59312 -> 81.7.10.93:31337
Source: Network traffic	Suricata IDS: 2028377 - Severity 3 - ET JA3 Hash - Possible Malware - Malspam : 192.168.2.16:59313 -> 185.100.84.212:443

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2

Source: store.db.51.dr	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/ftpk/2023/08/windows10.0-kb5011048-x6
Source: store.db.51.dr	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/updt/2023/09/windows10.0-kb5001716-x6
Source: m_danish.wnry.0.dr	String found in binary or memory: http://schemas.micr
Source: store.db.51.dr	String found in binary or memory: http://tlu.d
Source: store.db.51.dr	String found in binary or memory: http://tlu.dl
Source: store.db.51.dr	String found in binary or memory: http://tlu.dl.
Source: store.db.51.dr	String found in binary or memory: http://tlu.dl.d
Source: store.db.51.dr	String found in binary or memory: http://tlu.dl.de
Source: store.db.51.dr	String found in binary or memory: http://tlu.dl.del
Source: store.db.51.dr	String found in binary or memory: http://tlu.dl.deli
Source: store.db.51.dr	String found in binary or memory: http://tlu.dl.deliv
Source: store.db.51.dr	String found in binary or memory: http://tlu.dl.delive
Source: store.db.51.dr	String found in binary or memory: http://tlu.dl.deliver
Source: store.db.51.dr	String found in binary or memory: http://tlu.dl.delivery
Source: store.db.51.dr	String found in binary or memory: http://tlu.dl.delivery.
Source: store.db.51.dr	String found in binary or memory: http://tlu.dl.delivery.m
Source: store.db.51.dr	String found in binary or memory: http://tlu.dl.delivery.mp
Source: store.db.51.dr	String found in binary or memory: http://tlu.dl.delivery.mp.
Source: store.db.51.dr	String found in binary or memory: http://tlu.dl.delivery.mp.m
Source: store.db.51.dr	String found in binary or memory: http://tlu.dl.delivery.mp.mi
Source: store.db.51.dr	String found in binary or memory: http://tlu.dl.delivery.mp.mic
Source: store.db.51.dr	String found in binary or memory: http://tlu.dl.delivery.mp.micr
Source: store.db.51.dr	String found in binary or memory: http://tlu.dl.delivery.mp.micrBosoft.com/filestreamingservice/files/e5fd51e1-714d-4a9f-ad84-b9c7c9da
Source: store.db.51.dr	String found in binary or memory: http://tlu.dl.delivery.mp.micraosoft.com/filestreamingservice/files/a730fbc0-b3e6-42bf-9776-5c1a9503
Source: store.db.51.dr	String found in binary or memory: http://tlu.dl.delivery.mp.micro
Source: store.db.51.dr	String found in binary or memory: http://tlu.dl.delivery.mp.micros
Source: store.db.51.dr	String found in binary or memory: http://tlu.dl.delivery.mp.micros5oft.com/filestreamingservice/files/621f41c6-598e-4516-bb23-be21d146
Source: store.db.51.dr	String found in binary or memory: http://tlu.dl.delivery.mp.microsLoft.com/filestreamingservice/files/ae12b07d-3012-4812-92a3-bdc1df33
Source: store.db.51.dr	String found in binary or memory: http://tlu.dl.delivery.mp.microso
Source: store.db.51.dr	String found in binary or memory: http://tlu.dl.delivery.mp.microsof
Source: store.db.51.dr	String found in binary or memory: http://tlu.dl.delivery.mp.microsoft
Source: store.db.51.dr	String found in binary or memory: http://tlu.dl.delivery.mp.microsoft.
Source: store.db.51.dr	String found in binary or memory: http://tlu.dl.delivery.mp.microsoft.8com/filestreamingservice/files/1e08863d-491b-4609-a0f8-bd8fb8ab
Source: store.db.51.dr	String found in binary or memory: http://tlu.dl.delivery.mp.microsoft.c
Source: store.db.51.dr	String found in binary or memory: http://tlu.dl.delivery.mp.microsoft.co
Source: store.db.51.dr	String found in binary or memory: http://tlu.dl.delivery.mp.microsoft.coEm/filestreamingservice/files/17a1f764-1e22-4005-ad95-0bc97022
Source: svchost.exe, 0000002B.00000002.1368381981.0000021CF6013000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: f_000112.exe, 00000000.00000003.1477873631.00000000009D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s
Source: f_000112.exe, 00000000.00000003.1477873631.00000000009D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how
Source: svchost.exe, 0000002B.00000003.1367422896.0000021CF6057000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367461445.0000021CF6059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: f_000112.exe, 00000000.00000002.2445942676.0000000002E80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696581201119.12791&key=1696581201400600
Source: f_000112.exe, 00000000.00000002.2445942676.0000000002E80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696581201119.12791&key=1696581201400600000.1&cta
Source: f_000112.exe, 00000000.00000002.2445942676.0000000002E80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: f_000112.exe, 00000000.00000002.2445942676.0000000002E80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: svchost.exe, 0000002B.00000002.1368787378.0000021CF605A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367422896.0000021CF6057000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 0000002B.00000003.1367422896.0000021CF6057000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000002.1368895493.0000021CF6081000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367593072.0000021CF605B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367271135.0000021CF6062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000002.1368828355.0000021CF6065000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367359562.0000021CF605E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000002B.00000003.1367422896.0000021CF6057000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367461445.0000021CF6059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000002B.00000003.1367209624.0000021CF6067000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000002B.00000003.1366869450.0000021CF6085000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000002B.00000003.1367422896.0000021CF6057000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367461445.0000021CF6059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000002B.00000002.1368644717.0000021CF603F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367422896.0000021CF6057000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367593072.0000021CF605B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367271135.0000021CF6062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000002.1368828355.0000021CF6065000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000002B.00000003.1367422896.0000021CF6057000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367461445.0000021CF6059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000002B.00000003.1367209624.0000021CF6067000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000002.1368487965.0000021CF602B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000002B.00000003.1367422896.0000021CF6057000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367461445.0000021CF6059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000002B.00000003.1367422896.0000021CF6057000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367461445.0000021CF6059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000002B.00000003.1367422896.0000021CF6057000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367461445.0000021CF6059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000002B.00000002.1368644717.0000021CF603F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367271135.0000021CF6062000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000002B.00000002.1368747089.0000021CF6052000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000002B.00000003.1367422896.0000021CF6057000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367461445.0000021CF6059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000002B.00000003.1367271135.0000021CF6062000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: f_000112.exe, 00000000.00000002.2469078790.000000001000D000.00000004.00001000.00020000.00000000.sdmp, f_000112.exe, 00000097.00000002.1487413082.0000000002620000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
Source: f_000112.exe, 00000097.00000002.1487413082.0000000002620000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zipk
Source: svchost.exe, 0000002B.00000003.1367627141.0000021CF6044000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367271135.0000021CF6062000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000002B.00000002.1368747089.0000021CF6052000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000002B.00000003.1367271135.0000021CF6062000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000002B.00000003.1367657109.0000021CF6054000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367359562.0000021CF605E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 0000002B.00000003.1367627141.0000021CF6044000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367271135.0000021CF6062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000002.1368828355.0000021CF6065000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367359562.0000021CF605E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000002.1368747089.0000021CF6052000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000002B.00000003.1367422896.0000021CF6057000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367461445.0000021CF6059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000002B.00000003.1367209624.0000021CF6067000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000002.1368487965.0000021CF602B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: f_000112.exe, 00000000.00000002.2445942676.0000000002E80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4CLXfQbX4pbW4QbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: svchost.exe, 0000002B.00000003.1367718661.0000021CF6031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak
Source: svchost.exe, 0000002B.00000003.1367718661.0000021CF6031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dyn
Source: svchost.exe, 0000002B.00000003.1367718661.0000021CF6031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.v
Source: svchost.exe, 0000002B.00000003.1367657109.0000021CF6054000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000002B.00000003.1367718661.0000021CF6031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odv
Source: svchost.exe, 0000002B.00000003.1367718661.0000021CF6031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs
Source: svchost.exe, 0000002B.00000003.1367627141.0000021CF6044000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000002B.00000002.1368543054.0000021CF603B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000002B.00000003.1367422896.0000021CF6057000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000002B.00000002.1368487965.0000021CF602B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000002B.00000003.1367422896.0000021CF6057000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367461445.0000021CF6059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000002B.00000002.1368787378.0000021CF605A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367422896.0000021CF6057000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: f_000112.exe, 00000000.00000002.2445942676.0000000002E80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_39e4b8f6fd6635158ad433436bdaa069841cfdf8e1989e03
Source: f_000112.exe, 00000000.00000003.1477873631.00000000009D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=how
Source: f_000112.exe, 00000000.00000002.2445942676.0000000002E80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_

Spam, unwanted Advertisements and Ransom Demands

Yara detected Conti ransomware

Source: Yara match

File source: Process Memory Space: f_000112.exe PID: 6872, type: MEMORYSTR

Yara detected Wannacry ransomware

Source: Yara match	File source: f_000112, type: SAMPLE
Source: Yara match	File source: 0.0.f_000112.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1477873631.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: f_000112.exe PID: 6872, type: MEMORYSTR
Source: Yara match	File source: C:\@WanaDecryptor@.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Desktop\u.wnry, type: DROPPED

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\f_000112.exe

Code function: 151_2_10004F20 swprintf,swprintf,MultiByteToWideChar,CopyFileW,CopyFileW,GetUserNameW,_wcsicmp,SystemParametersInfoW,swprintf,CopyFileW,

151_2_10004F20

Deletes shadow drive data (may be related to ransomware)

Source: f_000112.exe, 00000000.00000003.1477873631.00000000009D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: f_000112.exe, 00000000.00000003.1477873631.00000000009D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietvscofi13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94Englishm_%s.wnrymsg\<https://<http://%d/%d/%d %02d:%02d:%02d00;00;00;00http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how+to+buy+bitcoinhttps://en.wikipedia.org/wiki/BitcoinSend %.1f BTC to this address:%.1f BTCSend $%d worth of bitcoin to this address:$%d%02d;%02d;%02d;%02d***b.wnry+++---%s%s%d%I64d%dFailed to send your message!

