Click to jump to signature section
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | Jump to behavior |
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData | Jump to behavior |
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user | Jump to behavior |
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData\Roaming | Jump to behavior |
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft | Jump to behavior |
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows | Jump to behavior |
Source: rhc.exe.20.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
Source: rhc.exe.20.dr | Static PE information: Section .text |
Source: classification engine | Classification label: sus21.winZIP@6/1@0/0 |
Source: C:\Program Files\7-Zip\7zG.exe | File created: C:\Users\user\Desktop\rhc.exe | Jump to behavior |
Source: C:\Windows\System32\conhost.exe | File read: C:\Users\desktop.ini | Jump to behavior |
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | Jump to behavior |
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding |
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding |
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe" |
Source: unknown | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: unknown | Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\" -an -ai#7zMap13122:172:7zEvent2168 |
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe "C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe" |
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe | Section loaded: apphelp.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe | Section loaded: textshaping.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe | Section loaded: uxtheme.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe | Section loaded: textinputframework.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe | Section loaded: coreuicomponents.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe | Section loaded: coremessaging.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe | Section loaded: ntmarta.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: C:\Windows\System32\cmd.exe | Section loaded: winbrand.dll | Jump to behavior |
Source: C:\Windows\System32\cmd.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: uxtheme.dll | Jump to behavior |
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: cryptbase.dll | Jump to behavior |
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: explorerframe.dll | Jump to behavior |
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: textshaping.dll | Jump to behavior |
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: textinputframework.dll | Jump to behavior |
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: coreuicomponents.dll | Jump to behavior |
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: coremessaging.dll | Jump to behavior |
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: ntmarta.dll | Jump to behavior |
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe | Section loaded: apphelp.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe | Section loaded: textshaping.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe | Section loaded: uxtheme.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe | Section loaded: textinputframework.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe | Section loaded: coreuicomponents.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe | Section loaded: coremessaging.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe | Section loaded: ntmarta.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: C:\Program Files\7-Zip\7zG.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32 | Jump to behavior |
Source: Window Recorder | Window detected: More than 3 window changes detected |
Source: C:\Program Files\7-Zip\7zG.exe | File created: C:\Users\user\Desktop\rhc.exe | Jump to dropped file |
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\cmd.exe | File Volume queried: C:\Users\user FullSizeInformation | Jump to behavior |
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | Jump to behavior |
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData | Jump to behavior |
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user | Jump to behavior |
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData\Roaming | Jump to behavior |
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft | Jump to behavior |
Source: C:\Windows\System32\conhost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows | Jump to behavior |
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation | Jump to behavior |
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation | Jump to behavior |