Source: P3ccqv3djN.exe | Virustotal: Detection: 68% |
Source: 7.0.P3ccqv3djN.exe.b80000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen2 |
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000 |
Source: Joe Sandbox View | IP Address: 1.1.1.1 |
Source: Joe Sandbox View | ASN Name: unknown |
Source: Yara match | File source: 00000007.00000002.2009140031.0000000000B81000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: P3ccqv3djN.exe PID: 5964, type: MEMORY |
Source: Yara match | File source: 7.2.P3ccqv3djN.exe.b80000.0.unpack, type: UNPACKEDPE |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B83AB0: DeviceIoControl, | 7_2_00B83AB0 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B86EC0 RegisterServiceCtrlHandlerW,SetServiceStatus,SetServiceStatus,CreateEventW,SetServiceStatus,SetServiceStatus,SetEvent,OpenSCManagerW,OpenServiceW,QueryServiceStatus,DeleteService,CloseServiceHandle,CloseServiceHandle,WaitForSingleObject,WaitForSingleObject,SetServiceStatus,FindCloseChangeNotification,SetServiceStatus, | 7_2_00B86EC0 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B8DC18 | 7_2_00B8DC18 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B910FA | 7_2_00B910FA |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B9F079 | 7_2_00B9F079 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00BA1047 | 7_2_00BA1047 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B9624F | 7_2_00B9624F |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B973C5 | 7_2_00B973C5 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B9EB07 | 7_2_00B9EB07 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B96B5B | 7_2_00B96B5B |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B88C70 | 7_2_00B88C70 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B9FD93 | 7_2_00B9FD93 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B9F5EB | 7_2_00B9F5EB |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B9AE94 | 7_2_00B9AE94 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B83E80 | 7_2_00B83E80 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B96F90 | 7_2_00B96F90 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B96743 | 7_2_00B96743 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: String function: 00B8DF60 appears 43 times | |
Source: classification engine | Classification label: mal68.rans.troj.evad.winEXE@35/5@0/1 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B87410 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle, | 7_2_00B87410 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: OpenSCManagerW,GetModuleFileNameW,CreateServiceW,CloseServiceHandle,CloseServiceHandle, | 7_2_00B870A0 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: CreateFileW,OpenSCManagerW,CreateServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,OpenServiceA,StartServiceA,DeleteService,CloseServiceHandle,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle,CreateFileW, | 7_2_00B82960 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B83E80 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Sleep,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,_memmove,_memmove,Process32NextW,CloseHandle,Sleep, | 7_2_00B83E80 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B871B0 lstrcmpiW,lstrcmpiW,StartServiceCtrlDispatcherW, | 7_2_00B871B0 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6092:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6108:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:908:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5836:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6020:120:WilError_01 |
Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "P3ccqv3djN.exe") |
Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "P3ccqv3djN.exe") |
Source: C:\Windows\SysWOW64\sc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: P3ccqv3djN.exe | Virustotal: Detection: 68% |
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc create juTze binpath= 'C:\Users\user\Desktop\P3ccqv3djN.exe' >> C:\servicereg.log 2>&1 | |
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: unknown | Process created: C:\Windows\SysWOW64\sc.exe sc create juTze binpath= 'C:\Users\user\Desktop\P3ccqv3djN.exe' | |
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc start juTze >> C:\servicestart.log 2>&1 | |
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: unknown | Process created: C:\Windows\SysWOW64\sc.exe sc start juTze | |
Source: unknown | Process created: C:\Users\user\Desktop\P3ccqv3djN.exe C:\Users\user\Desktop\P3ccqv3djN.exe | |
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc delete juTze | |
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: unknown | Process created: C:\Windows\SysWOW64\sc.exe sc delete juTze | |
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & taskkill /f /im P3ccqv3djN.exe & Del /f /q 'C:\Users\user\Desktop\P3ccqv3djN.exe' | |
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q 'C:\Windows\temp\Runtime_Service.exe' & sc delete WindowsDeviceACL | |
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & taskkill /f /im P3ccqv3djN.exe & Del /f /q 'C:\Users\user\Desktop\P3ccqv3djN.exe' | |
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000 | |
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000 | |
Source: unknown | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im P3ccqv3djN.exe | |
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000 | |
Source: unknown | Process created: C:\Windows\SysWOW64\sc.exe sc delete WindowsDeviceACL | |
Source: unknown | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im P3ccqv3djN.exe | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc create juTze binpath= 'C:\Users\user\Desktop\P3ccqv3djN.exe' |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc start juTze |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc delete juTze |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & taskkill /f /im P3ccqv3djN.exe & Del /f /q 'C:\Users\user\Desktop\P3ccqv3djN.exe' |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q 'C:\Windows\temp\Runtime_Service.exe' & sc delete WindowsDeviceACL |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & taskkill /f /im P3ccqv3djN.exe & Del /f /q 'C:\Users\user\Desktop\P3ccqv3djN.exe' |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc delete juTze |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000 |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im P3ccqv3djN.exe |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000 |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc delete WindowsDeviceACL |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000 |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im P3ccqv3djN.exe |