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\f_000112.exe	File moved: C:\Users\user\Desktop\NYMMPCEIMA.png	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File deleted: C:\Users\user\Desktop\NYMMPCEIMA.png	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File moved: C:\Users\user\Desktop\EFOYFBOLXA\GRXZDKKVDB.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File deleted: C:\Users\user\Desktop\EFOYFBOLXA\GRXZDKKVDB.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File moved: C:\Users\user\Desktop\DUUDTUBZFW.png	Jump to behavior

Writes many files with high entropy

Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOqiqEgQ2[1].js.WNCRYT entropy: 7.99509902057	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\0JQ5B395\microsoft-365-logo-01d5ecd01a[1].png.WNCRYT entropy: 7.99066149925	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\6EVGB5XB\pwa-bootstrap-5e7af218e953d095fabf[1].js.WNCRYT entropy: 7.99782986143	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\6EVGB5XB\pwa-mru.2ce72562ad7c0ae7059c.chunk.v7[1].js.WNCRYT entropy: 7.99504603508	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\7OUVBIZR\pwa-vendor-bundle-ba2888a24179bf152f3d[1].js.WNCRYT entropy: 7.99974769469	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\OB7JJZIK\otel-logger-104bffe9378b8041455c[1].js.WNCRYT entropy: 7.99821082456	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\OB7JJZIK\pwa-bundle-3a99f64809c6780df035[1].js.WNCRYT entropy: 7.99984836552	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\OB7JJZIK\staticpwascripts-30998bff8f[1].js.WNCRYT entropy: 7.99004377911	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\1Sd5265G8OlnRColAI8O_SxSQ1Q.br[1].js.WNCRYT entropy: 7.99860878635	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\1_gc11zDuaJOyBP7gyptBGdPRf4.br[1].js.WNCRYT entropy: 7.9966696445	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\584482RVjBIoEvVSe0RsuS1I4YQ.br[1].js.WNCRYT entropy: 7.9958056876	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\6qhc82nhlRe74lC1CBjrzThsaXw.br[1].js.WNCRYT entropy: 7.99561737421	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\edge_tracking_page_validator.js.WNCRYT entropy: 7.99771738528	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\DccpWCpoNzCwM4Qymi_Ji67Ilso.br[1].js.WNCRYT entropy: 7.99883776785	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\EYNLM9RfkEXFtD8WH1unvJjwzGA.br[1].js.WNCRYT entropy: 7.99031331592	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\f8FI06PDUmw1Zws81nUDYY3bWsY.br[1].js.WNCRYT entropy: 7.99639203867	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\shopping_iframe_driver.js.WNCRYT entropy: 7.99294208946	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\vendor.bundle.js.WNCRYT entropy: 7.99989195338	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\HSDak9V_lmtkNU64sorwQW-6T38.br[1].js.WNCRYT entropy: 7.9998840941	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\wallet.bundle.js.WNCRYT entropy: 7.9999324125	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\Ix6gLNUjdsfo1b44Xv9sX0Ilnxw.br[1].js.WNCRYT entropy: 7.99803196969	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\bnpl\bnpl.bundle.js.WNCRYT entropy: 7.99977036343	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\Kwh038ybdvX_puLwdopqHydJtVM.br[1].js.WNCRYT entropy: 7.9996193446	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Mini-Wallet\miniwallet.bundle.js.WNCRYT entropy: 7.99950569577	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\lh0O3d6Fmm9PYPDqG8PqHJ4MS7w.br[1].js.WNCRYT entropy: 7.99776097152	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\LisgCZCwGQ4lRz4go9tlwPslw_k.br[1].js.WNCRYT entropy: 7.99021737353	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\90SNK17T\oneDs_f2e0f4a029670f10d892[1].js.WNCRYT entropy: 7.99901138487	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\lpbsfnKE_8agtRF97FH08WFLR1w.br[1].js.WNCRYT entropy: 7.99943627289	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\IndexedDB.edb.WNCRYT entropy: 7.99991047054	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\GLEAM-DARK.svg.WNCRYT entropy: 7.9981571699	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\MgSq5EEOyYvlI1qVlLOXfgRHmzM.br[1].js.WNCRYT entropy: 7.99843051687	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\GLEAM-LIGHT.svg.WNCRYT entropy: 7.99833050334	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\MR6Zgdyo2coaDBmJxRBOLkPvlpk.br[1].js.WNCRYT entropy: 7.99928500934	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_background.js.WNCRYT entropy: 7.99965278262	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_window.js.WNCRYT entropy: 7.99928673199	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif.WNCRYT entropy: 7.99747110655	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\Ov6JSivEymftttgBEDwd3JIRgz0.br[1].js.WNCRYT entropy: 7.99930838696	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\RfoQ_WQ8YccBpTTC1JFx7r-9GWU.br[1].js.WNCRYT entropy: 7.99912190854	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\UHyc3IjuWFO6s9IoOlmmJWw7Jqs.br[1].js.WNCRYT entropy: 7.99966483621	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Notification\notification.bundle.js.WNCRYT entropy: 7.99961219602	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\vPBP7RPIJrbNZlhe-HUXYkcDX0A.br[1].js.WNCRYT entropy: 7.99695083304	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Notification\notification_fast.bundle.js.WNCRYT entropy: 7.99939966648	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\x9TiBFKPhYF4yOf0IfKaPIf64qI.br[1].js.WNCRYT entropy: 7.99834529963	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Tokenized-Card\tokenized-card.bundle.js.WNCRYT entropy: 7.99967547069	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\xO01H2dEYfjtj69ouv_nR5Al0cU.br[1].js.WNCRYT entropy: 7.99890728023	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\ZNvOyS-r2rT3Al22ByUYXLQ5kPY.br[1].js.WNCRYT entropy: 7.99820879258	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Wallet-Checkout\wallet-drawer.bundle.js.WNCRYT entropy: 7.99987965383	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\0JQ5B395\pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7[1].js.WNCRYT entropy: 7.99479507597	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{0DD3376E-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.WNCRYT entropy: 7.99951164696	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133687200080523294.txt.WNCRYT entropy: 7.99850933981	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\0JQ5B395\pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7[1].js.WNCRYT entropy: 7.99020572897	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000013.db.WNCRYT entropy: 7.99825062911	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\OB7JJZIK\pwa-forms-group~mru~officeforms-group-forms~officeforms-my-forms~places.bcdc404c7fe22f14ccad.chunk.v7[1].js.WNCRYT entropy: 7.99616459662	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{f7654fd4-7ecd-4743-acf3-b2a165fc8601}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99513083513	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db.WNCRYT entropy: 7.99822583324	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000005.db.WNCRYT entropy: 7.99736776038	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\33CUD2J1\ConvergedLogin_PCore_AI1nyU_u3YQ_at1fSBm4Uw2[1].js.WNCRYT entropy: 7.99956402558	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\33CUD2J1\ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2[1].js.WNCRYT entropy: 7.99954179951	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133687200380752461.txt.WNCRYT entropy: 7.99858613173	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\ProgramData\Microsoft\Diagnosis\EventStore.db.WNCRYT entropy: 7.99815323882	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.WNCRYT entropy: 7.99968825896	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\OB7JJZIK\sharedscripts-939520eada[1].js.WNCRYT entropy: 7.99631525668	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cert9.db.WNCRYT entropy: 7.99913816436	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AppData\CacheStorage\CacheStorage.edb.WNCRYT entropy: 7.99987199429	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\key4.db.WNCRYT entropy: 7.99926317248	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AppData\CacheStorage\CacheStorage.edb.WNCRYT entropy: 7.99988517552	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\ProgramData\Microsoft\User Account Pictures\user.bmp.WNCRYT entropy: 7.99967597937	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\6hU_LneafI_NFLeDvM367ebFaKQ[1].js.WNCRYT entropy: 7.99108029181	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\aABLNT_FV45QjYQfnRHrBCAk4GU[1].js.WNCRYT entropy: 7.99866131333	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\7TU8ICAJ\WwF5sNrjseqq673SafWJ8p6dARY[1].js.WNCRYT entropy: 7.99690980752	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db.WNCRYT entropy: 7.99967895258	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\QTRC1JK9\X6j0qPgNij1n_IogMJrgYaT9Kp8[1].js.WNCRYT entropy: 7.99103029736	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRYT entropy: 7.99964810598	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db.WNCRYT entropy: 7.9940438706	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db.WNCRYT entropy: 7.99297205569	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb.WNCRYT entropy: 7.99891561265	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.WNCRYT entropy: 7.99043325525	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb.WNCRYT entropy: 7.99998890747	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db.WNCRYT entropy: 7.99906229113	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-GB\WelcomeFax.tif.WNCRYT entropy: 7.99801036984	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.WNCRYT entropy: 7.99620901969	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.WNCRYT entropy: 7.99452910142	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\3DD78803-01DE-4232-A9F6-781F290BD1C3\operations.db.WNCRYT entropy: 7.99998354956	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.WNCRYT entropy: 7.99849814956	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.WNCRYT entropy: 7.99170075258	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.WNCRYT entropy: 7.99625965637	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.WNCRYT entropy: 7.99867980243	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.WNCRYT entropy: 7.99382288564	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000009.db.WNCRYT entropy: 7.9993660955	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000a.db.WNCRYT entropy: 7.99930389397	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000d.db.WNCRYT entropy: 7.99936877069	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.WNCRYT entropy: 7.99969733901	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt.WNCRYT entropy: 7.99238251738	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-0488A702D8A6400042FFB1D7ADF4EEF36AD772FD.bin.DB.WNCRYT entropy: 7.99988449679	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\3DD78803-01DE-4232-A9F6-781F290BD1C3\en-us.16\stream.x86.en-us.db.WNCRYT entropy: 7.9996111697	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\3DD78803-01DE-4232-A9F6-781F290BD1C3\x-none.16\stream.x86.x-none.db.WNCRYT entropy: 7.99987887068	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\EADPData Component\4.0.2.33\data.txt.WNCRYT entropy: 7.99774622888	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Temp\user.bmp.WNCRYT entropy: 7.99971817107	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Temp\jones.bmp.WNCRYT entropy: 7.99968992864	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db.WNCRYT entropy: 7.99137432533	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db.WNCRYT entropy: 7.99983638734	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\first_party_sets.db.WNCRYT entropy: 7.99621143518	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db.WNCRYT entropy: 7.99373344313	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt.WNCRYT entropy: 7.99970509506	