Analysis Report MEO2x2MUfC

Overview

General Information

Sample Name: MEO2x2MUfC (renamed file extension from none to exe)
Analysis ID: 284404
MD5: 37c1ee5708d1f5e45cea516059fd12f8
SHA1: d9102824ed07a4c29bd364fd0f4e08df1f5dc1d9
SHA256: 90c54543aaf085e00879d4fe98a6dfb8148548f374828d50b6e3ac44668138b2

Detection

Crysis Wadhrama
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Crysis Ransomware
Yara detected Wadhrama Ransomware
Creates an autostart registry key pointing to binary in C:\Windows
Creates files in the recycle bin to hide itself
Deletes shadow drive data (may be related to ransomware)
Drops PE files to the startup folder
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
Writes many files with high entropy
Antivirus or Machine Learning detection for unpacked file
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: MEO2x2MUfC.exe Avira: detected
Antivirus detection for dropped file
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MEO2x2MUfC.exe Avira: detection malicious, Label: TR/Dropper.Gen
Multi AV Scanner detection for submitted file
Source: MEO2x2MUfC.exe Virustotal: Detection: 79%
Source: MEO2x2MUfC.exe ReversingLabs: Detection: 95%
Machine Learning detection for dropped file
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MEO2x2MUfC.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: MEO2x2MUfC.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 11.0.MEO2x2MUfC.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 9.2.MEO2x2MUfC.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 0.0.MEO2x2MUfC.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 11.2.MEO2x2MUfC.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 9.0.MEO2x2MUfC.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: C:\Windows\System32\MEO2x2MUfC.exe Code function: 9_2_00406940 FindFirstFileW, 9_2_00406940

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: MEO2x2MUfC.exe, 00000009.00000002.240543299.000000000077B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Note: the matched string names DirectDrawCreateEx, a DirectDraw (graphics) export rather than a DirectInput call, and hook-definition XML of this form is most likely the analysis environment's own instrumentation resident in process memory rather than sample code. Treat this signature as low confidence; no other keystroke-capture behaviour is evidenced in this report.

Spam, unwanted Advertisements and Ransom Demands:

Yara detected Crysis Ransomware
Source: Yara match File source: Process Memory Space: MEO2x2MUfC.exe PID: 2856, type: MEMORY
Yara detected Wadhrama Ransomware
Source: Yara match File source: MEO2x2MUfC.exe, type: SAMPLE
Source: Yara match File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MEO2x2MUfC.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MEO2x2MUfC.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MEO2x2MUfC.exe, type: DROPPED
Source: Yara match File source: 0.0.MEO2x2MUfC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.MEO2x2MUfC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.MEO2x2MUfC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.MEO2x2MUfC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.MEO2x2MUfC.exe.400000.0.unpack, type: UNPACKEDPE
Deletes shadow drive data (may be related to ransomware)
Source: unknown Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: vssadmin.exe, 00000006.00000002.225336120.000002171BAA0000.00000002.00000001.sdmp Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
Source: vssadmin.exe, 00000006.00000002.225336120.000002171BAA0000.00000002.00000001.sdmp Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
Source: vssadmin.exe, 00000006.00000002.225336120.000002171BAA0000.00000002.00000001.sdmp Binary or memory string: vssadmin Delete Shadows
Source: vssadmin.exe, 00000006.00000002.225336120.000002171BAA0000.00000002.00000001.sdmp Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
Source: vssadmin.exe, 00000006.00000002.225336120.000002171BAA0000.00000002.00000001.sdmp Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
Source: vssadmin.exe, 00000006.00000002.225470669.000002171BD85000.00000004.00000040.sdmp Binary or memory string: vssadmindeleteshadows/all/quiet
Source: vssadmin.exe, 00000006.00000002.225363342.000002171BAB0000.00000004.00000020.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quietvssadmin delete shadows /all /quietWinsta0\Default
Source: vssadmin.exe, 00000006.00000002.225363342.000002171BAB0000.00000004.00000020.sdmp Binary or memory string: vssadmin delete shadows /all /quiet
May disable shadow drive data (uses vssadmin)
Source: unknown Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
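The shadow-copy deletion above is only meaningful together with the process chain that ordered it (the dropper on the desktop spawning cmd.exe, which runs mode.com and then vssadmin.exe). The following is an added detection example written for this report, not code from Joe Sandbox or from the sample. It runs over constructed process-creation events that mirror the report's process tree; PID 2856 is the sample's PID from the report, every other PID/PPID is made up, and the event fields (pid, ppid, image, cmdline) are an assumed schema rather than any particular EDR's. It generalizes beyond the page by also matching the usual wmic/wbadmin/bcdedit equivalents, which this sample did not use.

```python
"""Flag shadow-copy deletion and tie it back to the process that ordered it."""
import re
from typing import Dict, List, Optional

Event = Dict[str, object]

# Only the first pattern occurs in this report; the rest are the usual
# equivalents for inhibiting system recovery (a generalization).
SHADOW_DELETE_PATTERNS = [
    (r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", "vssadmin delete shadows"),
    (r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", "vssadmin resize shadowstorage"),
    (r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", "wmic shadowcopy delete"),
    (r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", "wbadmin delete catalog"),
    (r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b.*\bno\b", "bcdedit recoveryenabled no"),
]
# The report shows "mode con cp select=1251" (Cyrillic code page) issued
# by the same cmd.exe just before vssadmin; a sibling like that raises confidence.
CODEPAGE_SWITCH = re.compile(r"\bmode(\.com)?\s+con\s+cp\s+select=\d+", re.IGNORECASE)

# Constructed events mirroring the report's process tree (PIDs other than 2856 are made up).
EVENTS: List[Event] = [
    {"pid": 1000, "ppid": 500, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2856, "ppid": 1000, "image": r"C:\Users\user\Desktop\MEO2x2MUfC.exe",
     "cmdline": r"'C:\Users\user\Desktop\MEO2x2MUfC.exe'"},
    {"pid": 3010, "ppid": 2856, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"C:\Windows\system32\cmd.exe"},
    {"pid": 3020, "ppid": 3010, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 3030, "ppid": 3010, "image": r"C:\Windows\System32\mode.com", "cmdline": "mode con cp select=1251"},
    {"pid": 3040, "ppid": 3010, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    # Benign control: an administrator listing shadows from an Explorer-launched shell.
    {"pid": 4000, "ppid": 1000, "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin list shadows"},
]


def classify_cmdline(cmdline: str) -> Optional[str]:
    """Return the recovery-inhibition technique a command line implements, or None."""
    for pattern, label in SHADOW_DELETE_PATTERNS:
        if re.search(pattern, cmdline, re.IGNORECASE):
            return label
    return None


def ancestry(event: Event, by_pid: Dict[object, Event]) -> List[str]:
    """Image paths from the event's own process up to the highest parent we know."""
    chain: List[str] = []
    seen = set()
    cur: Optional[Event] = event
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(str(cur["image"]))
        cur = by_pid.get(cur["ppid"])
    return chain


def outside_windows_dir(image: str) -> bool:
    return not image.lower().startswith("c:\\windows\\")


def find_shadow_deletion(events: List[Event]) -> List[Dict[str, object]]:
    """One finding per process whose command line deletes or shrinks shadow copies."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Dict[str, object]] = []
    for e in events:
        label = classify_cmdline(str(e["cmdline"]))
        if label is None:
            continue
        chain = ancestry(e, by_pid)
        # The first ancestor living outside C:\Windows is the likely initiator
        # (here the dropper on the desktop, reached through cmd.exe).
        non_system = [img for img in chain[1:] if outside_windows_dir(img)]
        siblings = [s for s in events if s["ppid"] == e["ppid"] and s["pid"] != e["pid"]]
        codepage = any(CODEPAGE_SWITCH.search(str(s["cmdline"])) for s in siblings)
        findings.append({
            "pid": e["pid"],
            "technique": label,
            "chain": chain,
            "initiator": non_system[0] if non_system else None,
            "codepage_switch_sibling": codepage,
            "severity": "high" if (non_system or codepage) else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_shadow_deletion(EVENTS):
        print(f"[{f['severity']}] pid={f['pid']} {f['technique']} via {' <- '.join(f['chain'])}")
```

The benign `vssadmin list shadows` control is not reported because only deletion/resize verbs match; a legitimate backup agent that does delete shadows would still surface, but with no non-Windows ancestor and no code-page sibling it lands at medium severity for an analyst to allowlist.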
Writes many files with high entropy
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99960506768
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\OFFICE\MySite.ico.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99236208785
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Network\Downloader\edbres00001.jrs.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99986648454
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99987152989
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Network\Downloader\edbres00002.jrs.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.9998310199
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Network\Downloader\edb.log.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99986979089
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99979400686
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\OFFICE\DocumentRepository.ico.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.992196215
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\OFFICE\MySharePoints.ico.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99816702721
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\OFFICE\SharePointPortalSite.ico.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99173295714
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\OFFICE\SharePointTeamSite.ico.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99301360068
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.log.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99711712992
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbtmp.log.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.9972037149
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99967523921
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\User Account Pictures\user.bmp.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99971604381
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\USOShared\Logs\UpdateUx_Temp.1.etl.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99538197656
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb00001.log.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99716593358
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99897180197
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.jtx.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99982057311
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb00007.jtx.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99983708609
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbres00001.jrs.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99980556844
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb00008.jtx.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.9998365594
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb00009.jtx.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99981699198
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbres00002.jrs.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.9998122238
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbtmp.jtx.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99979826859
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00001.jrs.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99668549475
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99731707239
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\dmrc.idx.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99974106615
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db-shm.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99419402904
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Windows Defender\Support\MPLog-20190627-074759.log.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99866181275
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedScenarios\windows.uif_ondemand.xml.inbox.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99981147832
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime.xml.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99959882031
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99965532975
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99967769952
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99971568187
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99955611406
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99970860415
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.999571491
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\customizations.xml.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99975453582
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Provisioning\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\customizations.xml.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99661442987
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99945175703
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000003.db.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99942506119
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99967369771
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190627-012343-00000003-ffffffff.bin.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99441139367
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190627-074759-00000003-ffffffff.bin.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99507994413
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.001.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.9969577386
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.002.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99695689457
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.001.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99861037552
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.002.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99849005529
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-06272019-074918-7-5f-17134.1.amd64fre.rs4_release.180410-1804.etl.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99138003172
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-07232020-100039-7-5f-17134.1.amd64fre.rs4_release.180410-1804.etl.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99261106622
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\cab1.cab.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99982792821
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Package Cache\{19F7E289-17B8-44EC-A099-927507B6F739}v14.21.27702\packages\vcRuntimeMinimum_x86\cab1.cab.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99986690584
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64\cab1.cab.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99982090425
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99976594005
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99975028041
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\cab1.cab.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99988131112
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99905725178
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99866978017
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Package Cache\{19F7E289-17B8-44EC-A099-927507B6F739}v14.21.27702\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.9990619488
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Package Cache\{213668DB-2263-4E2D-ABB8-487FD539130E}v14.21.27702\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99890672347
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99877599605
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99863007865
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99873136945
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99886193135
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99859886281
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99893956155
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99893277998
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99860739304
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Users\Default\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99839246495
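Two things in the list above are worth encoding as a check: every encrypted file follows the Crysis/Dharma naming scheme `<original>.id-<8 hex victim id>.[<contact address>].<new extension>`, and files that should be low-entropy text (XML, .log, .ico, .bmp) come out at roughly 7.99 bits per byte. The following is an added example written for this report, not code from Joe Sandbox or from the sample. It builds a small constructed directory (a plaintext XML, an "encrypted" copy renamed the way the report's files are, and a random-content archive as a false-positive control), scans it, and parses the victim id and contact address out of the names. The victim id 88D1F6DF, the contact address and the `.error` extension come from the names listed above; the file contents and the 7.9 threshold are assumptions.

```python
"""Spot freshly encrypted files by the Crysis/Dharma name pattern and by byte entropy."""
import math
import os
import re
import tempfile
from collections import Counter
from typing import Dict, List, Optional

# <original name>.id-<8 hex>.[<contact e-mail>].<new extension>, as listed in the report.
DHARMA_NAME = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<contact>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_dharma_name(name: str) -> Optional[Dict[str, str]]:
    m = DHARMA_NAME.match(name)
    return m.groupdict() if m else None


def scan_directory(root: str, entropy_threshold: float = 7.9, sample_bytes: int = 65536) -> List[Dict[str, object]]:
    """Flag files that match the ransom naming scheme or whose leading bytes look encrypted."""
    hits: List[Dict[str, object]] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)
            ent = shannon_entropy(head)
            meta = parse_dharma_name(fn)
            if meta is not None or ent >= entropy_threshold:
                hits.append({"path": path, "name": fn, "entropy": round(ent, 3), "name_match": meta})
    return hits


def summarize(hits: List[Dict[str, object]]) -> Dict[str, object]:
    """Name matches are the reliable signal; entropy-only hits need a second look."""
    by_name = [h for h in hits if h["name_match"]]
    return {
        "name_matches": len(by_name),
        "entropy_only": len(hits) - len(by_name),
        "victim_ids": sorted({h["name_match"]["victim_id"] for h in by_name}),
        "contacts": sorted({h["name_match"]["contact"] for h in by_name}),
    }


def build_sample_dir() -> str:
    """Constructed test data (assumption, not files from the analysis)."""
    root = tempfile.mkdtemp(prefix="dharma-scan-")
    xml = b'<?xml version="1.0"?><Customizations><Setting name="x" value="1"/></Customizations>\n' * 64
    with open(os.path.join(root, "customizations.xml"), "wb") as fh:
        fh.write(xml)  # plaintext: well under 8 bits/byte
    enc_name = "customizations.xml.id-88D1F6DF.[datahelp@techmail.info].error"
    with open(os.path.join(root, enc_name), "wb") as fh:
        fh.write(os.urandom(65536))  # stand-in for ciphertext
    with open(os.path.join(root, "photos.zip"), "wb") as fh:
        fh.write(os.urandom(65536))  # compressed data is also near 8 bits/byte
    return root


if __name__ == "__main__":
    sample_root = build_sample_dir()
    found = scan_directory(sample_root)
    for h in found:
        kind = "NAME+ENTROPY" if h["name_match"] else "entropy only"
        print(f"{h['entropy']:.3f}  {kind:13}  {h['name']}")
    print(summarize(found))
```

Entropy alone does not separate ciphertext from already-compressed content: the vcredist installers, .cab and .msi files in the list above would score near 8.0 before encryption too, and so does the constructed photos.zip. The XML, .log, .bmp and .ico entries at 7.99 are the telling ones, and the name pattern is what turns a suspicion into an identification of the family and the victim id.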

System Summary:

Malicious sample detected (through community Yara rule)
Source: MEO2x2MUfC.exe, type: SAMPLE Matched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MEO2x2MUfC.exe, type: DROPPED Matched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MEO2x2MUfC.exe, type: DROPPED Matched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MEO2x2MUfC.exe, type: DROPPED Matched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
Source: 0.0.MEO2x2MUfC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
Source: 11.2.MEO2x2MUfC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
Source: 9.2.MEO2x2MUfC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
Source: 9.0.MEO2x2MUfC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
Source: 11.0.MEO2x2MUfC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
Creates files inside the system directory
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Windows\System32\MEO2x2MUfC.exe
Detected potential crypto function
Source: C:\Windows\System32\MEO2x2MUfC.exe Code function: 9_2_004034C0 9_2_004034C0
Source: C:\Windows\System32\MEO2x2MUfC.exe Code function: 9_2_00403AE0 9_2_00403AE0
Source: C:\Windows\System32\MEO2x2MUfC.exe Code function: 9_2_00405F30 9_2_00405F30
Yara signature match
Source: MEO2x2MUfC.exe, type: SAMPLE Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MEO2x2MUfC.exe, type: DROPPED Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MEO2x2MUfC.exe, type: DROPPED Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MEO2x2MUfC.exe, type: DROPPED Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: 0.0.MEO2x2MUfC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: 11.2.MEO2x2MUfC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: 9.2.MEO2x2MUfC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: 9.0.MEO2x2MUfC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: 11.0.MEO2x2MUfC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: MEO2x2MUfC.exe Static PE information: Section: .data ZLIB complexity 0.991443452381
Source: MEO2x2MUfC.exe.0.dr Static PE information: Section: .data ZLIB complexity 0.991443452381
Source: MEO2x2MUfC.exe0.0.dr Static PE information: Section: .data ZLIB complexity 0.991443452381
Source: MEO2x2MUfC.exe1.0.dr Static PE information: Section: .data ZLIB complexity 0.991443452381
Source: MEO2x2MUfC.exe, 00000000.00000003.435975543.0000000004050000.00000004.00000001.sdmp Binary or memory string: .slk;.sln;.sql;.sr2;.srf;.srw;.sp
Source: classification engine Classification label: mal100.rans.adwa.evad.winEXE@11/1025@0/0
Source: C:\Windows\System32\MEO2x2MUfC.exe Code function: 9_2_00406A00 CreateToolhelp32Snapshot, 9_2_00406A00
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MEO2x2MUfC.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6568:120:WilError_01
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\syncronize_R10T60A
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\syncronize_R10T60U
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WER\Temp\WER5E69.tmp.WERInternalMetadata.xml.id-88D1F6DF.[datahelp@techmail.info].error
Source: MEO2x2MUfC.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File read: C:\$Recycle.Bin\S-1-5-18\desktop.ini
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: MEO2x2MUfC.exe Virustotal: Detection: 79%
Source: MEO2x2MUfC.exe ReversingLabs: Detection: 95%
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File read: C:\Users\user\Desktop\MEO2x2MUfC.exe
Source: unknown Process created: C:\Users\user\Desktop\MEO2x2MUfC.exe 'C:\Users\user\Desktop\MEO2x2MUfC.exe'
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\mode.com mode con cp select=1251
Source: unknown Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: unknown Process created: C:\Windows\System32\MEO2x2MUfC.exe 'C:\Windows\System32\MEO2x2MUfC.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MEO2x2MUfC.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MEO2x2MUfC.exe'
Source: unknown Process created: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe 'C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe' -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode con cp select=1251
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\vssadmin.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\InProcServer32
Source: MEO2x2MUfC.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\crysis\Release\PDB\payload.pdb source: MEO2x2MUfC.exe
Source: Binary string: C:\crysis\Release\PDB\payload.pdb' source: MEO2x2MUfC.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\MEO2x2MUfC.exe Code function: 9_2_004065E0 LoadLibraryA,GetProcAddress, 9_2_004065E0

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: unknown Executable created and started: C:\Windows\System32\MEO2x2MUfC.exe
Drops PE files
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Windows\System32\MEO2x2MUfC.exe Jump to dropped file
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MEO2x2MUfC.exe Jump to dropped file
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MEO2x2MUfC.exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MEO2x2MUfC.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Windows\System32\MEO2x2MUfC.exe Jump to dropped file

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MEO2x2MUfC.exe Jump to behavior
Drops PE files to the startup folder
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MEO2x2MUfC.exe Jump to dropped file
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MEO2x2MUfC.exe Jump to dropped file
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MEO2x2MUfC.exe Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MEO2x2MUfC.exe Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\MEO2x2MUfC.exe Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Access 2016.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Paint.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Wordpad.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Acrobat Reader DC.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Examples.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\About Java.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Configure Java.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Get Help.url.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Excel 2016.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Visit Java.com.url.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\desktop.ini.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\OneNote 2016.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\desktop.ini.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Outlook 2016.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Desktop.ini.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PowerPoint 2016.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Publisher 2016.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Word 2016.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\03 - Documents.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\04 - Downloads.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\01 - File Explorer.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\05 - Music.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\06 - Pictures.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\07 - Videos.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\08 - Homegroup.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\09 - Network.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\desktop.ini.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\10 - UserProfile.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Desktop.ini.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Quick Assist.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\desktop.ini.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Speech Recognition.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Math Input Panel.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\desktop.ini.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Snipping Tool.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Steps Recorder.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Windows Fax and Scan.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Windows Media Player.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\dfrgui.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\iSCSI Initiator.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Event Viewer.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Disk Cleanup.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Resource Monitor.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Print Management.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\RecoveryDrive.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\services.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Task Scheduler.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\AutoIt Help File.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\AutoIt Window Info (x64).lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\AutoIt Window Info (x86).lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Check For Updates.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\AutoIt v3 Website.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\Browse Extras.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Run Script (x64).lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Run Script (x86).lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\SciTE Script Editor.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Immersive Control Panel.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Check For Updates.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\OneDrive for Business.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Skype for Business 2016.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Task Manager.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\Character Map.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Component Services.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Computer Management.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Memory Diagnostics Tool.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\ODBC Data Sources (64-bit).lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\ODBC Data Sources (32-bit).lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Performance Monitor.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Security Configuration Management.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\System Configuration.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\System Information.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Compile Script to .exe (x64).lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Compile Script to .exe (x86).lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\AutoItX\AutoItX Help File.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\AutoItX\VBScript Examples.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\Database Compare 2016.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\Office 2016 Upload Center.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\Spreadsheet Compare 2016.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\Office 2016 Language Preferences.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Windows Defender Firewall with Advanced Security.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\Skype for Business Recording Manager.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\Telemetry Dashboard for Office 2016.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\Telemetry Log for Office 2016.lnk.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MEO2x2MUfC.exe Jump to behavior
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MEO2x2MUfC.exe Jump to behavior
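
Every encrypted file listed above carries the same suffix, `.id-88D1F6DF.[datahelp@techmail.info].error`: the per-victim ID, the attacker contact address and the new extension, appended to the original name. The long runs of `Application Data` in the paths are, by this reading, the encryptor walking the self-referencing `C:\ProgramData\Application Data` compatibility junction, so many listed paths are the same physical file under a legacy alias and should be collapsed before they become indicators. The Python below is an added example, not part of the report: it parses the naming scheme, collapses the junction loop, and maps the legacy alias paths onto the directories they resolve to on a default Vista-and-later installation (the junction table is an assumption about that default layout; verify with `dir /AL` on the host). The sample paths are a constructed subset with the same shapes as the report's.

```python
import re
from collections import Counter

# Constructed subset of the report's paths; the last entry is a dropped copy of
# the sample, not an encrypted file, and must not match.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Start Menu\Programs\Word 2016.lnk.id-88D1F6DF.[datahelp@techmail.info].error",
    r"C:\Documents and Settings\All Users\Application Data\Application Data\Microsoft\Windows\Start Menu Places\09 - Network.lnk.id-88D1F6DF.[datahelp@techmail.info].error",
    r"C:\Documents and Settings\All Users\Application Data\Start Menu\Programs\Java\Get Help.url.id-88D1F6DF.[datahelp@techmail.info].error",
    r"C:\$Recycle.Bin\S-1-5-18\desktop.ini.id-88D1F6DF.[datahelp@techmail.info].error",
    r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MEO2x2MUfC.exe",
]

# <original name>.id-<8 hex digits>.[<contact address>].<extension>
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<contact>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)

# Assumed default compatibility junctions (Windows Vista and later), longest alias first.
LEGACY_JUNCTIONS = [
    (r"C:\Documents and Settings\All Users\Application Data", r"C:\ProgramData"),
    (r"C:\ProgramData\Start Menu", r"C:\ProgramData\Microsoft\Windows\Start Menu"),
]


def parse_encrypted_name(path):
    """Return the naming-scheme fields for an encrypted file, or None."""
    m = ENCRYPTED_NAME.match(path.rsplit("\\", 1)[-1])
    return m.groupdict() if m else None


def collapse_junction_loop(path, segment="application data"):
    """Squash runs of the self-referencing junction; return (path, loops removed)."""
    out, loops = [], 0
    for part in path.split("\\"):
        if part.lower() == segment and out and out[-1].lower() == segment:
            loops += 1
            continue
        out.append(part)
    return "\\".join(out), loops


def resolve_legacy(path):
    """Map a legacy alias path onto the directory it really lands in."""
    p, _ = collapse_junction_loop(path)
    for alias, target in LEGACY_JUNCTIONS:
        if p.lower().startswith(alias.lower() + "\\"):
            p = target + p[len(alias):]
    return p


def summarize(paths):
    """Aggregate victim IDs, contacts, extensions and distinct physical files."""
    ids, contacts, exts = Counter(), Counter(), Counter()
    physical, deepest = set(), 0
    for path in paths:
        info = parse_encrypted_name(path)
        if info is None:
            continue
        ids[info["victim_id"]] += 1
        contacts[info["contact"]] += 1
        exts[info["ext"]] += 1
        physical.add(resolve_legacy(path))
        deepest = max(deepest, collapse_junction_loop(path)[1])
    return {"encrypted": sum(ids.values()), "victim_ids": dict(ids),
            "contacts": dict(contacts), "extensions": dict(exts),
            "distinct_physical_paths": len(physical), "deepest_junction_loop": deepest}


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_PATHS).items():
        print(f"{k}: {v}")
```

Run over the full list in this report, `summarize` yields one victim ID, one contact address and one extension, which are the three strings worth carrying into a file-name indicator, while the resolved paths show that the shortcuts under `C:\ProgramData\Microsoft\Windows\Start Menu` were each encrypted once, however many alias paths the trace recorded for them.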

Hooking and other Techniques for Hiding and Protection:

Creates files in the recycle bin to hide itself
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe File created: C:\$Recycle.Bin\S-1-5-18\desktop.ini.id-88D1F6DF.[datahelp@techmail.info].error Jump to behavior

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\MEO2x2MUfC.exe Code function: 9_2_004053B0 rdtsc 9_2_004053B0
Contains functionality to enumerate running services
Source: C:\Windows\System32\MEO2x2MUfC.exe Code function: EnumServicesStatusExW, 9_2_00406AF0
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe TID: 6580 Thread sleep count: 70 > 30
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe TID: 6556 Thread sleep count: 47 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe Last function: Thread delayed
Source: C:\Windows\System32\MEO2x2MUfC.exe Code function: 9_2_00406940 FindFirstFileW, 9_2_00406940
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\MEO2x2MUfC.exe Code function: 9_2_004053B0 rdtsc 9_2_004053B0
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\MEO2x2MUfC.exe Code function: 9_2_004065E0 LoadLibraryA,GetProcAddress, 9_2_004065E0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\MEO2x2MUfC.exe Code function: 9_2_00406950 GetProcessHeap, 9_2_00406950

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode con cp select=1251
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\MEO2x2MUfC.exe Code function: 9_2_004068A0 GetVersion, 9_2_004068A0