Analysis Report LgW71SpKzP

Overview

General Information

Sample Name: LgW71SpKzP (renamed file extension from none to exe)
Analysis ID: 284400
MD5: a75cacc856827260166c52093a40f49b
SHA1: f357f2a0bbd1ac95d9f6c4c1396e4ab718441a99
SHA256: 5837daaf4f7cf7280ec0a749e161015c1de39b35fa26710ce7bb22e352725ed4

Detection

Crysis Wadhrama
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Crysis Ransomware
Yara detected Wadhrama Ransomware
Creates an autostart registry key pointing to binary in C:\Windows
Creates files in the recycle bin to hide itself
Deletes shadow drive data (may be related to ransomware)
Drops PE files to the startup folder
Drops executables to the windows directory (C:\Windows) and starts them
Infects executable files (exe, dll, sys, html)
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
Writes many files with high entropy
Antivirus or Machine Learning detection for unpacked file
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Stores files to the Windows start menu directory
Yara signature match

Startup

  • System is w10x64
  • LgW71SpKzP.exe (PID: 4612 cmdline: 'C:\Users\user\Desktop\LgW71SpKzP.exe' MD5: A75CACC856827260166C52093A40F49B)
    • cmd.exe (PID: 4716 cmdline: C:\Windows\system32\cmd.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 6192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • mode.com (PID: 6632 cmdline: mode con cp select=1251 MD5: 1A3D2D975EB4A5AF22768F1E23C9A83C)
      • vssadmin.exe (PID: 4320 cmdline: vssadmin delete shadows /all /quiet MD5: 47D51216EF45075B5F7EAA117CC70E40)
  • LgW71SpKzP.exe (PID: 6216 cmdline: 'C:\Windows\System32\LgW71SpKzP.exe' MD5: A75CACC856827260166C52093A40F49B)
  • LgW71SpKzP.exe (PID: 6828 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LgW71SpKzP.exe' MD5: A75CACC856827260166C52093A40F49B)
  • OpenWith.exe (PID: 2024 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: D179D03728E95E040A889F760C1FC402)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author
LgW71SpKzP.exe | MAL_Ransomware_Wadhrama | Detects Wadhrama Ransomware via Imphash | Florian Roth
LgW71SpKzP.exe | JoeSecurity_Wadhrama | Yara detected Wadhrama Ransomware | Joe Security

Dropped Files

Source | Rule | Description | Author
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\LgW71SpKzP.exe | MAL_Ransomware_Wadhrama | Detects Wadhrama Ransomware via Imphash | Florian Roth
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\LgW71SpKzP.exe | JoeSecurity_Wadhrama | Yara detected Wadhrama Ransomware | Joe Security
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\LgW71SpKzP.exe | MAL_Ransomware_Wadhrama | Detects Wadhrama Ransomware via Imphash | Florian Roth
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\LgW71SpKzP.exe | JoeSecurity_Wadhrama | Yara detected Wadhrama Ransomware | Joe Security
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\LgW71SpKzP.exe | MAL_Ransomware_Wadhrama | Detects Wadhrama Ransomware via Imphash | Florian Roth

Memory Dumps

Source | Rule | Description | Author
Process Memory Space: LgW71SpKzP.exe PID: 4612 | JoeSecurity_Crysis | Yara detected Crysis Ransomware | Joe Security
Process Memory Space: LgW71SpKzP.exe PID: 6828 | JoeSecurity_Crysis | Yara detected Crysis Ransomware | Joe Security

Unpacked PEs

Source | Rule | Description | Author
8.0.LgW71SpKzP.exe.400000.0.unpack | MAL_Ransomware_Wadhrama | Detects Wadhrama Ransomware via Imphash | Florian Roth
8.0.LgW71SpKzP.exe.400000.0.unpack | JoeSecurity_Wadhrama | Yara detected Wadhrama Ransomware | Joe Security
9.0.LgW71SpKzP.exe.400000.0.unpack | MAL_Ransomware_Wadhrama | Detects Wadhrama Ransomware via Imphash | Florian Roth
9.0.LgW71SpKzP.exe.400000.0.unpack | JoeSecurity_Wadhrama | Yara detected Wadhrama Ransomware | Joe Security
0.0.LgW71SpKzP.exe.400000.0.unpack | MAL_Ransomware_Wadhrama | Detects Wadhrama Ransomware via Imphash | Florian Roth