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db.WNCRYT entropy: 7.99237029198	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db.WNCRYT entropy: 7.99189745831	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db.WNCRYT entropy: 7.99285905753	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\7OUVBIZR\hero-image-desktop-f6720a4145[1].jpg.WNCRYT entropy: 7.99880559128	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133517913551623871.txt.WNCRYT entropy: 7.99833583443	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133517913644287936.txt.WNCRYT entropy: 7.99827150982	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\eventpage_bin_prod.js.WNCRYT entropy: 7.99743820869	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db.WNCRYT entropy: 7.99980597239	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133687199480522568.txt.WNCRYT entropy: 7.99835380864	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db.WNCRYT entropy: 7.99994121492	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133687199780329628.txt.WNCRYT entropy: 7.99810350811	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db.WNCRYT entropy: 7.99992629	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{d06c509d-8a30-4327-922a-2afb1630c2aa}\appsconversions.txt.WNCRYT entropy: 7.99987813748	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db.WNCRYT entropy: 7.99991331686	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{d06c509d-8a30-4327-922a-2afb1630c2aa}\appsglobals.txt.WNCRYT entropy: 7.99948552777	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db.WNCRYT entropy: 7.996236762	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{d06c509d-8a30-4327-922a-2afb1630c2aa}\appssynonyms.txt.WNCRYT entropy: 7.99924029745	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db.WNCRYT entropy: 7.99981883797	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{d06c509d-8a30-4327-922a-2afb1630c2aa}\settingsglobals.txt.WNCRYT entropy: 7.99613953662	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db.WNCRYT entropy: 7.99977748076	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{40385465-94d7-4db6-a4cb-fc8229e20afa}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99460204066	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db.WNCRYT entropy: 7.99983931092	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4b6fb67e-d996-419d-8681-98d6e0bd0771}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99599013012	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db.WNCRYT entropy: 7.99980742155	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\ConvergedLoginPaginatedStrings.en-gb_BxKM4IRLudkIao5qoVhSFA2[1].js.WNCRYT entropy: 7.99552800442	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{cf92e777-46b8-4fc9-af99-a04f95a19936}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99479625809	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db.WNCRYT entropy: 7.99995438005	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{d06c509d-8a30-4327-922a-2afb1630c2aa}\settingsconversions.txt.WNCRYT entropy: 7.99963556132	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\Desktop\s.wnry entropy: 7.998263053	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\Desktop\t.wnry entropy: 7.99727613788	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db.WNCRYT entropy: 7.9968302518	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{d06c509d-8a30-4327-922a-2afb1630c2aa}\settingssynonyms.txt.WNCRYT entropy: 7.99815123661	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db.WNCRYT entropy: 7.99984167465	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{615928dd-022f-4339-b734-9a8a7fd59f58}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99919373518	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Temp\18e190413af045db88dfbd29609eb877.db.WNCRYT entropy: 7.99185750145	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{af177fd8-4436-44f8-b660-59b1d73126a6}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99922045547	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeEDrop\EdgeEDropSQLite.db.WNCRYT entropy: 7.99460896225	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\edge_driver.js.WNCRYT entropy: 7.99989120973	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\product_page.js.WNCRYT entropy: 7.99982974607	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\shopping.js.WNCRYT entropy: 7.99996574621	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\shoppingfre.js.WNCRYT entropy: 7.99946752358	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\edge_driver.js.WNCRYT entropy: 7.99991360734	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeHubAppUsage\EdgeHubAppUsageSQLite.db.WNCRYT entropy: 7.99025328079	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\auto_open_controller.js.WNCRYT entropy: 7.99983485019	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\edge_checkout_page_validator.js.WNCRYT entropy: 7.99980482801	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\edge_confirmation_page_validator.js.WNCRYT entropy: 7.99982187432	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst.WNCRYT entropy: 7.99934806001	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst entropy: 7.99929825008	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst.WNCRY (copy) entropy: 7.99934806001	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRY (copy) entropy: 7.99964810598	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\acrobat_sbx\acroNGLLog.txt.WNCRY (copy) entropy: 7.99238251738	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\EADPData Component\4.0.2.33\data.txt.WNCRY (copy) entropy: 7.99774622888	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt.WNCRY (copy) entropy: 7.99970509506	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\7OUVBIZR\hero-image-desktop-f6720a4145[1].jpg.WNCRY (copy) entropy: 7.99880559128	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133517913551623871.txt.WNCRY (copy) entropy: 7.99833583443	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133517913644287936.txt.WNCRY (copy) entropy: 7.99827150982	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133687199480522568.txt.WNCRY (copy) entropy: 7.99835380864	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133687199780329628.txt.WNCRY (copy) entropy: 7.99810350811	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{d06c509d-8a30-4327-922a-2afb1630c2aa}\appsconversions.txt.WNCRY (copy) entropy: 7.99987813748	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{d06c509d-8a30-4327-922a-2afb1630c2aa}\appsglobals.txt.WNCRY (copy) entropy: 7.99948552777	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{d06c509d-8a30-4327-922a-2afb1630c2aa}\appssynonyms.txt.WNCRY (copy) entropy: 7.99924029745	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{d06c509d-8a30-4327-922a-2afb1630c2aa}\settingsglobals.txt.WNCRY (copy) entropy: 7.99613953662	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{40385465-94d7-4db6-a4cb-fc8229e20afa}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99460204066	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4b6fb67e-d996-419d-8681-98d6e0bd0771}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99599013012	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{cf92e777-46b8-4fc9-af99-a04f95a19936}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99479625809	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{d06c509d-8a30-4327-922a-2afb1630c2aa}\settingsconversions.txt.WNCRY (copy) entropy: 7.99963556132	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{d06c509d-8a30-4327-922a-2afb1630c2aa}\settingssynonyms.txt.WNCRY (copy) entropy: 7.99815123661	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{615928dd-022f-4339-b734-9a8a7fd59f58}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99919373518	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{af177fd8-4436-44f8-b660-59b1d73126a6}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99922045547	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133687200080523294.txt.WNCRY (copy) entropy: 7.99850933981	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{f7654fd4-7ecd-4743-acf3-b2a165fc8601}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99513083513	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Temp\61.WNCRYT (copy) entropy: 7.99929825008	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133687200380752461.txt.WNCRY (copy) entropy: 7.99858613173	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\EventStore.db.WNCRY (copy) entropy: 7.99815323882	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.bmp.WNCRY (copy) entropy: 7.99968825896	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.bmp.WNCRY (copy) entropy: 7.99967597937	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpenginedb.db.WNCRY (copy) entropy: 7.99967895258	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db.WNCRY (copy) entropy: 7.9940438706	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db.WNCRY (copy) entropy: 7.99297205569	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb.WNCRY (copy) entropy: 7.99891561265	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb.WNCRY (copy) entropy: 7.99998890747	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db.WNCRY (copy) entropy: 7.99906229113	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\VirtualInbox\en-GB\WelcomeFax.tif.WNCRY (copy) entropy: 7.99801036984	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.WNCRY (copy) entropy: 7.99620901969	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.WNCRY (copy) entropy: 7.99452910142	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\ProductReleases\3DD78803-01DE-4232-A9F6-781F290BD1C3\operations.db.WNCRY (copy) entropy: 7.99998354956	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.WNCRY (copy) entropy: 7.99849814956	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.WNCRY (copy) entropy: 7.99625965637	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.WNCRY (copy) entropy: 7.99867980243	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.WNCRY (copy) entropy: 7.99382288564	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000009.db.WNCRY (copy) entropy: 7.9993660955	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000a.db.WNCRY (copy) entropy: 7.99930389397	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000d.db.WNCRY (copy) entropy: 7.99936877069	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.WNCRY (copy) entropy: 7.99969733901	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-0488A702D8A6400042FFB1D7ADF4EEF36AD772FD.bin.DB.WNCRY (copy) entropy: 7.99988449679	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\ProductReleases\3DD78803-01DE-4232-A9F6-781F290BD1C3\en-us.16\stream.x86.en-us.db.WNCRY (copy) entropy: 7.9996111697	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\ProductReleases\3DD78803-01DE-4232-A9F6-781F290BD1C3\x-none.16\stream.x86.x-none.db.WNCRY (copy) entropy: 7.99987887068	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\user.bmp.WNCRY (copy) entropy: 7.99971817107	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jones.bmp.WNCRY (copy) entropy: 7.99968992864	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\excel.exe.db.WNCRY (copy) entropy: 7.99137432533	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\L.user\ActivitiesCache.db.WNCRY (copy) entropy: 7.99983638734	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\first_party_sets.db.WNCRY (copy) entropy: 7.99621143518	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\databases\Databases.db.WNCRY (copy) entropy: 7.99373344313	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\officec2rclient.exe.db.WNCRY (copy) entropy: 7.99237029198	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\officeclicktorun.exe.db.WNCRY (copy) entropy: 7.99189745831	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\officesetup.exe.db.WNCRY (copy) entropy: 7.99285905753	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\iconcache_16.db.WNCRY (copy) entropy: 7.99980597239	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\iconcache_256.db.WNCRY (copy) entropy: 7.99994121492	