
Analysis Report MEO2x2MUfC

Overview

General Information

Sample Name: MEO2x2MUfC (renamed file extension from none to exe)
Analysis ID: 284404
MD5: 37c1ee5708d1f5e45cea516059fd12f8
SHA1: d9102824ed07a4c29bd364fd0f4e08df1f5dc1d9
SHA256: 90c54543aaf085e00879d4fe98a6dfb8148548f374828d50b6e3ac44668138b2


Detection

Crysis Wadhrama
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Crysis Ransomware
Yara detected Wadhrama Ransomware
Creates an autostart registry key pointing to binary in C:\Windows
Creates files in the recycle bin to hide itself
Deletes shadow drive data (may be related to ransomware)
Drops PE files to the startup folder
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
Writes many files with high entropy
Antivirus or Machine Learning detection for unpacked file
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Yara signature match

Classification

Startup

  • System is w10x64
  • MEO2x2MUfC.exe (PID: 6520 cmdline: 'C:\Users\user\Desktop\MEO2x2MUfC.exe' MD5: 37C1EE5708D1F5E45CEA516059FD12F8)
    • cmd.exe (PID: 6544 cmdline: C:\Windows\system32\cmd.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 6568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • mode.com (PID: 6716 cmdline: mode con cp select=1251 MD5: 1A3D2D975EB4A5AF22768F1E23C9A83C)
      • vssadmin.exe (PID: 6884 cmdline: vssadmin delete shadows /all /quiet MD5: 47D51216EF45075B5F7EAA117CC70E40)
  • MEO2x2MUfC.exe (PID: 7096 cmdline: 'C:\Windows\System32\MEO2x2MUfC.exe' MD5: 37C1EE5708D1F5E45CEA516059FD12F8)
  • MEO2x2MUfC.exe (PID: 2856 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MEO2x2MUfC.exe' MD5: 37C1EE5708D1F5E45CEA516059FD12F8)
  • SearchUI.exe (PID: 6528 cmdline: 'C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe' -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca MD5: C4A9ACE9CDB9E5DB7CBA996CFA9EA7A2)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author
MEO2x2MUfC.exe | MAL_Ransomware_Wadhrama | Detects Wadhrama Ransomware via Imphash | Florian Roth
MEO2x2MUfC.exe | JoeSecurity_Wadhrama | Yara detected Wadhrama Ransomware | Joe Security

Dropped Files

Source | Rule | Description | Author
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MEO2x2MUfC.exe | MAL_Ransomware_Wadhrama | Detects Wadhrama Ransomware via Imphash | Florian Roth
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MEO2x2MUfC.exe | JoeSecurity_Wadhrama | Yara detected Wadhrama Ransomware | Joe Security
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MEO2x2MUfC.exe | MAL_Ransomware_Wadhrama | Detects Wadhrama Ransomware via Imphash | Florian Roth
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MEO2x2MUfC.exe | JoeSecurity_Wadhrama | Yara detected Wadhrama Ransomware | Joe Security
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MEO2x2MUfC.exe | MAL_Ransomware_Wadhrama | Detects Wadhrama Ransomware via Imphash | Florian Roth

Memory Dumps

Source | Rule | Description | Author
Process Memory Space: MEO2x2MUfC.exe PID: 2856 | JoeSecurity_Crysis | Yara detected Crysis Ransomware | Joe Security

Unpacked PEs

Source | Rule | Description | Author
0.0.MEO2x2MUfC.exe.400000.0.unpack | MAL_Ransomware_Wadhrama | Detects Wadhrama Ransomware via Imphash | Florian Roth
0.0.MEO2x2MUfC.exe.400000.0.unpack | JoeSecurity_Wadhrama | Yara detected Wadhrama Ransomware | Joe Security
11.2.MEO2x2MUfC.exe.400000.0.unpack | MAL_Ransomware_Wadhrama | Detects Wadhrama Ransomware via Imphash | Florian Roth
11.2.MEO2x2MUfC.exe.400000.0.unpack | JoeSecurity_Wadhrama | Yara detected Wadhrama Ransomware | Joe Security
9.2.MEO2x2MUfC.exe.400000.0.unpack | MAL_Ransomware_Wadhrama | Detects Wadhrama Ransomware via Imphash | Florian Roth

Sigma Overview

No Sigma rule has matched

Signature Overview

                            AV Detection:

Antivirus / Scanner detection for submitted sample
Source: MEO2x2MUfC.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MEO2x2MUfC.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Multi AV Scanner detection for submitted file
Source: MEO2x2MUfC.exe | Virustotal: Detection: 79%
Source: MEO2x2MUfC.exe | ReversingLabs: Detection: 95%
Machine Learning detection for dropped file
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MEO2x2MUfC.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: MEO2x2MUfC.exe | Joe Sandbox ML: detected
Source: 11.0.MEO2x2MUfC.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 9.2.MEO2x2MUfC.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.0.MEO2x2MUfC.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 11.2.MEO2x2MUfC.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 9.0.MEO2x2MUfC.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: C:\Windows\System32\MEO2x2MUfC.exe | Code function: 9_2_00406940 FindFirstFileW,
Source: MEO2x2MUfC.exe, 00000009.00000002.240543299.000000000077B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                            Spam, unwanted Advertisements and Ransom Demands:

Yara detected Crysis Ransomware
Source: Yara match | File source: Process Memory Space: MEO2x2MUfC.exe PID: 2856, type: MEMORY
Yara detected Wadhrama Ransomware
Source: Yara match | File source: MEO2x2MUfC.exe, type: SAMPLE
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MEO2x2MUfC.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MEO2x2MUfC.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MEO2x2MUfC.exe, type: DROPPED
Source: Yara match | File source: 0.0.MEO2x2MUfC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.MEO2x2MUfC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.MEO2x2MUfC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.MEO2x2MUfC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.MEO2x2MUfC.exe.400000.0.unpack, type: UNPACKEDPE
Deletes shadow drive data (may be related to ransomware)
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: vssadmin.exe, 00000006.00000002.225336120.000002171BAA0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
Source: vssadmin.exe, 00000006.00000002.225336120.000002171BAA0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
Source: vssadmin.exe, 00000006.00000002.225336120.000002171BAA0000.00000002.00000001.sdmp | Binary or memory string: vssadmin Delete Shadows
Source: vssadmin.exe, 00000006.00000002.225336120.000002171BAA0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
Source: vssadmin.exe, 00000006.00000002.225336120.000002171BAA0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
Source: vssadmin.exe, 00000006.00000002.225470669.000002171BD85000.00000004.00000040.sdmp | Binary or memory string: vssadmindeleteshadows/all/quiet
Source: vssadmin.exe, 00000006.00000002.225363342.000002171BAB0000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quietvssadmin delete shadows /all /quietWinsta0\Default
Source: vssadmin.exe, 00000006.00000002.225363342.000002171BAB0000.00000004.00000020.sdmp | Binary or memory string: vssadmin delete shadows /all /quiet
May disable shadow drive data (uses vssadmin)
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Writes many files with high entropy
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99960506768
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\OFFICE\MySite.ico.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99236208785
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Network\Downloader\edbres00001.jrs.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99986648454
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99987152989
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Network\Downloader\edbres00002.jrs.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.9998310199
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Network\Downloader\edb.log.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99986979089
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99979400686
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\OFFICE\DocumentRepository.ico.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.992196215
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\OFFICE\MySharePoints.ico.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99816702721
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\OFFICE\SharePointPortalSite.ico.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99173295714
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\OFFICE\SharePointTeamSite.ico.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99301360068
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.log.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99711712992
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbtmp.log.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.9972037149
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99967523921
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\User Account Pictures\user.bmp.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99971604381
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\USOShared\Logs\UpdateUx_Temp.1.etl.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99538197656
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb00001.log.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99716593358
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99897180197
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.jtx.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99982057311
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb00007.jtx.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99983708609
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbres00001.jrs.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99980556844
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb00008.jtx.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.9998365594
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb00009.jtx.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99981699198
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbres00002.jrs.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.9998122238
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbtmp.jtx.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99979826859
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00001.jrs.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99668549475
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99731707239
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\dmrc.idx.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99974106615
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db-shm.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99419402904
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Support\MPLog-20190627-074759.log.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99866181275
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedScenarios\windows.uif_ondemand.xml.inbox.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99981147832
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime.xml.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99959882031
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99965532975
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99967769952
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99971568187
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99955611406
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99970860415
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.999571491
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\customizations.xml.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99975453582
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Provisioning\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\customizations.xml.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99661442987
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99945175703
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000003.db.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99942506119
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99967369771
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190627-012343-00000003-ffffffff.bin.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99441139367
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190627-074759-00000003-ffffffff.bin.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99507994413
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.001.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.9969577386
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.002.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99695689457
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.001.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99861037552
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.002.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99849005529
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-06272019-074918-7-5f-17134.1.amd64fre.rs4_release.180410-1804.etl.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99138003172
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\SHS-07232020-100039-7-5f-17134.1.amd64fre.rs4_release.180410-1804.etl.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99261106622
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\cab1.cab.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99982792821
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Package Cache\{19F7E289-17B8-44EC-A099-927507B6F739}v14.21.27702\packages\vcRuntimeMinimum_x86\cab1.cab.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99986690584
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64\cab1.cab.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99982090425
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99976594005
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99975028041
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\cab1.cab.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99988131112
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99905725178
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99866978017
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Package Cache\{19F7E289-17B8-44EC-A099-927507B6F739}v14.21.27702\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.9990619488
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Package Cache\{213668DB-2263-4E2D-ABB8-487FD539130E}v14.21.27702\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99890672347
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99877599605
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99863007865
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99873136945
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99886193135
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99859886281
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99893956155
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99893277998
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99860739304
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Users\Default\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml.id-88D1F6DF.[datahelp@techmail.info].error entropy: 7.99839246495

                            System Summary:

Malicious sample detected (through community Yara rule)
Source: MEO2x2MUfC.exe, type: SAMPLE | Matched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MEO2x2MUfC.exe, type: DROPPED | Matched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MEO2x2MUfC.exe, type: DROPPED | Matched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MEO2x2MUfC.exe, type: DROPPED | Matched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
Source: 0.0.MEO2x2MUfC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
Source: 11.2.MEO2x2MUfC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
Source: 9.2.MEO2x2MUfC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
Source: 9.0.MEO2x2MUfC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
Source: 11.0.MEO2x2MUfC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Windows\System32\MEO2x2MUfC.exe
Source: C:\Windows\System32\MEO2x2MUfC.exe | Code function: 9_2_004034C0
Source: C:\Windows\System32\MEO2x2MUfC.exe | Code function: 9_2_00403AE0
Source: C:\Windows\System32\MEO2x2MUfC.exe | Code function: 9_2_00405F30
Source: MEO2x2MUfC.exe, type: SAMPLE | Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MEO2x2MUfC.exe, type: DROPPED | Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MEO2x2MUfC.exe, type: DROPPED | Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MEO2x2MUfC.exe, type: DROPPED | Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: 0.0.MEO2x2MUfC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: 11.2.MEO2x2MUfC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: 9.2.MEO2x2MUfC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: 9.0.MEO2x2MUfC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: 11.0.MEO2x2MUfC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: MEO2x2MUfC.exe | Static PE information: Section: .data ZLIB complexity 0.991443452381
Source: MEO2x2MUfC.exe.0.dr | Static PE information: Section: .data ZLIB complexity 0.991443452381
Source: MEO2x2MUfC.exe0.0.dr | Static PE information: Section: .data ZLIB complexity 0.991443452381
                            Source: MEO2x2MUfC.exe1.0.drStatic PE information: Section: .data ZLIB complexity 0.991443452381
                            Source: MEO2x2MUfC.exe, 00000000.00000003.435975543.0000000004050000.00000004.00000001.sdmpBinary or memory string: .slk;.sln;.sql;.sr2;.srf;.srw;.sp
                            Source: classification engineClassification label: mal100.rans.adwa.evad.winEXE@11/1025@0/0
                            Source: C:\Windows\System32\MEO2x2MUfC.exeCode function: 9_2_00406A00 CreateToolhelp32Snapshot,
                            Source: C:\Users\user\Desktop\MEO2x2MUfC.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MEO2x2MUfC.exeJump to behavior
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6568:120:WilError_01
                            Source: C:\Users\user\Desktop\MEO2x2MUfC.exeMutant created: \Sessions\1\BaseNamedObjects\Global\syncronize_R10T60A
                            Source: C:\Users\user\Desktop\MEO2x2MUfC.exeMutant created: \Sessions\1\BaseNamedObjects\Global\syncronize_R10T60U
                            Source: C:\Users\user\Desktop\MEO2x2MUfC.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WER\Temp\WER5E69.tmp.WERInternalMetadata.xml.id-88D1F6DF.[datahelp@techmail.info].errorJump to behavior
                            Source: MEO2x2MUfC.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                            Source: C:\Users\user\Desktop\MEO2x2MUfC.exeFile read: C:\$Recycle.Bin\S-1-5-18\desktop.iniJump to behavior
                            Source: C:\Users\user\Desktop\MEO2x2MUfC.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                            Source: MEO2x2MUfC.exeVirustotal: Detection: 79%
                            Source: MEO2x2MUfC.exeReversingLabs: Detection: 95%
                            Source: C:\Users\user\Desktop\MEO2x2MUfC.exeFile read: C:\Users\user\Desktop\MEO2x2MUfC.exeJump to behavior
                            Source: unknownProcess created: C:\Users\user\Desktop\MEO2x2MUfC.exe 'C:\Users\user\Desktop\MEO2x2MUfC.exe'
                            Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
                            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: unknownProcess created: C:\Windows\System32\mode.com mode con cp select=1251
                            Source: unknownProcess created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
                            Source: unknownProcess created: C:\Windows\System32\MEO2x2MUfC.exe 'C:\Windows\System32\MEO2x2MUfC.exe'
                            Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MEO2x2MUfC.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MEO2x2MUfC.exe'
                            Source: unknownProcess created: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe 'C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe' -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
                            Source: C:\Users\user\Desktop\MEO2x2MUfC.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\mode.com mode con cp select=1251
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
                            Source: C:\Windows\System32\vssadmin.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\InProcServer32
                            Source: MEO2x2MUfC.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                            Source: Binary string: C:\crysis\Release\PDB\payload.pdb source: MEO2x2MUfC.exe
                            Source: Binary string: C:\crysis\Release\PDB\payload.pdb' source: MEO2x2MUfC.exe
                            Source: C:\Windows\System32\MEO2x2MUfC.exeCode function: 9_2_004065E0 LoadLibraryA,GetProcAddress,
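The MAL_Ransomware_Wadhrama matches listed above fire on the sample's import hash rather than on its bytes, which is why the unpacked memory images and every dropped copy match the same rule. The Python below is an added example, not Joe Sandbox code and not the rule author's: it reimplements the imphash normalisation (module name lower-cased with .dll/.ocx/.sys stripped, function name lower-cased, ordinals resolved to names where a table exists and written as ordN otherwise, tokens joined with commas in import-table order, then MD5) on a constructed import list, so the reason a rebuilt variant with the same import table keeps the same hash, while a reordered or padded import table breaks the match, is visible. Reading a real import table out of a PE is left to a parser such as pefile; DEMO_IMPORTS is not this sample's import table and ORDINAL_NAMES is abridged.

```python
"""Import hash (imphash) as used by the Wadhrama YARA rule.

Added example, not Joe Sandbox or the rule author's code. DEMO_IMPORTS is a
CONSTRUCTED import list, not this sample's real import table; ORDINAL_NAMES is
abridged (a full PE parser such as pefile ships complete tables).
"""
import hashlib

# Libraries commonly imported by ordinal; imphash resolves these to names so
# that name-vs-ordinal linking of the same function does not change the hash.
ORDINAL_NAMES = {
    "ws2_32": {1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 23: "socket"},
    "oleaut32": {2: "SysAllocString", 6: "SysFreeString"},
}
STRIPPED_EXTS = ("dll", "ocx", "sys")


def normalise(dll, func):
    """One import entry -> the 'module.function' token that imphash hashes."""
    mod = dll.lower()
    base, _, ext = mod.rpartition(".")
    if base and ext in STRIPPED_EXTS:
        mod = base
    if isinstance(func, int):  # import by ordinal
        func = ORDINAL_NAMES.get(mod, {}).get(func) or f"ord{func}"
    return f"{mod}.{func.lower()}"


def imphash_string(imports):
    """imports: [(dll, name_or_ordinal), ...] in import-table order; order matters."""
    return ",".join(normalise(d, f) for d, f in imports)


def imphash(imports):
    """Hex MD5 of the normalised import string."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Constructed import table: the three APIs the report's code-function lines
# name, plus two ordinal imports to exercise the lookup path.
DEMO_IMPORTS = [
    ("KERNEL32.dll", "LoadLibraryA"),
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "CreateToolhelp32Snapshot"),
    ("WS2_32.dll", 23),
    ("OLEAUT32.dll", 2),
]

if __name__ == "__main__":
    print(imphash_string(DEMO_IMPORTS))
    print(imphash(DEMO_IMPORTS))
```

Because the hash covers only the normalised import list, a packer that rebuilds the import table, or a build that links the same functions in a different order, evades an imphash-only rule; that is the caveat to keep in mind when a rule like this is the only thing that matched.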

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: unknown | Executable created and started: C:\Windows\System32\MEO2x2MUfC.exe
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Windows\System32\MEO2x2MUfC.exe
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MEO2x2MUfC.exe
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MEO2x2MUfC.exe
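The behaviours this report lists map onto a handful of endpoint-log rules: cmd.exe spawned by the sample runs mode.com and vssadmin delete shadows /all /quiet, the sample copies itself into C:\Windows\System32 and both Startup folders and then starts the copy, it registers a Run value (listed under Boot Survival below) pointing into C:\Windows, and every encrypted file is renamed to <original>.id-<8 hex>.[<contact>].error. The block below is an added example, not Joe Sandbox code. EVENTS is a constructed Sysmon-style trace that mirrors this report; the Run value data is assumed to be the System32 copy, since the report shows only the value name; and the wmic shadowcopy delete pattern is a generalisation beyond what this report shows.

```python
"""Behavioural rules over process, file and registry events.

Added example, not Joe Sandbox code. EVENTS is a CONSTRUCTED Sysmon-style
trace mirroring this report; field names follow Sysmon (Image, CommandLine,
ParentImage, TargetFilename, TargetObject, Details). The Run value data is an
ASSUMPTION: the report lists only the value name MEO2x2MUfC.exe.
"""
import re

# Built-in tools that discard Volume Shadow Copies. vssadmin is what this
# report shows; the wmic form is added as the usual equivalent.
SHADOW_KILLERS = (
    ("vssadmin.exe", "delete shadows"),
    ("wmic.exe", "shadowcopy delete"),
)
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
# Crysis/Dharma naming seen in this report: <orig>.id-<8 hex>.[<contact>].<ext>
CRYSIS_NAME = re.compile(
    r"\.id-(?P<vid>[0-9A-Fa-f]{8})\.\[(?P<contact>[^\]]+@[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)


def _low(s):
    return (s or "").lower()


def detect(events):
    """Return (rule_name, detail) tuples in the order the events fire them."""
    findings = []
    dropped = set()  # lower-cased .exe paths written by a process running from a user profile
    for ev in events:
        kind = ev["EventType"]
        if kind == "ProcessCreate":
            img, cmd = _low(ev["Image"]), _low(ev["CommandLine"])
            for exe, marker in SHADOW_KILLERS:
                if img.endswith("\\" + exe) and marker in cmd:
                    findings.append(("shadow_copy_deletion", ev["CommandLine"]))
            if img in dropped:  # a copy this trace saw being written is now running
                findings.append(("dropped_copy_executed", ev["Image"]))
        elif kind == "FileCreate":
            target, writer = _low(ev["TargetFilename"]), _low(ev["Image"])
            in_system = target.startswith("c:\\windows\\") or STARTUP_DIR in target
            if target.endswith(".exe") and "\\users\\" in writer and in_system:
                dropped.add(target)
                findings.append(("exe_dropped_to_windows_or_startup", ev["TargetFilename"]))
            m = CRYSIS_NAME.search(ev["TargetFilename"])
            if m:  # victim id and contact address are what IR needs first
                findings.append(("crysis_encrypted_file", (m["vid"], m["contact"], m["ext"])))
        elif kind == "RegistryValueSet":
            if RUN_KEY in _low(ev["TargetObject"]) and _low(ev["Details"]).startswith("c:\\windows\\"):
                findings.append(("run_key_to_windows_dir", ev["Details"]))
    return findings


SAMPLE = "C:\\Users\\user\\Desktop\\MEO2x2MUfC.exe"
SYS32_COPY = "C:\\Windows\\System32\\MEO2x2MUfC.exe"
STARTUP_COPY = "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MEO2x2MUfC.exe"
CMD = "C:\\Windows\\System32\\cmd.exe"

# Constructed trace mirroring the report's process tree, drops and Run value.
EVENTS = [
    {"EventType": "FileCreate", "Image": SAMPLE, "TargetFilename": SYS32_COPY},
    {"EventType": "FileCreate", "Image": SAMPLE, "TargetFilename": STARTUP_COPY},
    {"EventType": "ProcessCreate", "Image": CMD, "CommandLine": "C:\\Windows\\system32\\cmd.exe", "ParentImage": SAMPLE},
    {"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\mode.com", "CommandLine": "mode con cp select=1251", "ParentImage": CMD},
    {"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin delete shadows /all /quiet", "ParentImage": CMD},
    {"EventType": "ProcessCreate", "Image": SYS32_COPY, "CommandLine": "'" + SYS32_COPY + "'", "ParentImage": SAMPLE},
    {"EventType": "RegistryValueSet", "Image": SAMPLE, "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\MEO2x2MUfC.exe", "Details": SYS32_COPY},  # data assumed
    {"EventType": "FileCreate", "Image": SAMPLE, "TargetFilename": "C:\\Users\\user\\Documents\\report.docx.id-88D1F6DF.[datahelp@techmail.info].error"},
]

if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule:34} {detail}")
```

The mode.com line is deliberately not a rule on its own: switching the console to code page 1251 is only suspicious in combination with the rest of the chain, and a rule on it alone would page on every Cyrillic-locale batch file. The shadow-copy rule, by contrast, is worth alerting on unconditionally, since the report shows the deletion happening before the dropped copies are even started.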

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MEO2x2MUfC.exe
Drops PE files to the startup folder
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\MEO2x2MUfC.exe
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MEO2x2MUfC.exe
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\MEO2x2MUfC.exe
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Access 2016.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Paint.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Wordpad.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Acrobat Reader DC.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Examples.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\About Java.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Configure Java.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Get Help.url.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Excel 2016.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Visit Java.com.url.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\desktop.ini.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\OneNote 2016.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\desktop.ini.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Outlook 2016.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Desktop.ini.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PowerPoint 2016.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Publisher 2016.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Word 2016.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\03 - Documents.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\04 - Downloads.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\01 - File Explorer.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\05 - Music.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\06 - Pictures.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\07 - Videos.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\08 - Homegroup.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\09 - Network.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\desktop.ini.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\10 - UserProfile.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Desktop.ini.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Quick Assist.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\desktop.ini.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Speech Recognition.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Math Input Panel.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\desktop.ini.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Snipping Tool.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Steps Recorder.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Windows Fax and Scan.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Windows Media Player.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\dfrgui.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\iSCSI Initiator.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Event Viewer.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Disk Cleanup.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Resource Monitor.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Print Management.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\RecoveryDrive.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\services.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Task Scheduler.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\AutoIt Help File.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\AutoIt Window Info (x64).lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\AutoIt Window Info (x86).lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Check For Updates.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\AutoIt v3 Website.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\Browse Extras.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Run Script (x64).lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Run Script (x86).lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\SciTE Script Editor.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Immersive Control Panel.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Check For Updates.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\OneDrive for Business.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Skype for Business 2016.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Task Manager.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\Character Map.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Component Services.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Computer Management.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Memory Diagnostics Tool.lnk.id-88D1F6DF.[datahelp@techmail.info].error
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\ODBC Data Sources (64-bit).lnk.id-88D1F6DF.[datahelp@techmail.info].error
                            Source: C:\Users\user\Desktop\MEO2x2MUfC.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\ODBC Data Sources (64-bit).lnk.id-88D1F6DF.[datahelp@techmail.info].errorJump to behavior
                            Source: C:\Users\user\Desktop\MEO2x2MUfC.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\ODBC Data Sources (32-bit).lnk.id-88D1F6DF.[datahelp@techmail.info].errorJump to behavior
                            Source: C:\Users\user\Desktop\MEO2x2MUfC.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Performance Monitor.lnk.id-88D1F6DF.[datahelp@techmail.info].errorJump to behavior
                            Source: C:\Users\user\Desktop\MEO2x2MUfC.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Security Configuration Management.lnk.id-88D1F6DF.[datahelp@techmail.info].errorJump to behavior
                            Source: C:\Users\user\Desktop\MEO2x2MUfC.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\System Configuration.lnk.id-88D1F6DF.[datahelp@techmail.info].errorJump to behavior
                            Source: C:\Users\user\Desktop\MEO2x2MUfC.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\System Information.lnk.id-88D1F6DF.[datahelp@techmail.info].errorJump to behavior
                            Source: C:\Users\user\Desktop\MEO2x2MUfC.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Compile Script to .exe (x64).lnk.id-88D1F6DF.[datahelp@techmail.info].errorJump to behavior
                            Source: C:\Users\user\Desktop\MEO2x2MUfC.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Compile Script to .exe (x86).lnk.id-88D1F6DF.[datahelp@techmail.info].errorJump to behavior
                            Source: C:\Users\user\Desktop\MEO2x2MUfC.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\AutoItX\AutoItX Help File.lnk.id-88D1F6DF.[datahelp@techmail.info].errorJump to behavior
                            Source: C:\Users\user\Desktop\MEO2x2MUfC.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\AutoItX\VBScript Examples.lnk.id-88D1F6DF.[datahelp@techmail.info].errorJump to behavior
                            Source: C:\Users\user\Desktop\MEO2x2MUfC.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\Database Compare 2016.lnk.id-88D1F6DF.[datahelp@techmail.info].errorJump to behavior
                            Source: C:\Users\user\Desktop\MEO2x2MUfC.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\Office 2016 Upload Center.lnk.id-88D1F6DF.[datahelp@techmail.info].errorJump to behavior
                            Source: C:\Users\user\Desktop\MEO2x2MUfC.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\Spreadsheet Compare 2016.lnk.id-88D1F6DF.[datahelp@techmail.info].errorJump to behavior
                            Source: C:\Users\user\Desktop\MEO2x2MUfC.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\Office 2016 Language Preferences.lnk.id-88D1F6DF.[datahelp@techmail.info].errorJump to behavior
                            Source: C:\Users\user\Desktop\MEO2x2MUfC.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Windows Defender Firewall with Advanced Security.lnk.id-88D1F6DF.[datahelp@techmail.info].errorJump to behavior
                            Source: C:\Users\user\Desktop\MEO2x2MUfC.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\Skype for Business Recording Manager.lnk.id-88D1F6DF.[datahelp@techmail.info].errorJump to behavior
                            Source: C:\Users\user\Desktop\MEO2x2MUfC.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\Telemetry Dashboard for Office 2016.lnk.id-88D1F6DF.[datahelp@techmail.info].errorJump to behavior
                            Source: C:\Users\user\Desktop\MEO2x2MUfC.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\Telemetry Log for Office 2016.lnk.id-88D1F6DF.[datahelp@techmail.info].errorJump to behavior
                            Source: C:\Users\user\Desktop\MEO2x2MUfC.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MEO2x2MUfC.exeJump to behavior
                            Source: C:\Users\user\Desktop\MEO2x2MUfC.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MEO2x2MUfC.exeJump to behavior
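The "File created" rows above are the most useful triage material on this page: the encrypted filename encodes the victim ID and the attacker contact, and the path depth shows the junction loop. The following Python is an added example, not part of the sandbox report or of the malware, that parses such rows as the page extracts them (columns run together, trailing "Jump to behavior" link), splits the Crysis-style name into its components, groups results by victim ID and contact, and measures how deep the encryptor recursed through the Application Data junction. The 8-hex-digit ID format and the bracketed contact are my assumptions, true for every row on this page; the sample rows are constructed from the report plus one dropped PE that must be ignored.

```python
import re
from collections import Counter, defaultdict

# Encrypted-file naming used throughout this report:
#   <original name>.id-<victim id>.[<contact e-mail>].<appended extension>
# Assumption (mine, not stated by the report): the id is 8 hex digits and the
# contact is always bracketed, as it is for every filename listed above.
CRYSIS_NAME = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<contact>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)

# One "File created" row as the sandbox page extracts it: the two columns may
# run together ("...exeFile created: ...") or be separated by " | ", with an
# optional trailing "Jump to behavior" link.
EVENT_ROW = re.compile(
    r"^Source:\s*(?P<source>.+?\.exe)\s*\|?\s*File created:\s*"
    r"(?P<path>.+?)\s*(?:Jump to behavior)?\s*$"
)


def parse_encrypted_name(filename):
    """Return the name's components, or None if it is not Crysis-style."""
    m = CRYSIS_NAME.match(filename)
    return m.groupdict() if m else None


def junction_depth(directory):
    """Count 'Application Data' segments in a directory path.

    C:\\Documents and Settings and C:\\ProgramData\\Application Data are
    compatibility junctions back to C:\\ProgramData, so a count above 1 means
    the encryptor followed the junction loop, not a real directory tree.
    """
    return sum(1 for seg in directory.split("\\") if seg == "Application Data")


def parse_event(line):
    """Parse one extracted row; None for non-rows and non-encrypted files."""
    m = EVENT_ROW.match(line.strip())
    if not m:
        return None
    directory, _, basename = m.group("path").rpartition("\\")
    info = parse_encrypted_name(basename)
    if info is None:
        return None  # e.g. a dropped PE, not an encrypted victim file
    info.update(source=m.group("source"), directory=directory,
                junction_depth=junction_depth(directory))
    return info


def summarize(lines):
    """Group encrypted-file events by (victim id, contact) and count extensions."""
    hits = [e for e in map(parse_event, lines) if e]
    victims = defaultdict(set)
    for e in hits:
        victims[(e["victim_id"], e["contact"])].add(e["directory"] + "\\" + e["original"])
    return {
        "victims": {k: len(v) for k, v in victims.items()},
        "appended_ext": dict(Counter(e["ext"] for e in hits)),
        "original_ext": dict(Counter(e["original"].rsplit(".", 1)[-1].lower() for e in hits)),
        "max_junction_depth": max((e["junction_depth"] for e in hits), default=0),
    }


# Constructed sample: three rows taken from the report above (extraction
# artefacts left in on purpose) plus one dropped PE that must be ignored.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\MEO2x2MUfC.exeFile created: C:\Documents and Settings\All Users"
    r"\Application Data\Application Data\Application Data\Application Data\Application Data"
    r"\Application Data\Application Data\Start Menu\Programs\System Tools\Task Manager.lnk"
    r".id-88D1F6DF.[datahelp@techmail.info].errorJump to behavior",
    r"Source: C:\Users\user\Desktop\MEO2x2MUfC.exeFile created: C:\Documents and Settings\All Users"
    r"\Application Data\Application Data\Application Data\Application Data\Application Data"
    r"\Start Menu\Programs\Administrative Tools\Windows Defender Firewall with Advanced Security.lnk"
    r".id-88D1F6DF.[datahelp@techmail.info].errorJump to behavior",
    r"Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\$Recycle.Bin\S-1-5-18\desktop.ini"
    r".id-88D1F6DF.[datahelp@techmail.info].error",
    r"Source: C:\Users\user\Desktop\MEO2x2MUfC.exeFile created: C:\Windows\System32\MEO2x2MUfC.exe",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_ROWS))
```

On the report's own rows the grouping yields a single (victim ID, contact) pair and a maximum junction depth of 7; a second ID or contact in the same report would point at a different build or a reinfection.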

Hooking and other Techniques for Hiding and Protection:

Creates files in the recycle bin to hide itself
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | File created: C:\$Recycle.Bin\S-1-5-18\desktop.ini.id-88D1F6DF.[datahelp@techmail.info].error

Note: the created name carries the same .id-88D1F6DF.[datahelp@techmail.info].error suffix as the encrypted shortcuts above, so this event is the encryption of the desktop.ini in the SYSTEM account's (S-1-5-18) recycle bin rather than a component staged there to hide; the signature title is the sandbox's generic heuristic.

Source: C:\Windows\System32\MEO2x2MUfC.exe | Code function: 9_2_004053B0 rdtsc
Source: C:\Windows\System32\MEO2x2MUfC.exe | Code function: EnumServicesStatusExW
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | TID: 6580 | Thread sleep count: 70 > 30
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | TID: 6556 | Thread sleep count: 47 > 30
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | Last function: Thread delayed
Source: C:\Windows\System32\MEO2x2MUfC.exe | Code function: 9_2_00406940 FindFirstFileW
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\MEO2x2MUfC.exe | Code function: 9_2_004053B0 rdtsc
Source: C:\Windows\System32\MEO2x2MUfC.exe | Code function: 9_2_004065E0 LoadLibraryA, GetProcAddress
Source: C:\Windows\System32\MEO2x2MUfC.exe | Code function: 9_2_00406950 GetProcessHeap
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | Process created: C:\Windows\System32\cmd.exe, command line: C:\Windows\system32\cmd.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mode.com, command line: mode con cp select=1251
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe, command line: vssadmin delete shadows /all /quiet

Note: mode con cp select=1251 switches the console to the Windows-1251 (Cyrillic) code page before the shadow copies are deleted; on its own it is a weak indicator, but the pair of a code-page switch and vssadmin delete shadows /all /quiet launched from the same cmd.exe is a reliable chain to alert on.

Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\MEO2x2MUfC.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\MEO2x2MUfC.exe | Code function: 9_2_004068A0 GetVersion
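The process chain recorded above (cmd.exe spawning mode.com with cp select=1251 and vssadmin delete shadows /all /quiet) and the Run key pointing at a copy of the sample under C:\Windows are the behaviours a detection engineer would turn into rules. The Python below is an added example, not part of the report or of any vendor product, that scores constructed process-creation and registry events modelled on the rows above. It generalizes slightly beyond the page: it also recognizes wmic shadowcopy delete as shadow-copy destruction, and it expands %SystemRoot% and %windir% to C:\Windows before checking the Run target. The registry data path and the wmic variant are my assumptions; the page only shows the Run value name and that the target lives in C:\Windows.

```python
import ntpath

# Assumption: environment-variable forms of the Windows directory, expanded
# before the Run-key check (the report shows a literal path only).
WINDOWS_DIR = r"c:\windows"
ENV_ALIASES = {"%systemroot%": WINDOWS_DIR, "%windir%": WINDOWS_DIR}


def tokens(cmdline):
    return cmdline.lower().split()


def is_shadow_deletion(image, cmdline):
    """vssadmin delete shadows (seen in the report) or wmic shadowcopy delete
    (my generalization, not on the page)."""
    base = ntpath.basename(image).lower()
    t = tokens(cmdline)
    if base == "vssadmin.exe":
        return "delete" in t and "shadows" in t
    if base == "wmic.exe":
        return "shadowcopy" in t and "delete" in t
    return False


def is_cyrillic_codepage_switch(image, cmdline):
    """mode con cp select=1251: console switched to the Windows-1251 code page."""
    t = tokens(cmdline)
    return ntpath.basename(image).lower() == "mode.com" and {"con", "cp", "select=1251"} <= set(t)


def is_run_key_into_windows_dir(key, data):
    """Run value whose target resolves under C:\\Windows. Legitimate entries exist
    there too, so this is a review-grade finding, not a verdict on its own."""
    if not key.lower().endswith(r"\software\microsoft\windows\currentversion\run"):
        return False
    target = data.strip('"').lower()
    for alias, real in ENV_ALIASES.items():
        target = target.replace(alias, real)
    return ntpath.normpath(target).startswith(WINDOWS_DIR + "\\")


def analyze(proc_events, run_values):
    """proc_events: (parent image, child image, command line); run_values: (key, name, data)."""
    findings, per_parent = [], {}
    for parent, image, cmdline in proc_events:
        if is_shadow_deletion(image, cmdline):
            findings.append(("shadow_copy_deletion", cmdline))
            per_parent.setdefault(parent, set()).add("shadow")
        if is_cyrillic_codepage_switch(image, cmdline):
            findings.append(("codepage_1251_switch", cmdline))
            per_parent.setdefault(parent, set()).add("cp1251")
    # Both behaviours under the same parent is the chain this report records.
    for parent, tags in per_parent.items():
        if {"shadow", "cp1251"} <= tags:
            findings.append(("crysis_like_cmd_chain", parent))
    for key, name, data in run_values:
        if is_run_key_into_windows_dir(key, data):
            findings.append(("run_key_into_windows_dir", f"{name} -> {data}"))
    return findings


# Constructed events modelled on the report's rows, plus one benign
# "vssadmin list shadows" that must not fire.
PROCESS_EVENTS = [
    (r"C:\Users\user\Desktop\MEO2x2MUfC.exe", r"C:\Windows\System32\cmd.exe", r"C:\Windows\system32\cmd.exe"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\mode.com", "mode con cp select=1251"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
]
RUN_VALUES = [
    # Data path assumed from the dropped copy in the behaviour graph; the report shows only the value name.
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "MEO2x2MUfC.exe",
     r"C:\Windows\System32\MEO2x2MUfC.exe"),
]

if __name__ == "__main__":
    for kind, detail in analyze(PROCESS_EVENTS, RUN_VALUES):
        print(f"{kind:28} {detail}")
```

The correlation step matters more than the individual rules: vssadmin delete shadows is run by backup software and administrators, and a Cyrillic code-page switch is harmless by itself, but the two under one short-lived cmd.exe child of an unsigned user-profile binary is the pattern this sample exhibits.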

Mitre Att&ck Matrix

Digits following a technique name are the report's signature-hit markers (rendered as superscripts on the original page) and are kept as extracted. An empty cell means no technique is listed in that row for the column.

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Native API 1 | Startup Items 1 | Startup Items 1 | Masquerading 121 | Input Capture 1 | Security Software Discovery 2 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Registry Run Keys / Startup Folder 221 | Process Injection 11 | Virtualization/Sandbox Evasion 1 | LSASS Memory | Virtualization/Sandbox Evasion 1 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Registry Run Keys / Startup Folder 221 | Process Injection 11 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Hidden Files and Directories 1 | NTDS | System Service Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 2 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | File Deletion 1 | Cached Domain Credentials | System Information Discovery 12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |

Behavior Graph

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Behavior Graph ID: 284404 | Sample: MEO2x2MUfC | Startdate: 11/09/2020 | Architecture: WINDOWS | Score: 100

Root node signatures:
• Malicious sample detected (through community Yara rule)
• Antivirus detection for dropped file
• Antivirus / Scanner detection for submitted sample
• 8 other signatures

Processes started (numbers in brackets are the legend's per-node counters as extracted):
• MEO2x2MUfC.exe [1, 501]
    Dropped files:
    • C:\Windows\System32\MEO2x2MUfC.exe, PE32
    • C:\Users\user\AppData\...\MEO2x2MUfC.exe, PE32
    • cab1.cab.id-88D1F6...echmail.info].error, DOS
    • 85 other files (71 malicious)
    Signatures: Creates files in the recycle bin to hide itself; Drops PE files to the startup folder; Creates an autostart registry key pointing to binary in C:\Windows; Writes many files with high entropy
    Child process: cmd.exe [1]
        Signatures: May disable shadow drive data (uses vssadmin); Deletes shadow drive data (may be related to ransomware)
        Child processes: conhost.exe; vssadmin.exe [1]; mode.com [1]
• MEO2x2MUfC.exe
• MEO2x2MUfC.exe
• SearchUI.exe

                            Screenshots

                            Thumbnails

                            This section contains all screenshots as thumbnails, including those not shown in the slideshow.