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
  Source: LgW71SpKzP.exe | Avira: detected
Multi AV Scanner detection for submitted file
  Source: LgW71SpKzP.exe | Virustotal: Detection: 91%
  Source: LgW71SpKzP.exe | Metadefender: Detection: 83%
  Source: LgW71SpKzP.exe | ReversingLabs: Detection: 95%
Machine Learning detection for sample
  Source: LgW71SpKzP.exe | Joe Sandbox ML: detected
  Source: 8.0.LgW71SpKzP.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
  Source: 9.2.LgW71SpKzP.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
  Source: 9.0.LgW71SpKzP.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
  Source: 0.0.LgW71SpKzP.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
  Source: 8.2.LgW71SpKzP.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen

Spreading:

Infects executable files (exe, dll, sys, html)
  Source: C:\Users\user\Desktop\LgW71SpKzP.exe | Renamed to system file: C:\Program Files\Microsoft Office\Office16\1033\GrooveIntlResource.dll
  Source: C:\Users\user\Desktop\LgW71SpKzP.exe | Renamed to system file: C:\Program Files\Microsoft Office\Office16\GROOVEEX.DLL
  Source: C:\Windows\System32\LgW71SpKzP.exe | Code function: 8_2_00406940 FindFirstFileW
  Source: LgW71SpKzP.exe, 00000009.00000002.235748518.000000000066A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands:

Yara detected Crysis Ransomware
  Source: Yara match | File source: Process Memory Space: LgW71SpKzP.exe PID: 4612, type: MEMORY
  Source: Yara match | File source: Process Memory Space: LgW71SpKzP.exe PID: 6828, type: MEMORY
Yara detected Wadhrama Ransomware
  Source: Yara match | File source: LgW71SpKzP.exe, type: SAMPLE
  Source: Yara match | File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\LgW71SpKzP.exe, type: DROPPED
  Source: Yara match | File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\LgW71SpKzP.exe, type: DROPPED
  Source: Yara match | File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\LgW71SpKzP.exe, type: DROPPED
  Source: Yara match | File source: 8.0.LgW71SpKzP.exe.400000.0.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 9.0.LgW71SpKzP.exe.400000.0.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 0.0.LgW71SpKzP.exe.400000.0.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 8.2.LgW71SpKzP.exe.400000.0.unpack, type: UNPACKEDPE
  Source: Yara match | File source: 9.2.LgW71SpKzP.exe.400000.0.unpack, type: UNPACKEDPE
Deletes shadow drive data (may be related to ransomware)
  Source: unknown | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
  Source: vssadmin.exe, 00000004.00000002.192774982.000001132AB10000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
  Source: vssadmin.exe, 00000004.00000002.192774982.000001132AB10000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
  Source: vssadmin.exe, 00000004.00000002.192774982.000001132AB10000.00000002.00000001.sdmp | Binary or memory string: vssadmin Delete Shadows
  Source: vssadmin.exe, 00000004.00000002.192774982.000001132AB10000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
  Source: vssadmin.exe, 00000004.00000002.192774982.000001132AB10000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
  Source: vssadmin.exe, 00000004.00000002.192749536.000001132AA65000.00000004.00000040.sdmp | Binary or memory string: vssadmindeleteshadows/all/quiet
  Source: vssadmin.exe, 00000004.00000002.192802343.000001132AB40000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quietvssadmin delete shadows /all /quietWinsta0\Default
  Source: vssadmin.exe, 00000004.00000002.192802343.000001132AB40000.00000004.00000020.sdmp | Binary or memory string: vssadmin delete shadows /all /quiet
May disable shadow drive data (uses vssadmin)
  Source: unknown | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Writes many files with high entropy

                              System Summary:

                              barindex
                              Malicious sample detected (through community Yara rule)Show sources
                              Source: LgW71SpKzP.exe, type: SAMPLEMatched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
                              Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\LgW71SpKzP.exe, type: DROPPEDMatched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
                              Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\LgW71SpKzP.exe, type: DROPPEDMatched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
                              Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\LgW71SpKzP.exe, type: DROPPEDMatched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
                              Source: 8.0.LgW71SpKzP.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
                              Source: 9.0.LgW71SpKzP.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
                              Source: 0.0.LgW71SpKzP.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
                              Source: 8.2.LgW71SpKzP.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
                              Source: 9.2.LgW71SpKzP.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Windows\System32\LgW71SpKzP.exeJump to behavior
                              Source: C:\Windows\System32\LgW71SpKzP.exeCode function: 8_2_004034C08_2_004034C0
                              Source: C:\Windows\System32\LgW71SpKzP.exeCode function: 8_2_00403AE08_2_00403AE0
                              Source: C:\Windows\System32\LgW71SpKzP.exeCode function: 8_2_00405F308_2_00405F30
                              Source: LgW71SpKzP.exe, type: SAMPLEMatched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\LgW71SpKzP.exe, type: DROPPED | Matched rule: MAL_Ransomware_Wadhrama | date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: 8.0.LgW71SpKzP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Ransomware_Wadhrama | date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: 9.0.LgW71SpKzP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Ransomware_Wadhrama | date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: 0.0.LgW71SpKzP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Ransomware_Wadhrama | date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: 8.2.LgW71SpKzP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Ransomware_Wadhrama | date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: 9.2.LgW71SpKzP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Ransomware_Wadhrama | date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: LgW71SpKzP.exe | Static PE information: Section: .data ZLIB complexity 0.99158296131
Source: LgW71SpKzP.exe.0.dr | Static PE information: Section: .data ZLIB complexity 0.99158296131
Source: LgW71SpKzP.exe0.0.dr | Static PE information: Section: .data ZLIB complexity 0.99158296131
Source: LgW71SpKzP.exe1.0.dr | Static PE information: Section: .data ZLIB complexity 0.99158296131
Source: LgW71SpKzP.exe, 00000000.00000003.187902335.0000000000789000.00000004.00000001.sdmp | Binary or memory string: r;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;
Source: LgW71SpKzP.exe, 00000000.00000003.284107304.0000000000789000.00000004.00000001.sdmp | Binary or memory string: .slnl
Source: LgW71SpKzP.exe, 00000000.00000003.186204549.000000000078C000.00000004.00000001.sdmp | Binary or memory string: 4;.mpeg;.mpg;.mpv;.mrw;.msg;.mxl;.myd;.myi;.nef;.nrw;.obj;.odb;.odc;.odm;.odp;.ods;.oft;.one;.onepkg;.onetoc2;.opt;.oqy;.orf;.p12;.p7b;.p7c;.pam;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;
Source: classification engine | Classification label: mal100.rans.spre.adwa.evad.winEXE@11/1025@0/0
Source: C:\Windows\System32\LgW71SpKzP.exe | Code function: 8_2_00406A00 CreateToolhelp32Snapshot
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LgW71SpKzP.exe
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\syncronize_38R306U
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6192:120:WilError_01
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\syncronize_38R306A
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WER\Temp\WER12C8.tmp.WERInternalMetadata.xml.id-E1DA14A2.[btckeys@aol.com].2020
Source: LgW71SpKzP.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File read: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1001\desktop.ini
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LgW71SpKzP.exe | Virustotal: Detection: 91%
Source: LgW71SpKzP.exe | Metadefender: Detection: 83%
Source: LgW71SpKzP.exe | ReversingLabs: Detection: 95%
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File read: C:\Users\user\Desktop\LgW71SpKzP.exe
Source: unknown | Process created: C:\Users\user\Desktop\LgW71SpKzP.exe 'C:\Users\user\Desktop\LgW71SpKzP.exe'
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\mode.com mode con cp select=1251
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: unknown | Process created: C:\Windows\System32\LgW71SpKzP.exe 'C:\Windows\System32\LgW71SpKzP.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LgW71SpKzP.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LgW71SpKzP.exe'
Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mode.com mode con cp select=1251
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\vssadmin.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\InProcServer32
Source: LgW71SpKzP.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\crysis\Release\PDB\payload.pdb | source: LgW71SpKzP.exe
Source: Binary string: C:\crysis\Release\PDB\payload.pdb- | source: LgW71SpKzP.exe
Source: C:\Windows\System32\LgW71SpKzP.exe | Code function: 8_2_004065E0 LoadLibraryA,GetProcAddress