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\iconcache_32.db.WNCRY (copy) entropy: 7.99992629	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\iconcache_48.db.WNCRY (copy) entropy: 7.99991331686	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\iconcache_idx.db.WNCRY (copy) entropy: 7.996236762	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\thumbcache_16.db.WNCRY (copy) entropy: 7.99981883797	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\thumbcache_256.db.WNCRY (copy) entropy: 7.99977748076	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\thumbcache_32.db.WNCRY (copy) entropy: 7.99983931092	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\thumbcache_48.db.WNCRY (copy) entropy: 7.99980742155	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\thumbcache_96.db.WNCRY (copy) entropy: 7.99995438005	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\thumbcache_idx.db.WNCRY (copy) entropy: 7.9968302518	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Notifications\wpndatabase.db.WNCRY (copy) entropy: 7.99984167465	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\18e190413af045db88dfbd29609eb877.db.WNCRY (copy) entropy: 7.99185750145	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\EdgeEDrop\EdgeEDropSQLite.db.WNCRY (copy) entropy: 7.99460896225	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\edge_driver.js.WNCRY (copy) entropy: 7.99989120973	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\product_page.js.WNCRY (copy) entropy: 7.99982974607	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\shopping.js.WNCRY (copy) entropy: 7.99996574621	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\shoppingfre.js.WNCRY (copy) entropy: 7.99946752358	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\edge_driver.js.WNCRY (copy) entropy: 7.99991360734	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\EdgeHubAppUsage\EdgeHubAppUsageSQLite.db.WNCRY (copy) entropy: 7.99025328079	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\auto_open_controller.js.WNCRY (copy) entropy: 7.99983485019	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\edge_checkout_page_validator.js.WNCRY (copy) entropy: 7.99980482801	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\edge_confirmation_page_validator.js.WNCRY (copy) entropy: 7.99982187432	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\edge_tracking_page_validator.js.WNCRY (copy) entropy: 7.99771738528	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\shopping_iframe_driver.js.WNCRY (copy) entropy: 7.99294208946	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\vendor.bundle.js.WNCRY (copy) entropy: 7.99989195338	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\wallet.bundle.js.WNCRY (copy) entropy: 7.9999324125	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\bnpl\bnpl.bundle.js.WNCRY (copy) entropy: 7.99977036343	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Mini-Wallet\miniwallet.bundle.js.WNCRY (copy) entropy: 7.99950569577	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\IE\90SNK17T\oneDs_f2e0f4a029670f10d892[1].js.WNCRY (copy) entropy: 7.99901138487	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\IndexedDB.edb.WNCRY (copy) entropy: 7.99991047054	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\GLEAM-DARK.svg.WNCRY (copy) entropy: 7.9981571699	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\GLEAM-LIGHT.svg.WNCRY (copy) entropy: 7.99833050334	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_background.js.WNCRY (copy) entropy: 7.99965278262	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_window.js.WNCRY (copy) entropy: 7.99928673199	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif.WNCRY (copy) entropy: 7.99747110655	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Notification\notification.bundle.js.WNCRY (copy) entropy: 7.99961219602	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Notification\notification_fast.bundle.js.WNCRY (copy) entropy: 7.99939966648	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Tokenized-Card\tokenized-card.bundle.js.WNCRY (copy) entropy: 7.99967547069	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Wallet-Checkout\wallet-drawer.bundle.js.WNCRY (copy) entropy: 7.99987965383	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\{0DD3376E-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.WNCRY (copy) entropy: 7.99951164696	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000013.db.WNCRY (copy) entropy: 7.99825062911	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db.WNCRY (copy) entropy: 7.99822583324	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000005.db.WNCRY (copy) entropy: 7.99736776038	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\IE\33CUD2J1\ConvergedLogin_PCore_AI1nyU_u3YQ_at1fSBm4Uw2[1].js.WNCRY (copy) entropy: 7.99956402558	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\IE\33CUD2J1\ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2[1].js.WNCRY (copy) entropy: 7.99954179951	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\OB7JJZIK\sharedscripts-939520eada[1].js.WNCRY (copy) entropy: 7.99631525668	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AppData\CacheStorage\CacheStorage.edb.WNCRY (copy) entropy: 7.99987199429	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AppData\CacheStorage\CacheStorage.edb.WNCRY (copy) entropy: 7.99988517552	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\6hU_LneafI_NFLeDvM367ebFaKQ[1].js.WNCRY (copy) entropy: 7.99108029181	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\aABLNT_FV45QjYQfnRHrBCAk4GU[1].js.WNCRY (copy) entropy: 7.99866131333	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\7TU8ICAJ\WwF5sNrjseqq673SafWJ8p6dARY[1].js.WNCRY (copy) entropy: 7.99690980752	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\QTRC1JK9\X6j0qPgNij1n_IogMJrgYaT9Kp8[1].js.WNCRY (copy) entropy: 7.99103029736	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.WNCRY (copy) entropy: 7.99043325525	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.WNCRY (copy) entropy: 7.99170075258	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\eventpage_bin_prod.js.WNCRY (copy) entropy: 7.99743820869	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\IE\AN5UOLP8\ConvergedLoginPaginatedStrings.en-gb_BxKM4IRLudkIao5qoVhSFA2[1].js.WNCRY (copy) entropy: 7.99552800442	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\IE\AN5UOLP8\ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOqiqEgQ2[1].js.WNCRY (copy) entropy: 7.99509902057	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\0JQ5B395\microsoft-365-logo-01d5ecd01a[1].png.WNCRY (copy) entropy: 7.99066149925	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\6EVGB5XB\pwa-bootstrap-5e7af218e953d095fabf[1].js.WNCRY (copy) entropy: 7.99782986143	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\6EVGB5XB\pwa-mru.2ce72562ad7c0ae7059c.chunk.v7[1].js.WNCRY (copy) entropy: 7.99504603508	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\7OUVBIZR\pwa-vendor-bundle-ba2888a24179bf152f3d[1].js.WNCRY (copy) entropy: 7.99974769469	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\OB7JJZIK\otel-logger-104bffe9378b8041455c[1].js.WNCRY (copy) entropy: 7.99821082456	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\OB7JJZIK\pwa-bundle-3a99f64809c6780df035[1].js.WNCRY (copy) entropy: 7.99984836552	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\OB7JJZIK\staticpwascripts-30998bff8f[1].js.WNCRY (copy) entropy: 7.99004377911	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\1Sd5265G8OlnRColAI8O_SxSQ1Q.br[1].js.WNCRY (copy) entropy: 7.99860878635	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\1_gc11zDuaJOyBP7gyptBGdPRf4.br[1].js.WNCRY (copy) entropy: 7.9966696445	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\584482RVjBIoEvVSe0RsuS1I4YQ.br[1].js.WNCRY (copy) entropy: 7.9958056876	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\6qhc82nhlRe74lC1CBjrzThsaXw.br[1].js.WNCRY (copy) entropy: 7.99561737421	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\DccpWCpoNzCwM4Qymi_Ji67Ilso.br[1].js.WNCRY (copy) entropy: 7.99883776785	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\EYNLM9RfkEXFtD8WH1unvJjwzGA.br[1].js.WNCRY (copy) entropy: 7.99031331592	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\f8FI06PDUmw1Zws81nUDYY3bWsY.br[1].js.WNCRY (copy) entropy: 7.99639203867	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\HSDak9V_lmtkNU64sorwQW-6T38.br[1].js.WNCRY (copy) entropy: 7.9998840941	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\Ix6gLNUjdsfo1b44Xv9sX0Ilnxw.br[1].js.WNCRY (copy) entropy: 7.99803196969	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\Kwh038ybdvX_puLwdopqHydJtVM.br[1].js.WNCRY (copy) entropy: 7.9996193446	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\lh0O3d6Fmm9PYPDqG8PqHJ4MS7w.br[1].js.WNCRY (copy) entropy: 7.99776097152	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\LisgCZCwGQ4lRz4go9tlwPslw_k.br[1].js.WNCRY (copy) entropy: 7.99021737353	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\lpbsfnKE_8agtRF97FH08WFLR1w.br[1].js.WNCRY (copy) entropy: 7.99943627289	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\MgSq5EEOyYvlI1qVlLOXfgRHmzM.br[1].js.WNCRY (copy) entropy: 7.99843051687	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\MR6Zgdyo2coaDBmJxRBOLkPvlpk.br[1].js.WNCRY (copy) entropy: 7.99928500934	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\Ov6JSivEymftttgBEDwd3JIRgz0.br[1].js.WNCRY (copy) entropy: 7.99930838696	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\RfoQ_WQ8YccBpTTC1JFx7r-9GWU.br[1].js.WNCRY (copy) entropy: 7.99912190854	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\UHyc3IjuWFO6s9IoOlmmJWw7Jqs.br[1].js.WNCRY (copy) entropy: 7.99966483621	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\vPBP7RPIJrbNZlhe-HUXYkcDX0A.br[1].js.WNCRY (copy) entropy: 7.99695083304	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\x9TiBFKPhYF4yOf0IfKaPIf64qI.br[1].js.WNCRY (copy) entropy: 7.99834529963	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\xO01H2dEYfjtj69ouv_nR5Al0cU.br[1].js.WNCRY (copy) entropy: 7.99890728023	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\ZNvOyS-r2rT3Al22ByUYXLQ5kPY.br[1].js.WNCRY (copy) entropy: 7.99820879258	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\0JQ5B395\pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7[1].js.WNCRY (copy) entropy: 7.99479507597	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\0JQ5B395\pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7[1].js.WNCRY (copy) entropy: 7.99020572897	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\OB7JJZIK\pwa-forms-group~mru~officeforms-group-forms~officeforms-my-forms~places.bcdc404c7fe22f14ccad.chunk.v7[1].js.WNCRY (copy) entropy: 7.99616459662	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cert9.db.WNCRY (copy) entropy: 7.99913816436	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\key4.db.WNCRY (copy) entropy: 7.99926317248	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: f_000112, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: f_000112, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: f_000112, type: SAMPLE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 0.2.f_000112.exe.957150.0.unpack, type: UNPACKEDPE	Matched rule: WanaCry Payload Author: kevoreilly
Source: 151.2.f_000112.exe.10000000.1.unpack, type: UNPACKEDPE	Matched rule: WanaCry Payload Author: kevoreilly
Source: 151.2.f_000112.exe.ac6d78.0.raw.unpack, type: UNPACKEDPE	Matched rule: WanaCry Payload Author: kevoreilly
Source: 151.2.f_000112.exe.ac6d78.0.unpack, type: UNPACKEDPE	Matched rule: WanaCry Payload Author: kevoreilly
Source: 0.2.f_000112.exe.957150.0.raw.unpack, type: UNPACKEDPE	Matched rule: WanaCry Payload Author: kevoreilly
Source: 0.0.f_000112.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 0.0.f_000112.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0.0.f_000112.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 00000000.00000000.1182915261.000000000040E000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000097.00000002.1486778003.000000000040F000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth

Source: C:\Users\user\Desktop\f_000112.exe

Process Stats: CPU usage > 24%

Source: C:\Windows\System32\SIHClient.exe	File created: C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMPEB70.tmp
Source: C:\Windows\System32\SIHClient.exe	File created: C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMPCB80.tmp

Source: C:\Users\user\Desktop\f_000112.exe	Code function: 151_2_10006940	151_2_10006940
Source: C:\Users\user\Desktop\f_000112.exe	Code function: 151_2_10006640	151_2_10006640
Source: C:\Users\user\Desktop\f_000112.exe	Code function: 151_2_10006280	151_2_10006280
Source: C:\Users\user\Desktop\f_000112.exe	Code function: 151_2_10005DC0	151_2_10005DC0

Source: f_000112	Static PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: taskdl.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: f_000112.exe, 00000000.00000003.1188562548.00000000025E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs f_000112
Source: f_000112.exe, 00000000.00000003.1203475391.000000000097D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs f_000112
Source: f_000112.exe, 00000000.00000003.1188597824.00000000025D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs f_000112
Source: f_000112.exe, 00000000.00000002.2435327186.0000000000948000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekbdlv.dllj% vs f_000112
Source: f_000112.exe, 00000000.00000003.1477873631.00000000009D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs f_000112
Source: f_000112.exe, 00000097.00000002.1487119957.0000000000AB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekbdlv.dllj% vs f_000112
Source: f_000112.exe, 00000097.00000002.1488015515.000000001000E000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekbdlv.dllj% vs f_000112
Source: f_000112	Binary or memory string: OriginalFilenamediskpart.exej% vs f_000112

Source: f_000112

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: f_000112, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: f_000112, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: f_000112, type: SAMPLE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.f_000112.exe.957150.0.unpack, type: UNPACKEDPE	Matched rule: WanaCry author = kevoreilly, description = WanaCry Payload, cape_type = WanaCry Payload
Source: 151.2.f_000112.exe.10000000.1.unpack, type: UNPACKEDPE	Matched rule: WanaCry author = kevoreilly, description = WanaCry Payload, cape_type = WanaCry Payload
Source: 151.2.f_000112.exe.ac6d78.0.raw.unpack, type: UNPACKEDPE	Matched rule: WanaCry author = kevoreilly, description = WanaCry Payload, cape_type = WanaCry Payload
Source: 151.2.f_000112.exe.ac6d78.0.unpack, type: UNPACKEDPE	Matched rule: WanaCry author = kevoreilly, description = WanaCry Payload, cape_type = WanaCry Payload
Source: 0.2.f_000112.exe.957150.0.raw.unpack, type: UNPACKEDPE	Matched rule: WanaCry author = kevoreilly, description = WanaCry Payload, cape_type = WanaCry Payload
Source: 0.0.f_000112.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 0.0.f_000112.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0.0.f_000112.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000000.00000000.1182915261.000000000040E000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000097.00000002.1486778003.000000000040F000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: f_000112.exe, 00000000.00000003.1203475391.000000000097D000.00000004.00000020.00020000.00000000.sdmp, f_000112.exe, 00000000.00000003.1477873631.00000000009D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: A.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docConnecting to server...s.wnry%08X.eky%08X.res00000000.resrb%08X.dky%08X.pkyConnectedSent requestSucceedReceived responseCongratulations! Your payment has been checked!
Source: f_000112.exe, 00000000.00000002.2435327186.0000000000948000.00000004.00000020.00020000.00000000.sdmp, f_000112.exe, 00000097.00000002.1487961054.000000001000C000.00000004.00001000.00020000.00000000.sdmp, f_000112.exe, 00000097.00000002.1487119957.0000000000AB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.edb.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.dotx.dotm.dot.docm.docb.jpg.jpeg.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.eml.msg.ost.pst.pptx.ppt.xlsx.xls.docx.doc%s\%d%s.WNCRYT%s%sTWANACRY!.WNCRY.WNCYR\\@WanaDecryptor@.bmp@WanaDecryptor@.exe.lnk@Please_Read_Me@.txt%s\%s...%s\*.dll.exe~SD@WanaDecryptor@.exeContent.IE5Temporary Internet Files This folder protects against ransomware. Modifying it will reduce protection\Local Settings\Temp\AppData\Local\Temp\Program Files (x86)\Program Files\WINDOWS\ProgramData\Intel$\CloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll
Source: f_000112	Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: classification engine

Classification label: mal100.rans.evad.win@910/1176@0/0

Source: C:\Users\user\Desktop\f_000112.exe

Code function: 151_2_10005540 GetDriveTypeW,InterlockedExchangeAdd,GetDiskFreeSpaceExW,Sleep,GetDiskFreeSpaceExW,Sleep,GetDriveTypeW,GetDriveTypeW,GetDriveTypeW,GetDriveTypeW,InterlockedExchange,GetDriveTypeW,

151_2_10005540

Source: C:\Users\user\Desktop\f_000112.exe

File created: C:\Users\user\Desktop\b.wnry

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6956:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6948:120:WilError_03
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Mutant created: \BaseNamedObjects\Global\MoUsoCoreworkerRunning
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7112:120:WilError_03
Source: C:\Windows\System32\SIHClient.exe	Mutant created: {376155FF-95A0-46CA-8F57-ACB09EA70153}
Source: C:\Users\user\Desktop\f_000112.exe	Mutant created: \Sessions\1\BaseNamedObjects\MsWinZonesCacheCounterMutexA
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6916:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3184:120:WilError_03
Source: C:\Users\user\Desktop\f_000112.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\MsWinZonesCacheCounterMutexA0

Source: C:\Users\user\Desktop\f_000112.exe

File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\Temp\~SD7545.tmp

Jump to behavior

Source: C:\Users\user\Desktop\f_000112.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 234691724246428.bat

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe //nologo m.vbs

Source: f_000112

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\cscript.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\f_000112.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: f_000112

ReversingLabs: Detection: 92%

Source: unknown	Process created: C:\Users\user\Desktop\f_000112.exe "C:\Users\user\Desktop\f_000112.exe"
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h .
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q
Source: C:\Windows\SysWOW64\attrib.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 234691724246428.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe //nologo m.vbs
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Windows\System32\MoUsoCoreWorker.exe C:\Windows\System32\mousocoreworker.exe -Embedding
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv sLtwoH0bEUKG+NxKNhh+6w.0.2
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\f_000112.exe "C:\Users\user\Desktop\f_000112.exe"
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h .
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q
Source: C:\Windows\SysWOW64\attrib.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h .
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 234691724246428.bat
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h .
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\f_000112.exe	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\f_000112.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: dmiso8601utils.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: updatepolicy.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: dmcmnutils.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: winsqlite3.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: usocoreps.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: upshared.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: wuapi.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: wups.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: usoapi.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: windows.web.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: wosc.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: dusmapi.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: dcntel.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: utcutil.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: slc.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: dsreg.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: enrollmentapi.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: dmenrollengine.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: onesettingsclient.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: webio.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: cryptnet.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: utcutil.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: dcntel.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: aepic.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: windows.system.profile.platformdiagnosticsandusagedatasettings.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: fcon.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: windows.security.authentication.onlineid.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: utcutil.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: dcntel.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: aepic.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: utcutil.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: dcntel.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: aepic.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: utcutil.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: dcntel.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: aepic.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: dcntel.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: utcutil.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: slc.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: dsreg.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: enrollmentapi.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: dmenrollengine.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\MoUsoCoreWorker.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: photometadatahandler.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\f_000112.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\f_000112.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\f_000112.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\f_000112.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll

Source: C:\Windows\SysWOW64\cscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Source: f_000112

Static file information: File size 3514368 > 1048576

Source: f_000112

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x34a000

Source:

Source: C:\Users\user\Desktop\f_000112.exe

Code function: 151_2_10003410 wcsrchr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

151_2_10003410

Source: C:\Users\user\Desktop\f_000112.exe

Code function: 151_2_10006BD0 push eax; ret

151_2_10006BFE

Persistence and Installation Behavior

Command shell drops VBS files

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\Desktop\m.vbs

Drops PE files to the document folder of the user

Source: C:\Users\user\Desktop\f_000112.exe

File created: C:\Users\user\Documents\@WanaDecryptor@.exe

Jump to dropped file

Uses cmd line tools excessively to alter registry or file data

Source: C:\Users\user\Desktop\f_000112.exe	Process created: attrib.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: attrib.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: attrib.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: attrib.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: attrib.exe
Source: C:\Users\user\Desktop\f_000112.exe	Process created: attrib.exe

Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\AppData\Local\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\Desktop\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\Desktop\taskdl.exe	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\Desktop\taskse.exe	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\Documents\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\Downloads\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Users\user\Desktop\u.wnry	Jump to dropped file

Source: C:\Users\user\Desktop\f_000112.exe

File created: C:\Users\user\Desktop\u.wnry

Jump to dropped file

Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\~SD5F9E.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\~SD5F9F.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\~SD5FA0.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\~SD344B.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\~SD344C.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\~SD1E8B.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\~SD1E8C.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\7-Zip\~SD1E8D.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\~SD1E8E.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\~SD1E9E.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\~SD1E9F.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\~SD1EA0.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\~SD1EA1.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\~SD1EA2.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\~SD1EA3.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\~SD1EA4.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\~SD1EA5.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Windows PowerShell\~SD1EA6.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\~SDF34C.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\~SDF34D.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\7-Zip\~SDF34E.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessibility\~SDF34F.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessories\~SDF350.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Administrative Tools\~SDF351.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\AutoIt v3\~SDF362.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\~SDF363.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Java\~SDF364.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Maintenance\~SDF365.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\StartUp\~SDF366.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\System Tools\~SDF367.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\~SDF368.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\~SD3CC5.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\~SD3CC6.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\7-Zip\~SD3CC7.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\~SD3CC8.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\~SD3CD8.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\~SD3CD9.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\~SD3CDA.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\~SD3CDB.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\~SD3CDC.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\AutoItX\~SD3CDD.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\~SD3CDE.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\~SD3CDF.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office Tools\~SD3CE0.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\~SD3CF1.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\~SD3CF2.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Windows PowerShell\~SD3CF3.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\~SD86AA.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\~SD86AB.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\7-Zip\~SD86AC.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessibility\~SD86AD.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessories\~SD86AE.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\~SD86BF.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Administrative Tools\~SD86C0.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\AutoIt v3\~SD86C1.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\~SD86C2.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX\~SD86C3.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Java\~SD86E3.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Maintenance\~SD86F4.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\~SD8704.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\StartUp\~SD8705.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\System Tools\~SD8706.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\~SDFBD9.tmp	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Creates files in the recycle bin to hide itself

Source: C:\Users\user\Desktop\f_000112.exe

File created: C:\$Recycle.Bin\~SD1609.tmp

Jump to behavior

Source: C:\Users\user\Desktop\f_000112.exe

Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\f_000112.exe

Code function: 151_2_10004790

151_2_10004790

Query firmware table information (likely to detect VMs)

Source: C:\Windows\System32\MoUsoCoreWorker.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\System32\MoUsoCoreWorker.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\System32\MoUsoCoreWorker.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\System32\MoUsoCoreWorker.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\System32\MoUsoCoreWorker.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\System32\MoUsoCoreWorker.exe	System information queried: FirmwareTableInformation

Source: C:\Users\user\Desktop\f_000112.exe	Window / User API: threadDelayed 6639
Source: C:\Users\user\Desktop\f_000112.exe	Window / User API: threadDelayed 1028

