Analysis Report LgW71SpKzP

Overview

General Information

Sample Name: LgW71SpKzP (renamed file extension from none to exe)
Analysis ID: 284400
MD5: a75cacc856827260166c52093a40f49b
SHA1: f357f2a0bbd1ac95d9f6c4c1396e4ab718441a99
SHA256: 5837daaf4f7cf7280ec0a749e161015c1de39b35fa26710ce7bb22e352725ed4

Detection

Crysis Wadhrama
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Crysis Ransomware
Yara detected Wadhrama Ransomware
Creates an autostart registry key pointing to binary in C:\Windows
Creates files in the recycle bin to hide itself
Deletes shadow drive data (may be related to ransomware)
Drops PE files to the startup folder
Drops executables to the windows directory (C:\Windows) and starts them
Infects executable files (exe, dll, sys, html)
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
Writes many files with high entropy
Antivirus or Machine Learning detection for unpacked file
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Stores files to the Windows start menu directory
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: LgW71SpKzP.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: LgW71SpKzP.exe Virustotal: Detection: 91%
Source: LgW71SpKzP.exe Metadefender: Detection: 83%
Source: LgW71SpKzP.exe ReversingLabs: Detection: 95%
Machine Learning detection for sample
Source: LgW71SpKzP.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 8.0.LgW71SpKzP.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 9.2.LgW71SpKzP.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 9.0.LgW71SpKzP.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 0.0.LgW71SpKzP.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 8.2.LgW71SpKzP.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen

Spreading:

Infects executable files (exe, dll, sys, html)
Source: C:\Users\user\Desktop\LgW71SpKzP.exe Renamed to system file: C:\Program Files\Microsoft Office\Office16\1033\GrooveIntlResource.dll
Source: C:\Users\user\Desktop\LgW71SpKzP.exe Renamed to system file: C:\Program Files\Microsoft Office\Office16\GROOVEEX.DLL
Source: C:\Windows\System32\LgW71SpKzP.exe Code function: 8_2_00406940 FindFirstFileW, 8_2_00406940

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: LgW71SpKzP.exe, 00000009.00000002.235748518.000000000066A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands:

Yara detected Crysis Ransomware
Source: Yara match File source: Process Memory Space: LgW71SpKzP.exe PID: 4612, type: MEMORY
Source: Yara match File source: Process Memory Space: LgW71SpKzP.exe PID: 6828, type: MEMORY
Yara detected Wadhrama Ransomware
Source: Yara match File source: LgW71SpKzP.exe, type: SAMPLE
Source: Yara match File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\LgW71SpKzP.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\LgW71SpKzP.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\LgW71SpKzP.exe, type: DROPPED
Source: Yara match File source: 8.0.LgW71SpKzP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.LgW71SpKzP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.LgW71SpKzP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.LgW71SpKzP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.LgW71SpKzP.exe.400000.0.unpack, type: UNPACKEDPE
Deletes shadow drive data (may be related to ransomware)
Source: unknown Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: vssadmin.exe, 00000004.00000002.192774982.000001132AB10000.00000002.00000001.sdmp Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
Source: vssadmin.exe, 00000004.00000002.192774982.000001132AB10000.00000002.00000001.sdmp Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
Source: vssadmin.exe, 00000004.00000002.192774982.000001132AB10000.00000002.00000001.sdmp Binary or memory string: vssadmin Delete Shadows
Source: vssadmin.exe, 00000004.00000002.192774982.000001132AB10000.00000002.00000001.sdmp Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
Source: vssadmin.exe, 00000004.00000002.192774982.000001132AB10000.00000002.00000001.sdmp Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
Source: vssadmin.exe, 00000004.00000002.192749536.000001132AA65000.00000004.00000040.sdmp Binary or memory string: vssadmindeleteshadows/all/quiet
Source: vssadmin.exe, 00000004.00000002.192802343.000001132AB40000.00000004.00000020.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quietvssadmin delete shadows /all /quietWinsta0\Default
Source: vssadmin.exe, 00000004.00000002.192802343.000001132AB40000.00000004.00000020.sdmp Binary or memory string: vssadmin delete shadows /all /quiet
May disable shadow drive data (uses vssadmin)
Source: unknown Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
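Added example, not part of the Joe Sandbox report: a small detector that flags the shadow-copy deletion shown above in process-creation telemetry. The events are constructed to mirror the report's process tree (LgW71SpKzP.exe -> cmd.exe -> mode.com / vssadmin.exe); the field names, and every PID except 4612, are assumptions rather than any EDR's schema. Matching runs on a whitespace-stripped, lower-cased command line because the sample's memory also holds the collapsed form vssadmindeleteshadows/all/quiet. The resize-shadowstorage rule goes beyond this report; it is included because shrinking shadow storage is another common way ransomware purges restore points.

```python
"""Flag shadow-copy tampering in process-creation telemetry.

Added example, not part of the sandbox report. The event dictionaries are
constructed to mirror the report's process tree; their field names are an
assumption, not a Sysmon or EDR schema.
"""
import re

_WS = re.compile(r"\s+")

# Patterns are applied to the whitespace-free, lower-cased command line, so
# "vssadmin delete shadows /all /quiet" and the collapsed form found in the
# sample's memory, "vssadmindeleteshadows/all/quiet", hit the same rule.
# The resize rule is a generalisation beyond this report.
SHADOW_RULES = {
    "vssadmin_delete_shadows": re.compile(r"vssadmin(?:\.exe)?deleteshadows"),
    "vssadmin_resize_shadowstorage": re.compile(r"vssadmin(?:\.exe)?resizeshadowstorage"),
}


def normalise(cmdline: str) -> str:
    """Lower-case the command line and drop every whitespace run."""
    return _WS.sub("", cmdline).lower()


def classify(cmdline: str):
    """Return the name of the first matching rule, or None."""
    norm = normalise(cmdline)
    for name, pattern in SHADOW_RULES.items():
        if pattern.search(norm):
            return name
    return None


def find_shadow_tampering(events):
    """Return (pid, parent_image, rule) for every event that matches a rule.

    The parent is kept because, as in the report, vssadmin is launched by a
    cmd.exe that the ransomware spawned; an analyst walks up from there.
    """
    hits = []
    for event in events:
        rule = classify(event["cmdline"])
        if rule is not None:
            hits.append((event["pid"], event["parent_image"], rule))
    return hits


# Constructed telemetry. PID 4612 is one of the sample's PIDs in the report;
# the other PIDs are made up.
SAMPLE_EVENTS = [
    {"pid": 4612, "image": r"C:\Users\user\Desktop\LgW71SpKzP.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"'C:\Users\user\Desktop\LgW71SpKzP.exe'"},
    {"pid": 5100, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\user\Desktop\LgW71SpKzP.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe"},
    {"pid": 5104, "image": r"C:\Windows\System32\mode.com",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "mode con cp select=1251"},
    {"pid": 5108, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 5200, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "VSSADMIN.EXE  Delete   Shadows  /All /Quiet"},
    {"pid": 5300, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for pid, parent, rule in find_shadow_tampering(SAMPLE_EVENTS):
        print(f"pid={pid} parent={parent} rule={rule}")
```

The benign "vssadmin list shadows" event is left alone on purpose: backup agents and administrators run it, so the rule keys on the delete and resize verbs, not on vssadmin.exe itself. Alerting on the parent chain (cmd.exe spawned by a user-writable executable) is what separates this from legitimate maintenance scripts.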
Writes many files with high entropy
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Adobe\ARM\S\1742\AdobeARM.msi.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99981423272
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Adobe\ARM\S\11357\AdobeARM.msi.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99979931543
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Adobe\ARM\S\1742\AdobeARMHelper.exe.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99950372539
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Adobe\ARM\S\11357\AdobeARMHelper.exe.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99954886503
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Adobe\ARM\S\ARM.msi.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99983437119
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.9995523743
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\OFFICE\MySite.ico.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99319811111
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\OFFICE\MySharePoints.ico.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99809470926
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\USOShared\Logs\UpdateUx_Temp.1.etl.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99479307902
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Network\Downloader\edbres00002.jrs.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99987662861
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Network\Downloader\edbres00001.jrs.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99987138696
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Network\Downloader\edb.log.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99984815205
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99985834622
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\OFFICE\DocumentRepository.ico.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99194333102
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\OFFICE\SharePointPortalSite.ico.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.9913988361
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\OFFICE\SharePointTeamSite.ico.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99157336887
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99973461115
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.jtx.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99981940799
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99666163156
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00001.jrs.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99748121349
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.log.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99754813451
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb00001.log.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99723686057
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbtmp.log.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99771515018
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\dmrc.idx.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99971628353
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99969371742
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\User Account Pictures\user.bmp.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99970496656
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Windows\AppxProvisioning.xml.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.9905015481
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpuserdb.db.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99970328424
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99902440387
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb00004.jtx.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.9998098044
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb00006.jtx.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.9998202954
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-report.html.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99115019417
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbres00001.jrs.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.9998298497
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb00005.jtx.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99982206028
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbres00002.jrs.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99982116501
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbtmp.jtx.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99979451346
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpuser.exe.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99883540226
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99959814012
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99960151622
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99962824112
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99960619498
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedScenarios\windows.uif_ondemand.xml.inbox.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99984682115
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\customizations.xml.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99975281351
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime.xml.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99951890577
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Provisioning\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\customizations.xml.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99657237455
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.001.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.9976869673
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.002.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99710647833
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.002.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99709506864
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.001.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99740619475
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99973591863
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99975519919
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-report-2020-07-23.xml.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99322814547
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-report-latest.xml.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99355204754
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99927918721
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99932112535
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000003.db.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99940149726
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99972252035
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-75AA7CADA49CCFA36E050EBC1592844DDD43B44E.bin.20.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99939802389
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-75AA7CADA49CCFA36E050EBC1592844DDD43B44E.bin.55.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99963471693
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-75AA7CADA49CCFA36E050EBC1592844DDD43B44E.bin.70.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.9996530835
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-75AA7CADA49CCFA36E050EBC1592844DDD43B44E.bin.CE.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.9993154179
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\cab1.cab.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99981336804
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Package Cache\{19F7E289-17B8-44EC-A099-927507B6F739}v14.21.27702\packages\vcRuntimeMinimum_x86\cab1.cab.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99984739435
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.9997544593
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-06272019-074918-7-5f-17134.1.amd64fre.rs4_release.180410-1804.etl.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.9921484463
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99874335845
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Package Cache\{19F7E289-17B8-44EC-A099-927507B6F739}v14.21.27702\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99906829053
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64\cab1.cab.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99979945788
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99884372898
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99976404915
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\cab1.cab.id-E1DA14A2.[btckeys@aol.com].2020 entropy: 7.99988923864
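Added example, not part of the report: the two indicators behind "Writes many files with high entropy" and the encrypted-file naming listed above, combined into a file-triage helper. Shannon entropy near 8 bits per byte is what the report measures for each dropped file; the name pattern <original>.id-<8 hex>.[<contact e-mail>].<extension> is taken from the paths shown. The byte strings in the block are constructed and are not the content of the analysed files; the 7.9 threshold is a choice for illustration.

```python
"""Triage dropped files on the two indicators the report combines: Shannon
entropy near 8 bits/byte and the Dharma/Crysis encrypted-file name
<original>.id-<8 hex>.[<contact e-mail>].<extension>.

Added example, not part of the sandbox report. The byte strings below are
constructed; they are not the content of the analysed files.
"""
import math
import re
from collections import Counter

# Name layout seen in the report, e.g. AdobeARM.msi.id-E1DA14A2.[btckeys@aol.com].2020
DHARMA_NAME = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<contact>[^\]]+)\]\.(?P<ext>[^.]+)$"
)

# Illustrative cut-off; every file the report lists scores above 7.99.
HIGH_ENTROPY_THRESHOLD = 7.9


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_dharma_name(path: str):
    """Return the name's fields as a dict, or None if it is not in the pattern."""
    basename = re.split(r"[\\/]", path)[-1]  # works for Windows paths on any host
    match = DHARMA_NAME.match(basename)
    return match.groupdict() if match else None


def triage(path: str, data: bytes) -> dict:
    """Score one file; 'suspicious' requires both indicators together."""
    entropy = shannon_entropy(data)
    fields = parse_dharma_name(path)
    return {
        "path": path,
        "entropy": round(entropy, 3),
        "high_entropy": entropy >= HIGH_ENTROPY_THRESHOLD,
        "dharma_name": fields,
        "suspicious": entropy >= HIGH_ENTROPY_THRESHOLD and fields is not None,
    }


# Constructed inputs: a uniform byte stream standing in for ciphertext, and
# repetitive ASCII standing in for an untouched file.
SAMPLE_FILES = [
    (r"C:\ProgramData\Adobe\ARM\S\ARM.msi.id-E1DA14A2.[btckeys@aol.com].2020",
     bytes(range(256)) * 16),
    (r"C:\ProgramData\Microsoft\Windows\AppxProvisioning.xml",
     b'<?xml version="1.0"?><Provisioning/>' * 40),
]

if __name__ == "__main__":
    for path, data in SAMPLE_FILES:
        print(triage(path, data))
```

Requiring both indicators matters in practice: compressed archives, cab files and MSI payloads (several appear in the list above) already sit near 8 bits per byte before encryption, so entropy alone cannot tell an encrypted file from a packed one. The victim_id field is the per-host identifier the ransom note refers to, and the contact field is the pivot for clustering other samples from the same campaign.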

System Summary:

Malicious sample detected (through community Yara rule)
Source: LgW71SpKzP.exe, type: SAMPLE Matched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\LgW71SpKzP.exe, type: DROPPED Matched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\LgW71SpKzP.exe, type: DROPPED Matched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\LgW71SpKzP.exe, type: DROPPED Matched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
Source: 8.0.LgW71SpKzP.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
Source: 9.0.LgW71SpKzP.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
Source: 0.0.LgW71SpKzP.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
Source: 8.2.LgW71SpKzP.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
Source: 9.2.LgW71SpKzP.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
Creates files inside the system directory
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Windows\System32\LgW71SpKzP.exe
Detected potential crypto function
Source: C:\Windows\System32\LgW71SpKzP.exe Code function: 8_2_004034C0 8_2_004034C0
Source: C:\Windows\System32\LgW71SpKzP.exe Code function: 8_2_00403AE0 8_2_00403AE0
Source: C:\Windows\System32\LgW71SpKzP.exe Code function: 8_2_00405F30 8_2_00405F30
Yara signature match
Source: LgW71SpKzP.exe, type: SAMPLE Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\LgW71SpKzP.exe, type: DROPPED Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\LgW71SpKzP.exe, type: DROPPED Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\LgW71SpKzP.exe, type: DROPPED Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: 8.0.LgW71SpKzP.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: 9.0.LgW71SpKzP.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: 0.0.LgW71SpKzP.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: 8.2.LgW71SpKzP.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: 9.2.LgW71SpKzP.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
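Added example, not part of the report or of the MAL_Ransomware_Wadhrama rule: how an import hash is built, since the rule above keys on imphash. The normalisation is the published scheme (lower-cased library name with .dll/.ocx/.sys removed, lower-cased function name or ord<N> for an unresolved ordinal, entries comma-joined in import-table order, MD5 of the result). The import list in the block is constructed, so the hash it yields is not this sample's imphash, which the page does not state; the ordinal tables are abbreviated and are an assumption.

```python
"""Build an import hash (imphash), the fingerprint the MAL_Ransomware_Wadhrama
rule keys on.

Added example, not part of the report or of the rule. The import table below
is constructed for illustration, so its hash is not this sample's imphash,
which the page does not state. The ordinal tables are abbreviated
(assumption: a real implementation carries the full lists).
"""
import hashlib

# imphash resolves ordinals to names only for these three libraries.
ORDINAL_NAMES = {
    "ws2_32": {1: "accept", 2: "bind", 23: "socket", 115: "WSAStartup", 116: "WSACleanup"},
    "wsock32": {1: "accept", 2: "bind", 23: "socket", 115: "WSAStartup", 116: "WSACleanup"},
    "oleaut32": {2: "SysAllocString", 6: "SysFreeString"},
}
STRIPPED_EXTENSIONS = (".dll", ".ocx", ".sys")


def normalise_import(dll: str, func) -> str:
    """One 'lib.func' token: lower-cased, library extension removed,
    ordinals (int) resolved where a table exists, else 'ord<N>'."""
    lib = dll.lower()
    for ext in STRIPPED_EXTENSIONS:
        if lib.endswith(ext):
            lib = lib[: -len(ext)]
            break
    if isinstance(func, int):
        func = ORDINAL_NAMES.get(lib, {}).get(func, f"ord{func}")
    return f"{lib}.{func.lower()}"


def imphash_preimage(imports) -> str:
    """Comma-joined tokens in import-table order; reordering changes the hash."""
    return ",".join(normalise_import(dll, func) for dll, func in imports)


def imphash(imports) -> str:
    """MD5 of the preimage, as a lower-case hex string."""
    return hashlib.md5(imphash_preimage(imports).encode("ascii")).hexdigest()


# Constructed import table. The named APIs are ones the report mentions
# (FindFirstFileW, CreateToolhelp32Snapshot, GetProcessHeap, DirectDrawCreateEx);
# the ordinal entries are there to show resolution. This is not the sample's
# real import directory.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "FindFirstFileW"),
    ("KERNEL32.dll", "CreateToolhelp32Snapshot"),
    ("KERNEL32.dll", "GetProcessHeap"),
    ("DDRAW.dll", "DirectDrawCreateEx"),
    ("WS2_32.dll", 115),
    ("OLEAUT32.dll", 2),
]

if __name__ == "__main__":
    print(imphash_preimage(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

A single imphash rule matching the submitted file, the dropped Startup-folder copies and every 0x400000 unpack is consistent with all of them carrying the same import directory, which is what makes imphash a cheap pivot across a family built from one source tree. The hash is order-sensitive and sees only the static import table, so a rebuild that reorders imports, or a variant that resolves its APIs at run time (the report also flags "Contains functionality to dynamically determine API calls"), yields a different or much shorter preimage and slips past the rule.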
Source: LgW71SpKzP.exe Static PE information: Section: .data ZLIB complexity 0.99158296131
Source: LgW71SpKzP.exe.0.dr Static PE information: Section: .data ZLIB complexity 0.99158296131
Source: LgW71SpKzP.exe0.0.dr Static PE information: Section: .data ZLIB complexity 0.99158296131
Source: LgW71SpKzP.exe1.0.dr Static PE information: Section: .data ZLIB complexity 0.99158296131
Source: LgW71SpKzP.exe, 00000000.00000003.187902335.0000000000789000.00000004.00000001.sdmp Binary or memory string: r;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;
Source: LgW71SpKzP.exe, 00000000.00000003.284107304.0000000000789000.00000004.00000001.sdmp Binary or memory string: ;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;
Source: LgW71SpKzP.exe, 00000000.00000003.345996690.0000000000789000.00000004.00000001.sdmp Binary or memory string: u;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;
Source: LgW71SpKzP.exe, 00000000.00000003.284107304.0000000000789000.00000004.00000001.sdmp Binary or memory string: .slnl
Source: LgW71SpKzP.exe, 00000000.00000003.186204549.000000000078C000.00000004.00000001.sdmp Binary or memory string: 4;.mpeg;.mpg;.mpv;.mrw;.msg;.mxl;.myd;.myi;.nef;.nrw;.obj;.odb;.odc;.odm;.odp;.ods;.oft;.one;.onepkg;.onetoc2;.opt;.oqy;.orf;.p12;.p7b;.p7c;.pam;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;
Source: classification engine Classification label: mal100.rans.spre.adwa.evad.winEXE@11/1025@0/0
Source: C:\Windows\System32\LgW71SpKzP.exe Code function: 8_2_00406A00 CreateToolhelp32Snapshot, 8_2_00406A00
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LgW71SpKzP.exe
Source: C:\Users\user\Desktop\LgW71SpKzP.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\syncronize_38R306U
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6192:120:WilError_01
Source: C:\Users\user\Desktop\LgW71SpKzP.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\syncronize_38R306A
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WER\Temp\WER12C8.tmp.WERInternalMetadata.xml.id-E1DA14A2.[btckeys@aol.com].2020
Source: LgW71SpKzP.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File read: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1001\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: LgW71SpKzP.exe Virustotal: Detection: 91%
Source: LgW71SpKzP.exe Metadefender: Detection: 83%
Source: LgW71SpKzP.exe ReversingLabs: Detection: 95%
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File read: C:\Users\user\Desktop\LgW71SpKzP.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\LgW71SpKzP.exe 'C:\Users\user\Desktop\LgW71SpKzP.exe'
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\mode.com mode con cp select=1251
Source: unknown Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: unknown Process created: C:\Windows\System32\LgW71SpKzP.exe 'C:\Windows\System32\LgW71SpKzP.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LgW71SpKzP.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LgW71SpKzP.exe'
Source: unknown Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Users\user\Desktop\LgW71SpKzP.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode con cp select=1251 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet Jump to behavior
Source: C:\Windows\System32\vssadmin.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\InProcServer32 Jump to behavior
Source: LgW71SpKzP.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\crysis\Release\PDB\payload.pdb source: LgW71SpKzP.exe
Source: Binary string: C:\crysis\Release\PDB\payload.pdb- source: LgW71SpKzP.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\LgW71SpKzP.exe Code function: 8_2_004065E0 LoadLibraryA,GetProcAddress, 8_2_004065E0

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: unknown Executable created and started: C:\Windows\System32\LgW71SpKzP.exe
Infects executable files (exe, dll, sys, html)
Source: C:\Users\user\Desktop\LgW71SpKzP.exe Renamed to system file: C:\Program Files\Microsoft Office\Office16\1033\GrooveIntlResource.dll Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe Renamed to system file: C:\Program Files\Microsoft Office\Office16\GROOVEEX.DLL Jump to behavior
Drops PE files
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LgW71SpKzP.exe Jump to dropped file
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\68__Connections.provxml.id-E1DA14A2.[btckeys@aol.com].2020 Jump to dropped file
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Windows\System32\LgW71SpKzP.exe Jump to dropped file
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\LgW71SpKzP.exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\68__Connections.provxml.id-E1DA14A2.[btckeys@aol.com].2020 Jump to dropped file
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\LgW71SpKzP.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Windows\System32\LgW71SpKzP.exe Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\68__Connections.provxml.id-E1DA14A2.[btckeys@aol.com].2020 Jump to dropped file

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows
Source: C:\Users\user\Desktop\LgW71SpKzP.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LgW71SpKzP.exe Jump to behavior
Drops PE files to the startup folder
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LgW71SpKzP.exe Jump to dropped file
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\LgW71SpKzP.exe Jump to dropped file
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LgW71SpKzP.exe Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LgW71SpKzP.exe Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\LgW71SpKzP.exe Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Access 2016.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Excel 2016.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Word 2016.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\05 - Music.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\07 - Videos.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\09 - Network.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\desktop.ini.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Math Input Panel.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Paint.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Quick Assist.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Snipping Tool.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Steps Recorder.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Wordpad.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Acrobat Reader DC.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\dfrgui.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\AutoIt Help File.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Check For Updates.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Examples.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Run Script (x64).lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Run Script (x86).lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Immersive Control Panel.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\About Java.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Check For Updates.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Get Help.url.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Configure Java.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Visit Java.com.url.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\OneNote 2016.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Outlook 2016.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\OneDrive for Business.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PowerPoint 2016.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Skype for Business 2016.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Publisher 2016.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Task Manager.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Desktop.ini.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\desktop.ini.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\desktop.ini.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Desktop.ini.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\01 - File Explorer.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\03 - Documents.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\04 - Downloads.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\06 - Pictures.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\08 - Homegroup.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\10 - UserProfile.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\desktop.ini.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\desktop.ini.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Speech Recognition.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\Character Map.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Windows Fax and Scan.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Windows Media Player.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Component Services.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Disk Cleanup.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Event Viewer.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Computer Management.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\iSCSI Initiator.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Memory Diagnostics Tool.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Performance Monitor.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Print Management.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Resource Monitor.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\RecoveryDrive.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\System Configuration.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\services.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\System Information.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Task Scheduler.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\AutoIt Window Info (x64).lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\AutoIt Window Info (x86).lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Compile Script to .exe (x64).lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Compile Script to .exe (x86).lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\AutoIt v3 Website.lnk.id-E1DA14A2.[btckeys@aol.com].2020 Jump to behavior
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\AutoItX\AutoItX Help File.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\AutoItX\VBScript Examples.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\Browse Extras.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\SciTE Script Editor.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\ODBC Data Sources (32-bit).lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\ODBC Data Sources (64-bit).lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Security Configuration Management.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\Office 2016 Language Preferences.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\Database Compare 2016.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\Office 2016 Upload Center.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\Spreadsheet Compare 2016.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\Telemetry Log for Office 2016.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LgW71SpKzP.exe
Source: C:\Users\user\Desktop\LgW71SpKzP.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LgW71SpKzP.exe

Hooking and other Techniques for Hiding and Protection:

Creates files in the recycle bin to hide itself
Source: C:\Users\user\Desktop\LgW71SpKzP.exe File created: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1001\desktop.ini.id-E1DA14A2.[btckeys@aol.com].2020

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\LgW71SpKzP.exe Code function: 8_2_004053B0 rdtsc 8_2_004053B0
Contains functionality to enumerate running services
Source: C:\Windows\System32\LgW71SpKzP.exe Code function: EnumServicesStatusExW, 8_2_00406AF0
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\LgW71SpKzP.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\68__Connections.provxml.id-E1DA14A2.[btckeys@aol.com].2020
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\LgW71SpKzP.exe TID: 6240 Thread sleep count: 102 > 30
Source: C:\Users\user\Desktop\LgW71SpKzP.exe TID: 3356 Thread sleep count: 53 > 30
Source: C:\Windows\System32\LgW71SpKzP.exe Code function: 8_2_00406940 FindFirstFileW, 8_2_00406940
Source: C:\Users\user\Desktop\LgW71SpKzP.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\LgW71SpKzP.exe Code function: 8_2_004053B0 rdtsc 8_2_004053B0
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\LgW71SpKzP.exe Code function: 8_2_004065E0 LoadLibraryA,GetProcAddress, 8_2_004065E0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\LgW71SpKzP.exe Code function: 8_2_00406950 GetProcessHeap, 8_2_00406950

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\LgW71SpKzP.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode con cp select=1251
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet

Language, Device and Operating System Detection:

Queries the volume information (name, serial number, etc.) of a device
Source: C:\Users\user\Desktop\LgW71SpKzP.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\LgW71SpKzP.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\LgW71SpKzP.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\LgW71SpKzP.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\LgW71SpKzP.exe Code function: 8_2_004068A0 GetVersion, 8_2_004068A0