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: unknown | Executable created and started: C:\Windows\System32\LgW71SpKzP.exe
Infects executable files (exe, dll, sys, html)
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | Renamed to system file: C:\Program Files\Microsoft Office\Office16\1033\GrooveIntlResource.dll
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | Renamed to system file: C:\Program Files\Microsoft Office\Office16\GROOVEEX.DLL
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LgW71SpKzP.exe
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\68__Connections.provxml.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Windows\System32\LgW71SpKzP.exe
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\LgW71SpKzP.exe

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LgW71SpKzP.exe
Drops PE files to the startup folder
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LgW71SpKzP.exe
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\LgW71SpKzP.exe
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\LgW71SpKzP.exe
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Access 2016.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Excel 2016.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Word 2016.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\05 - Music.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\07 - Videos.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\09 - Network.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\desktop.ini.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Math Input Panel.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Paint.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Quick Assist.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Snipping Tool.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Steps Recorder.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Wordpad.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Acrobat Reader DC.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\dfrgui.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\AutoIt Help File.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Check For Updates.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Examples.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Run Script (x64).lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Run Script (x86).lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Immersive Control Panel.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\About Java.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Check For Updates.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Get Help.url.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Configure Java.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Visit Java.com.url.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\OneNote 2016.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Outlook 2016.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\OneDrive for Business.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PowerPoint 2016.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Skype for Business 2016.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Publisher 2016.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Task Manager.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Desktop.ini.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\desktop.ini.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\desktop.ini.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Desktop.ini.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\01 - File Explorer.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\03 - Documents.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\04 - Downloads.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\06 - Pictures.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\08 - Homegroup.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\10 - UserProfile.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\desktop.ini.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\desktop.ini.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Speech Recognition.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\Character Map.lnk.id-E1DA14A2.[btckeys@aol.com].2020
Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Windows Fax and Scan.lnk.id-E1DA14A2.[btckeys@aol.com].2020
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Windows Media Player.lnk.id-E1DA14A2.[btckeys@aol.com].2020Jump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Component Services.lnk.id-E1DA14A2.[btckeys@aol.com].2020Jump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Disk Cleanup.lnk.id-E1DA14A2.[btckeys@aol.com].2020Jump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Event Viewer.lnk.id-E1DA14A2.[btckeys@aol.com].2020Jump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Computer Management.lnk.id-E1DA14A2.[btckeys@aol.com].2020Jump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\iSCSI Initiator.lnk.id-E1DA14A2.[btckeys@aol.com].2020Jump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Memory Diagnostics Tool.lnk.id-E1DA14A2.[btckeys@aol.com].2020Jump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Performance Monitor.lnk.id-E1DA14A2.[btckeys@aol.com].2020Jump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Print Management.lnk.id-E1DA14A2.[btckeys@aol.com].2020Jump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Resource Monitor.lnk.id-E1DA14A2.[btckeys@aol.com].2020Jump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\RecoveryDrive.lnk.id-E1DA14A2.[btckeys@aol.com].2020Jump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\System Configuration.lnk.id-E1DA14A2.[btckeys@aol.com].2020Jump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\services.lnk.id-E1DA14A2.[btckeys@aol.com].2020Jump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\System Information.lnk.id-E1DA14A2.[btckeys@aol.com].2020Jump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Task Scheduler.lnk.id-E1DA14A2.[btckeys@aol.com].2020Jump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\AutoIt Window Info (x64).lnk.id-E1DA14A2.[btckeys@aol.com].2020Jump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\AutoIt Window Info (x86).lnk.id-E1DA14A2.[btckeys@aol.com].2020Jump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Compile Script to .exe (x64).lnk.id-E1DA14A2.[btckeys@aol.com].2020Jump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Compile Script to .exe (x86).lnk.id-E1DA14A2.[btckeys@aol.com].2020Jump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\AutoIt v3 Website.lnk.id-E1DA14A2.[btckeys@aol.com].2020Jump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\AutoItX\AutoItX Help File.lnk.id-E1DA14A2.[btckeys@aol.com].2020Jump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\AutoItX\VBScript Examples.lnk.id-E1DA14A2.[btckeys@aol.com].2020Jump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\Browse Extras.lnk.id-E1DA14A2.[btckeys@aol.com].2020Jump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\SciTE Script Editor.lnk.id-E1DA14A2.[btckeys@aol.com].2020Jump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\ODBC Data Sources (32-bit).lnk.id-E1DA14A2.[btckeys@aol.com].2020Jump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\ODBC Data Sources (64-bit).lnk.id-E1DA14A2.[btckeys@aol.com].2020Jump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Security Configuration Management.lnk.id-E1DA14A2.[btckeys@aol.com].2020Jump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\Office 2016 Language Preferences.lnk.id-E1DA14A2.[btckeys@aol.com].2020Jump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\Database Compare 2016.lnk.id-E1DA14A2.[btckeys@aol.com].2020Jump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\Office 2016 Upload Center.lnk.id-E1DA14A2.[btckeys@aol.com].2020Jump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\Spreadsheet Compare 2016.lnk.id-E1DA14A2.[btckeys@aol.com].2020Jump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\Telemetry Log for Office 2016.lnk.id-E1DA14A2.[btckeys@aol.com].2020Jump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LgW71SpKzP.exeJump to behavior
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LgW71SpKzP.exeJump to behavior