Source: C:\Users\user\Desktop\f_000112.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	Dropped PE file which has not been started: C:\Users\user\Documents\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\taskse.exe	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	Dropped PE file which has not been started: C:\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	Dropped PE file which has not been started: C:\Users\user\Downloads\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\f_000112.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\u.wnry	Jump to dropped file

Source: C:\Users\user\Desktop\f_000112.exe

Evaded block: after key decision

graph_151-1452

Source: C:\Users\user\Desktop\f_000112.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_151-1615

Source: C:\Users\user\Desktop\f_000112.exe

API coverage: 0.8 %

Source: C:\Users\user\Desktop\f_000112.exe TID: 7040	Thread sleep count: 64 > 30
Source: C:\Users\user\Desktop\f_000112.exe TID: 7040	Thread sleep time: -64000s >= -30000s
Source: C:\Users\user\Desktop\f_000112.exe TID: 7044	Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\Desktop\f_000112.exe TID: 7052	Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\Desktop\f_000112.exe TID: 7076	Thread sleep count: 36 > 30
Source: C:\Users\user\Desktop\f_000112.exe TID: 7076	Thread sleep time: -1080000s >= -30000s
Source: C:\Users\user\Desktop\f_000112.exe TID: 7040	Thread sleep count: 6639 > 30
Source: C:\Users\user\Desktop\f_000112.exe TID: 7040	Thread sleep time: -6639000s >= -30000s
Source: C:\Users\user\Desktop\f_000112.exe TID: 7048	Thread sleep count: 1028 > 30
Source: C:\Users\user\Desktop\f_000112.exe TID: 7048	Thread sleep time: -3084000s >= -30000s
Source: C:\Windows\System32\MoUsoCoreWorker.exe TID: 5868	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\SIHClient.exe TID: 4780	Thread sleep time: -90000s >= -30000s

Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\f_000112.exe	Code function: 151_2_10002300 CloseHandle,SHGetFolderPathW,??2@YAPAXI@Z,swprintf,FindFirstFileW,??3@YAXPAX@Z,??3@YAXPAX@Z,wcscmp,wcscmp,wcscmp,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcscmp,wcscmp,wcscmp,wcsncpy,wcsncpy,wcsncpy,FindNextFileW,FindClose,_wcsnicmp,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,		151_2_10002300
Source: C:\Users\user\Desktop\f_000112.exe	Code function: 151_2_10004A40 CloseHandle,SHGetFolderPathW,wcslen,SHGetFolderPathW,SHGetFolderPathW,wcslen,wcsrchr,wcschr,SHGetFolderPathW,wcslen,wcsrchr,swprintf,FindFirstFileW,wcscmp,wcscmp,swprintf,wcscmp,swprintf,FindNextFileW,FindClose,		151_2_10004A40

Source: C:\Users\user\Desktop\f_000112.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\f_000112.exe	Thread delayed: delay time: 30000

Source: C:\Users\user\Desktop\f_000112.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Archive\~SD3406.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\~SDBF32.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Archive\Apps\~SD3407.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\~SD4A4C.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\~SD3405.tmp	Jump to behavior
Source: C:\Users\user\Desktop\f_000112.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\GenuineTicket\~SD3417.tmp	Jump to behavior

Source: store.db.51.dr	Binary or memory string: VMware SVGA 3D
Source: store.db.51.dr	Binary or memory string: VMware, Inc.
Source: store.db.51.dr	Binary or memory string: http://tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ccfa8ae1-3de7-46d7-a897-c8207e181b43?P1=1696331535&P2=404&P3=2&P4=U8tzlcVfvHbbpzMhxhgfsYXulfoiioa29F3hehhyrCbftohxlbYl06533b74%2bCdr0%2fjxlaNwreG6WuH1JeIX6A%3d%3d
Source: SIHClient.exe, 00000039.00000002.1576206696.000001D0DCF36000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000039.00000003.1282870797.000001D0DCF8C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: store.db.51.dr	Binary or memory string: ;VMware, Inc. Display driver update released in April 2023Fhttp://schemas.microsoft.com/msus/2002/12/UpdateHandlers/WindowsDriver/http://support.microsoft.com/select/?target=hub!VMware, Inc. - Display - 9.17.6.3
Source: store.db.51.dr	Binary or memory string: http://tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/2cd574c7-7f95-40ca-bf8e-0672877775b0?P1=1696331535&P2=404&P3=2&P4=DkYxDLYasZlIhhX63a0yDBM0tM%2bS4ze09HM%2fq6Lbn5hmJ7in%2b1CYq3Ql6GyQEmUvNHa7Ll20zSt66HLJpPgftQ%3d%3d
Source: SIHClient.exe, 00000039.00000003.1299362105.000001D0DCF95000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000039.00000003.1298223850.000001D0DCF95000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000039.00000003.1300380905.000001D0DCF95000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000039.00000003.1573082045.000001D0DCF95000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000039.00000003.1296124077.000001D0DCF95000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000039.00000003.1282870797.000001D0DCF8C000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000039.00000003.1295292415.000001D0DCF95000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW/?Z

Source: C:\Users\user\Desktop\f_000112.exe

Code function: 151_2_10003410 wcsrchr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

151_2_10003410

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe //nologo m.vbs

Source: C:\Users\user\Desktop\f_000112.exe

Code function: 151_2_10001360 time,AllocateAndInitializeSid,time,CheckTokenMembership,FreeSid,

151_2_10001360

Source: C:\Windows\SysWOW64\cscript.exe

Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\f_000112.exe

Code function: 151_2_10004F20 swprintf,swprintf,MultiByteToWideChar,CopyFileW,CopyFileW,GetUserNameW,_wcsicmp,SystemParametersInfoW,swprintf,CopyFileW,

151_2_10004F20

Source: C:\Users\user\Desktop\f_000112.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	12 Scripting	Valid Accounts	2 Windows Management Instrumentation	12 Scripting	1 DLL Side-Loading	1 Obfuscated Files or Information	OS Credential Dumping	1 Account Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	3 Native API	1 DLL Side-Loading	11 Process Injection	1 DLL Side-Loading	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	1 Proxy	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 File Deletion	Security Account Manager	33 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Services File Permissions Weakness	1 Services File Permissions Weakness	21 Masquerading	NTDS	311 Security Software Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	121 Virtualization/Sandbox Evasion	LSA Secrets	121 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Process Injection	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Hidden Files and Directories	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Services File Permissions Weakness	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
f_000112	92%	ReversingLabs	Win32.Ransomware.WannaCry
f_000112	100%	Avira	TR/Ransom.JB
f_000112	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\@WanaDecryptor@.exe	100%	Avira	TR/FileCoder.724645
C:\@WanaDecryptor@.exe	100%	Joe Sandbox ML
C:\@WanaDecryptor@.exe	97%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Users\user\AppData\Local\@WanaDecryptor@.exe	97%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Users\user\Desktop\@WanaDecryptor@.exe	97%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Users\user\Desktop\taskdl.exe	96%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Users\user\Desktop\taskse.exe	89%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Users\user\Desktop\u.wnry	97%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Users\user\Documents\@WanaDecryptor@.exe	97%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Users\user\Downloads\@WanaDecryptor@.exe	97%	ReversingLabs	Win32.Ransomware.WannaCry