Source: P3ccqv3djN.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: | Binary string: C:\Users\Mikhail\Desktop\Robnhold\Win7Release\Robbnhold.pdbFH source: P3ccqv3djN.exe, 00000007.00000002.2009140031.0000000000B81000.00000040.00020000.sdmp |
Source: | Binary string: C:\Users\Mikhail\Desktop\Robnhold\Win7Release\Robbnhold.pdb source: P3ccqv3djN.exe |
Source: | Binary string: 3gL)+.pdb source: P3ccqv3djN.exe |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B83290 LoadLibraryW,GetProcAddress,_memset,FreeLibrary,GetCurrentProcessId,GetCurrentProcess,GetCurrentProcess,IsWow64Process,IsWow64Process,GetCurrentProcess,IsWow64Process,CreateFileW,Sleep,CreateFileW,Sleep, | 7_2_00B83290 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B8DFA5 push ecx; ret | 7_2_00B8DFB8 |
Source: initial sample | Static PE information: section name: UPX0 |
Source: initial sample | Static PE information: section name: UPX1 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B871B0 lstrcmpiW,lstrcmpiW,StartServiceCtrlDispatcherW, | 7_2_00B871B0 |
Source: unknown | Process created: C:\Windows\SysWOW64\sc.exe sc create juTze binpath= 'C:\Users\user\Desktop\P3ccqv3djN.exe' |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B8DC18 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 7_2_00B8DC18 |
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\taskkill.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\taskkill.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\taskkill.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\taskkill.exe | Process information set: NOOPENFILEERRORBOX |
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000 | |
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000 | |
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000 | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000 |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000 |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00BCF0E8 rdtsc | 7_2_00BCF0E8 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,EnumServicesStatusExW,CloseServiceHandle, | 7_2_00B830F0 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess | graph_7-16950 |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: sc.exe, 00000015.00000002.2013010300.00000000008B0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed. |
Source: sc.exe, 00000015.00000002.2013010300.00000000008B0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service. |
Source: sc.exe, 00000015.00000002.2013010300.00000000008B0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported. |
Source: sc.exe, 00000015.00000002.2013010300.00000000008B0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service. |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | API call chain: ExitProcess graph end node | graph_7-16951 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00BCF0E8 rdtsc | 7_2_00BCF0E8 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B9C827 RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, | 7_2_00B9C827 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B83290 LoadLibraryW,GetProcAddress,_memset,FreeLibrary,GetCurrentProcessId,GetCurrentProcess,GetCurrentProcess,IsWow64Process,IsWow64Process,GetCurrentProcess,IsWow64Process,CreateFileW,Sleep,CreateFileW,Sleep, | 7_2_00B83290 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00BA0DF2 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, | 7_2_00BA0DF2 |
Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug |
Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B90CEA SetUnhandledExceptionFilter, | 7_2_00B90CEA |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B90D1B SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 7_2_00B90D1B |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc create juTze binpath= 'C:\Users\user\Desktop\P3ccqv3djN.exe' |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc start juTze |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc delete juTze |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc delete juTze |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000 |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im P3ccqv3djN.exe |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000 |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc delete WindowsDeviceACL |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000 |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im P3ccqv3djN.exe |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im P3ccqv3djN.exe |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im P3ccqv3djN.exe |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, | 7_2_00B98145 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: GetLocaleInfoW,_GetPrimaryLen, | 7_2_00B988C5 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, | 7_2_00B98818 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, | 7_2_00B9892F |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: EnumSystemLocalesW, | 7_2_00B983B9 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW, | 7_2_00B983F9 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, | 7_2_00B9BC83 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, | 7_2_00B984F9 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: EnumSystemLocalesW, | 7_2_00B98CD4 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW, | 7_2_00B98476 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: GetLocaleInfoW, | 7_2_00B98D11 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, | 7_2_00B986EE |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, | 7_2_00B90785 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B8B334 cpuid | 7_2_00B8B334 |
Source: C:\Users\user\Desktop\P3ccqv3djN.exe | Code function: 7_2_00B92CCD GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, | 7_2_00B92CCD |