                              Hooking and other Techniques for Hiding and Protection:

                              Creates files in the recycle bin to hide itself
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exe | File created: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1001\desktop.ini.id-E1DA14A2.[btckeys@aol.com].2020
                              Source: C:\Windows\System32\LgW71SpKzP.exe | Code function: 8_2_004053B0 rdtsc 8_2_004053B0
                              Source: C:\Windows\System32\LgW71SpKzP.exe | Code function: EnumServicesStatusExW,8_2_00406AF0
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\68__Connections.provxml.id-E1DA14A2.[btckeys@aol.com].2020
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exe TID: 6240 | Thread sleep count: 102 > 30
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exe TID: 3356 | Thread sleep count: 53 > 30
                              Source: C:\Windows\System32\LgW71SpKzP.exe | Code function: 8_2_00406940 FindFirstFileW,8_2_00406940
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exe | Process information queried: ProcessInformation
                              Source: C:\Windows\System32\LgW71SpKzP.exe | Code function: 8_2_004053B0 rdtsc 8_2_004053B0
                              Source: C:\Windows\System32\LgW71SpKzP.exe | Code function: 8_2_004065E0 LoadLibraryA,GetProcAddress,8_2_004065E0
                              Source: C:\Windows\System32\LgW71SpKzP.exe | Code function: 8_2_00406950 GetProcessHeap,8_2_00406950
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
                              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mode.com mode con cp select=1251
                              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exe | Queries volume information: C:\ VolumeInformation
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exe | Queries volume information: C:\ VolumeInformation
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exe | Queries volume information: C:\ VolumeInformation
                              Source: C:\Users\user\Desktop\LgW71SpKzP.exe | Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\LgW71SpKzP.exe | Code function: 8_2_004068A0 GetVersion,8_2_004068A0

                              Mitre Att&ck Matrix

                              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                              Valid Accounts | Native API 1 | Startup Items 1 | Startup Items 1 | Masquerading 131 | Input Capture 1 | Security Software Discovery 2 | Taint Shared Content | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                              Default Accounts | Scheduled Task/Job | Registry Run Keys / Startup Folder 221 | Process Injection 11 | Virtualization/Sandbox Evasion 1 | LSASS Memory | Virtualization/Sandbox Evasion 1 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                              Domain Accounts | At (Linux) | Logon Script (Windows) | Registry Run Keys / Startup Folder 221 | Process Injection 11 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                              Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Hidden Files and Directories 1 | NTDS | System Service Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                              Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 2 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                              Replication Through Removable Media | Launchd | Rc.common | Rc.common | File Deletion 1 | Cached Domain Credentials | System Information Discovery 12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

                              Behavior Graph

                              Legend:

                              • Process
                              • Signature
                              • Created File
                              • DNS/IP Info
                              • Is Dropped
                              • Is Windows Process
                              • Number of created Registry Values
                              • Number of created Files
                              • Visual Basic
                              • Delphi
                              • Java
                              • .Net C# or VB.NET
                              • C, C++ or other language