Name	Source	Malicious
http://tlu.dl.de	store.db.51.dr	false
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 0000002B.00000003.1367209624.0000021CF6067000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 0000002B.00000003.1367422896.0000021CF6057000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367461445.0000021CF6059000.00000004.00000020.00020000.00000000.sdmp	false
http://tlu.dl.delivery.mp.mi	store.db.51.dr	false
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 0000002B.00000003.1367657109.0000021CF6054000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 0000002B.00000003.1367422896.0000021CF6057000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367461445.0000021CF6059000.00000004.00000020.00020000.00000000.sdmp	false
http://tlu.dl.delivery.mp.microsoft.8com/filestreamingservice/files/1e08863d-491b-4609-a0f8-bd8fb8ab	store.db.51.dr	false
http://tlu.dl.delivery.mp.micrBosoft.com/filestreamingservice/files/e5fd51e1-714d-4a9f-ad84-b9c7c9da	store.db.51.dr	false
http://tlu.dl.delivery.	store.db.51.dr	false
http://tlu.dl	store.db.51.dr	false
http://tlu.dl.delivery.mp.micr	store.db.51.dr	false
http://tlu.dl.delivery.mp.microsoft.coEm/filestreamingservice/files/17a1f764-1e22-4005-ad95-0bc97022	store.db.51.dr	false
https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg	f_000112.exe, 00000000.00000002.2445942676.0000000002E80000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 0000002B.00000003.1367422896.0000021CF6057000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367461445.0000021CF6059000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 0000002B.00000003.1367422896.0000021CF6057000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000002.1368895493.0000021CF6081000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367593072.0000021CF605B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367271135.0000021CF6062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000002.1368828355.0000021CF6065000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367359562.0000021CF605E000.00000004.00000020.00020000.00000000.sdmp	false
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 0000002B.00000002.1368487965.0000021CF602B000.00000004.00000020.00020000.00000000.sdmp	false
http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s	f_000112.exe, 00000000.00000003.1477873631.00000000009D5000.00000004.00000020.00020000.00000000.sdmp	true
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odv	svchost.exe, 0000002B.00000003.1367718661.0000021CF6031000.00000004.00000020.00020000.00000000.sdmp	false
http://tlu.dl.delivery.mp.microsoft.co	store.db.51.dr	false
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 0000002B.00000002.1368747089.0000021CF6052000.00000004.00000020.00020000.00000000.sdmp	false
http://tlu.dl.delivery.mp.micros	store.db.51.dr	false
http://tlu.dl.deli	store.db.51.dr	false
http://tlu.dl.delivery.mp.microso	store.db.51.dr	false
https://www.google.com/search?q=how	f_000112.exe, 00000000.00000003.1477873631.00000000009D5000.00000004.00000020.00020000.00000000.sdmp	true
http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how	f_000112.exe, 00000000.00000003.1477873631.00000000009D5000.00000004.00000020.00020000.00000000.sdmp	true
https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zipk	f_000112.exe, 00000097.00000002.1487413082.0000000002620000.00000004.00000020.00020000.00000000.sdmp	true
http://tlu.dl.delivery.mp.microsoft.	store.db.51.dr	false
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_39e4b8f6fd6635158ad433436bdaa069841cfdf8e1989e03	f_000112.exe, 00000000.00000002.2445942676.0000000002E80000.00000004.00000020.00020000.00000000.sdmp	false
http://tlu.dl.delivery.mp.microsof	store.db.51.dr	false
http://www.bingmapsportal.com	svchost.exe, 0000002B.00000002.1368381981.0000021CF6013000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 0000002B.00000002.1368644717.0000021CF603F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367422896.0000021CF6057000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367593072.0000021CF605B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367271135.0000021CF6062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000002.1368828355.0000021CF6065000.00000004.00000020.00020000.00000000.sdmp	false
http://tlu.dl.del	store.db.51.dr	false
http://tlu.dl.delivery.mp	store.db.51.dr	false
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 0000002B.00000003.1367209624.0000021CF6067000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000002.1368487965.0000021CF602B000.00000004.00000020.00020000.00000000.sdmp	false
http://tlu.dl.delivery.mp.m	store.db.51.dr	false
http://tlu.dl.deliv	store.db.51.dr	false
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 0000002B.00000003.1367422896.0000021CF6057000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367461445.0000021CF6059000.00000004.00000020.00020000.00000000.sdmp	false
http://tlu.dl.delivery.mp.micro	store.db.51.dr	false
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 0000002B.00000003.1367422896.0000021CF6057000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.ditu.live.com/REST/v1/Transit/Stops/	svchost.exe, 0000002B.00000003.1366869450.0000021CF6085000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 0000002B.00000003.1367209624.0000021CF6067000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000002.1368487965.0000021CF602B000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/	svchost.exe, 0000002B.00000002.1368644717.0000021CF603F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367271135.0000021CF6062000.00000004.00000020.00020000.00000000.sdmp	false
https://t0.ssl.ak	svchost.exe, 0000002B.00000003.1367718661.0000021CF6031000.00000004.00000020.00020000.00000000.sdmp	false
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs	svchost.exe, 0000002B.00000003.1367718661.0000021CF6031000.00000004.00000020.00020000.00000000.sdmp	false
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 0000002B.00000002.1368543054.0000021CF603B000.00000004.00000020.00020000.00000000.sdmp	false
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=	svchost.exe, 0000002B.00000003.1367657109.0000021CF6054000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367359562.0000021CF605E000.00000004.00000020.00020000.00000000.sdmp	false
http://tlu.dl.delivery	store.db.51.dr	false
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 0000002B.00000003.1367271135.0000021CF6062000.00000004.00000020.00020000.00000000.sdmp	false
http://tlu.dl.delivery.mp.mic	store.db.51.dr	false
http://tlu.dl.	store.db.51.dr	false
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 0000002B.00000003.1367627141.0000021CF6044000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.micr	m_danish.wnry.0.dr	false
http://tlu.dl.delivery.mp.micraosoft.com/filestreamingservice/files/a730fbc0-b3e6-42bf-9776-5c1a9503	store.db.51.dr	false
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696581201119.12791&key=1696581201400600	f_000112.exe, 00000000.00000002.2445942676.0000000002E80000.00000004.00000020.00020000.00000000.sdmp	false
http://tlu.dl.delivery.mp.micros5oft.com/filestreamingservice/files/621f41c6-598e-4516-bb23-be21d146	store.db.51.dr	false
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 0000002B.00000003.1367422896.0000021CF6057000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367461445.0000021CF6059000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/	svchost.exe, 0000002B.00000002.1368787378.0000021CF605A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367422896.0000021CF6057000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 0000002B.00000003.1367422896.0000021CF6057000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367461445.0000021CF6059000.00000004.00000020.00020000.00000000.sdmp	false
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4CLXfQbX4pbW4QbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	f_000112.exe, 00000000.00000002.2445942676.0000000002E80000.00000004.00000020.00020000.00000000.sdmp	false
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_	f_000112.exe, 00000000.00000002.2445942676.0000000002E80000.00000004.00000020.00020000.00000000.sdmp	false
http://tlu.dl.delivery.mp.microsLoft.com/filestreamingservice/files/ae12b07d-3012-4812-92a3-bdc1df33	store.db.51.dr	false
http://tlu.dl.delivery.mp.microsoft.c	store.db.51.dr	false
https://t0.ssl.ak.dyn	svchost.exe, 0000002B.00000003.1367718661.0000021CF6031000.00000004.00000020.00020000.00000000.sdmp	false
http://tlu.dl.delivery.m	store.db.51.dr	false
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 0000002B.00000002.1368747089.0000021CF6052000.00000004.00000020.00020000.00000000.sdmp	false
http://tlu.dl.delive	store.db.51.dr	false
https://dynamic.t	svchost.exe, 0000002B.00000003.1367627141.0000021CF6044000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367271135.0000021CF6062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000002.1368828355.0000021CF6065000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367359562.0000021CF605E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000002.1368747089.0000021CF6052000.00000004.00000020.00020000.00000000.sdmp	false
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	f_000112.exe, 00000000.00000002.2445942676.0000000002E80000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 0000002B.00000003.1367422896.0000021CF6057000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367461445.0000021CF6059000.00000004.00000020.00020000.00000000.sdmp	false
http://tlu.dl.deliver	store.db.51.dr	false
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 0000002B.00000003.1367422896.0000021CF6057000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367461445.0000021CF6059000.00000004.00000020.00020000.00000000.sdmp	false
http://tlu.dl.delivery.mp.microsoft	store.db.51.dr	false
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=	svchost.exe, 0000002B.00000002.1368787378.0000021CF605A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367422896.0000021CF6057000.00000004.00000020.00020000.00000000.sdmp	false
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 0000002B.00000003.1367271135.0000021CF6062000.00000004.00000020.00020000.00000000.sdmp	false
http://tlu.d	store.db.51.dr	false
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696581201119.12791&key=1696581201400600000.1&cta	f_000112.exe, 00000000.00000002.2445942676.0000000002E80000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 0000002B.00000003.1367422896.0000021CF6057000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367461445.0000021CF6059000.00000004.00000020.00020000.00000000.sdmp	false
https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip	f_000112.exe, 00000000.00000002.2469078790.000000001000D000.00000004.00001000.00020000.00000000.sdmp, f_000112.exe, 00000097.00000002.1487413082.0000000002620000.00000004.00000020.00020000.00000000.sdmp	true
https://t0.ssl.ak.dynamic.tiles.v	svchost.exe, 0000002B.00000003.1367718661.0000021CF6031000.00000004.00000020.00020000.00000000.sdmp	false
http://tlu.dl.delivery.mp.	store.db.51.dr	false
http://tlu.dl.d	store.db.51.dr	false
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 0000002B.00000003.1367627141.0000021CF6044000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000003.1367271135.0000021CF6062000.00000004.00000020.00020000.00000000.sdmp	false

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1496614
Start date and time:	2024-08-21 15:18:58 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	206
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	f_000112
Detection:	MAL
Classification:	mal100.rans.evad.win@910/1176@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 1 Number of non-executed functions: 56

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): dllhost.exe, SgrmBroker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 51.104.136.2, 40.68.123.157, 20.166.126.56, 13.95.31.18
Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, fs.microsoft.com, atm-settingsfe-prod-geo2.trafficmanager.net, login.live.com, slscr.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, settings-prod-neu-2.northeurope.cloudapp.azure.com, sls.update.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtSetValueKey calls found.
Report size getting too big, too many NtWriteFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
VT rate limit hit for: f_000112

Simulations

Behavior and APIs

Time	Type	Description
09:19:28	API Interceptor	5528595x Sleep call for process: f_000112.exe modified
09:19:37	API Interceptor	6x Sleep call for process: MoUsoCoreWorker.exe modified
09:19:38	API Interceptor	3x Sleep call for process: SIHClient.exe modified
09:19:53	API Interceptor	1x Sleep call for process: dllhost.exe modified

Process:	C:\Users\user\Desktop\f_000112.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	933
Entropy (8bit):	4.708686542546707
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0EigS1xbnrRQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3yhvWmMo+S
MD5:	F97D2E6F8D820DBD3B66F21137DE4F09
SHA1:	596799B75B5D60AA9CD45646F68E9C0BD06DF252
SHA-256:	0E5ECE918132A2B1A190906E74BECB8E4CED36EEC9F9D1C70F5DA72AC4C6B92A
SHA-512:	EFDA21D83464A6A32FDEEF93152FFD32A648130754FDD3635F7FF61CC1664F7FC050900F0F871B0DDD3A3846222BF62AB5DF8EED42610A76BE66FFF5F7B4C4C0
Malicious:	false
Yara Hits:	Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth
Reputation:	unknown
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....

Process:	C:\Windows\System32\MoUsoCoreWorker.exe
File Type:	SQLite 3.x database, user version 3, last written using SQLite version 3029000, file counter 576, database pages 2963, 1st free page 105, free pages 2946, cookie 0x6, schema 4, UTF-16 little endian, version-valid-for 576
Category:	dropped
Size (bytes):	12136448
Entropy (8bit):	3.8907223157127335
Encrypted:	false
SSDEEP:	49152:sOx9aksx+oxKqOjDdxapS0gHxNSJ1lIfBrpBxnInLfuVJs:X
MD5:	ACCD9A3C4754440643704E9BA9114844
SHA1:	EB072E77EABDBC6C442B42AFB37C8F06F7E40E82
SHA-256:	EC2F4640F7BA30A317002F2992983292EBC0F59FA6852482C6114372CFA68A02
SHA-512:	08F274B44B85FC2F61AA0A764330B7B2C718E6531BE0D9D6A690F9C8D61F0921AF9408E25C669411549C0ECFD612F4C529A962CD6EA3B41F8B60A4873D6931EC
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ...@.......i...........................................................@..8......................6..............................................................................................................................................................................................................................................................................................................................................l..!..A..i.n.d.e.x.s.q.l.i.t.e._.a.u.t.o.i.n.d.e.x._.P.R.O.V.I.D.E.R.S.P.R.O.P._.1.P.R.O.V.I.D.E.R.S.P.R.O.P...L..!AA...t.a.b.l.e.A.C.T.I.O.N.R.E.C.O.R.D.S.A.C.T.I.O.N.R.E.C.O.R.D.S..C.R.E.A.T.E. .T.A.B.L.E. .A.C.T.I.O.N.R.E.C.O.R.D.S. .(. . . . . . . . . . . . .P.R.O.V.I.D.E.R.I.D. . . . . . . . . . . . .T.E.X.T. .N.O.T. .N.U.L.L. .C.O.L.L.A.T.E. .N.O.C.A.S.E. .C.H.E.C.K.(.P.R.O.V.I.D.E.R.I.D. .<.>. .'.'.).,. . . . . . . . . . . . .U.P.D.A.T.E.I.D. . . . . . . . . . . . . . .T.E.X.T. .N.O.T. .N.U.L.L. .C.O.L.L.A.T.E. .N.O.C.A.S.E. .C.H.E

Process:	C:\Windows\SysWOW64\cscript.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 21 12:19:29 2024, mtime=Wed Aug 21 12:19:29 2024, atime=Fri May 12 05:22:56 2017, length=245760, window=hide
Category:	dropped
Size (bytes):	575
Entropy (8bit):	5.1514333141017135
Encrypted:	false
SSDEEP:	6:4xtQl3r23CpzeVs+bTcJHUtxXCz8lFUod6tMljAlp4hlIGoJ4D6Vod6Nu3/Wmc8E:8I2ypzYNblthRUobjAyhkotcsBmV
MD5:	40D3E8A910C0565F268932057F54E386
SHA1:	EBBE944DDE299B9B357FBEF6BDD20F7176B3C0BA
SHA-256:	90E66004446E10C5D31A8955509805E176408F47C3AC5B8DF5388A496CEB8B9A
SHA-512:	60C404E8260EDE86CE2AA3EA668386A172535C0A7009993DF3AA71A5E72114A1067ACDDD0C51B5506CA58290E5B8ABA39BD0902FDA471A34F6EB31BFB31C888A
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ....+.......y.......`.1.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.........{4.....................t.2......J.2 .@WANAD~1.EXE..X.......Yoj.Yoj..............................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......X...............-.......W....................C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......284992...........hT..CrF.f4... ..............%..hT..CrF.f4... ..............%.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	195
Entropy (8bit):	4.9828343133437905
Encrypted:	false
SSDEEP:	3:gponhvDCKFcsDT6MWlynJ96JS2x9rbPT6MWlynJSK2Fvn:e+hvbGoJgJSoPGoJSK2Fv
MD5:	CF54CCA4CEA475C005EEE306DF7C73D0
SHA1:	1D1A669F4376CBB22A5C5C8D211A352AF84DC95D
SHA-256:	580B3C23A6578CDA3DC3349F3749E935BABC6FA6F2CE9B8DC58D7463C0F618A9
SHA-512:	043F8938BA7CB4F8BBF3E77667E6505271A984578869623102CF8D61A3D9162387DC200F1F8BF97DF5BEE621B0E952DD9F672150777AA18C978E1B95F3B452AE
Malicious:	true
Reputation:	unknown
Preview:	SET ow = WScript.CreateObject("WScript.Shell")..SET om = ow.CreateShortcut("C:\Users\user\Desktop\@WanaDecryptor@.exe.lnk")..om.TargetPath = "C:\Users\user\Desktop\@WanaDecryptor@.exe"..om.Save..

Process:	C:\Windows\System32\SIHClient.exe
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.1720130280075645
Encrypted:	false
SSDEEP:	192:W4rkVoFz4E/KRCm0B6yZ0hjbeVVMqwq6yx:WdoFz4E/KRCm0B6O0hjiVVMqwq6yx
MD5:	67CE1D0877D38A41722A1E4FBD5FBF9E
SHA1:	48CC49B063E835A6B3764D72BF246F78625E9F0E
SHA-256:	2308559439B4C3D36822A6BDEF1DFEFCAEBB3AC0271557C05CEAC9F49C6A1E25
SHA-512:	CF7B5C2E002279AADDD215691FF1BCA9C66B28EA099DD33792F279568F8F2BFEA3179E99EAACD5BA880E3873AFE5671BBF28D892B37F8FD700355844B06A220B
Malicious:	false
Reputation:	unknown
Preview:	....P...P.......................................P...!...................................Y.GL....................eJ.............Zb....... ......................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1................................................................Y............`.............S.I.H._.t.r.a.c.e._.l.o.g...C.:.\.W.i.n.d.o.w.s.\.L.o.g.s.\.S.I.H.\.S.I.H...2.0.2.4.0.8.2.1...0.9.1.9.3.7...1.0.2...1...e.t.l.......P.P.........Y.GL....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.995470941164686
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	f_000112
File size:	3'514'368 bytes
MD5:	84c82835a5d21bbcf75a61706d8ab549
SHA1:	5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256:	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512:	90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
SSDEEP:	98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB
TLSH:	73F533F4E221B7ACF2550EF64855C59B6A9724B2EBEF1E26DA8001A70D44F7F8FC0491
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:...T...T...T...X...T..._...T.'.Z...T...^...T...P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L..

Entrypoint:	0x4077ba
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4CE78F41 [Sat Nov 20 09:05:05 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	68f013d7437aa653a8a98a05807afeb1

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd5a8	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x349fa0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x1d8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x69b0	0x7000	920e964050a1a5dd60dd00083fd541a2	False	0.5747419084821429	data	6.404235106100747	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x5f70	0x6000	2c42611802d585e6eed68595876d1a15	False	0.5781656901041666	data	6.66357096840794	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xe000	0x1958	0x2000	83506e37bd8b50cacabd480f8eb3849b	False	0.394287109375	Matlab v4 mat-file (little endian) ry, numeric, rows 0, columns 0	4.4557495078691405	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x10000	0x349fa0	0x34a000	f99ce7dc94308f0a149a19e022e4c316	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
XIA	0x100f0	0x349635	Zip archive data, at least v2.0 to extract, compression method=deflate	English	United States	1.0002689361572266
RT_VERSION	0x359728	0x388	data	English	United States	0.46349557522123896
RT_MANIFEST	0x359ab0	0x4ef	exported SGML document, ASCII text, with CRLF line terminators	English	United States	0.42913697545526525

DLL	Import
KERNEL32.dll	GetFileAttributesW, GetFileSizeEx, CreateFileA, InitializeCriticalSection, DeleteCriticalSection, ReadFile, GetFileSize, WriteFile, LeaveCriticalSection, EnterCriticalSection, SetFileAttributesW, SetCurrentDirectoryW, CreateDirectoryW, GetTempPathW, GetWindowsDirectoryW, GetFileAttributesA, SizeofResource, LockResource, LoadResource, MultiByteToWideChar, Sleep, OpenMutexA, GetFullPathNameA, CopyFileA, GetModuleFileNameA, VirtualAlloc, VirtualFree, FreeLibrary, HeapAlloc, GetProcessHeap, GetModuleHandleA, SetLastError, VirtualProtect, IsBadReadPtr, HeapFree, SystemTimeToFileTime, LocalFileTimeToFileTime, CreateDirectoryA, GetStartupInfoA, SetFilePointer, SetFileTime, GetComputerNameW, GetCurrentDirectoryA, SetCurrentDirectoryA, GlobalAlloc, LoadLibraryA, GetProcAddress, GlobalFree, CreateProcessA, CloseHandle, WaitForSingleObject, TerminateProcess, GetExitCodeProcess, FindResourceA
USER32.dll	wsprintfA
ADVAPI32.dll	CreateServiceA, OpenServiceA, StartServiceA, CloseServiceHandle, CryptReleaseContext, RegCreateKeyW, RegSetValueExA, RegQueryValueExA, RegCloseKey, OpenSCManagerA
MSVCRT.dll	realloc, fclose, fwrite, fread, fopen, sprintf, rand, srand, strcpy, memset, strlen, wcscat, wcslen, __CxxFrameHandler, ??3@YAXPAX@Z, memcmp, _except_handler3, _local_unwind2, wcsrchr, swprintf, ??2@YAPAXI@Z, memcpy, strcmp, strrchr, __p___argv, __p___argc, _stricmp, free, malloc, ??0exception@@QAE@ABV0@@Z, ??1exception@@UAE@XZ, ??0exception@@QAE@ABQBD@Z, _CxxThrowException, calloc, strcat, _mbsstr, ??1type_info@@UAE@XZ, _exit, _XcptFilter, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _controlfp

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 21, 2024 15:20:05.697747946 CEST	59301	53	192.168.2.16	162.159.36.2
Aug 21, 2024 15:20:05.713303089 CEST	53	59301	162.159.36.2	192.168.2.16
Aug 21, 2024 15:20:05.713406086 CEST	59301	53	192.168.2.16	162.159.36.2
Aug 21, 2024 15:20:05.713432074 CEST	59301	53	192.168.2.16	162.159.36.2
Aug 21, 2024 15:20:05.946752071 CEST	59301	53	192.168.2.16	162.159.36.2
Aug 21, 2024 15:20:05.951555967 CEST	53	59301	162.159.36.2	192.168.2.16
Aug 21, 2024 15:20:05.952183008 CEST	53	59301	162.159.36.2	192.168.2.16

Target ID:	0
Start time:	09:19:27
Start date:	21/08/2024
Path:	C:\Users\user\Desktop\f_000112.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\f_000112.exe"
Imagebase:	0x400000
File size:	3'514'368 bytes
MD5 hash:	84C82835A5D21BBCF75A61706D8AB549
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000000.00000000.1182915261.000000000040E000.00000008.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000003.1477873631.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Target ID:	7
Start time:	09:19:29
Start date:	21/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	15
Start time:	09:19:30
Start date:	21/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	20
Start time:	09:19:31
Start date:	21/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	25
Start time:	09:19:32
Start date:	21/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	30
Start time:	09:19:33
Start date:	21/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	35
Start time:	09:19:34
Start date:	21/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	39
Start time:	09:19:35
Start date:	21/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	48
Start time:	09:19:36
Start date:	21/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report f_000112

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\@Please_Read_Me@.txt

C:\@WanaDecryptor@.exe

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\osver.txt.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\AppV\Setup\OfficeIntegrator.ps1.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\EventStore.db.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.bmp.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.png.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-192.png.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-32.png.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-40.png.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-48.png.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.bmp.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.png.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpenginedb.db.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRY (copy)

Windows Analysis Report
f_000112

Target ID:	68
Start time:	09:19:39
Start date:	21/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	73
Start time:	09:19:40
Start date:	21/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	77
Start time:	09:19:41
Start date:	21/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	81
Start time:	09:19:42
Start date:	21/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	86
Start time:	09:19:43
Start date:	21/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	90
Start time:	09:19:44
Start date:	21/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	94
Start time:	09:19:45
Start date:	21/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	99
Start time:	09:19:46
Start date:	21/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	104
Start time:	09:19:47
Start date:	21/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	108
Start time:	09:19:48
Start date:	21/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x7ff62c440000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true