Source: mtspsmjeli.sch.id | Virustotal: Detection: 12%
Source: http://mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin | Virustotal: Detection: 15%
Source: C:\Users\user\AppData\Roaming\win.exe | Virustotal: Detection: 35%
Source: C:\Users\user\AppData\Roaming\win.exe | ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Roaming\win.exe | Joe Sandbox ML: detected
Source: 4AtUJN8Hdu.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Joe Sandbox View | IP Address: 103.150.60.242
Source: Joe Sandbox View | ASN Name: PC24NET-AS-IDPTPC24TelekomunikasiIndonesiaID
Source: global traffic | HTTP traffic detected:
    GET /cl/VK_Remcos%20v2_AxaGIU151.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: mtspsmjeli.sch.id
    Cache-Control: no-cache
Source: unknown | DNS traffic detected: queries for: mtspsmjeli.sch.id
Source: 4AtUJN8Hdu.exe, 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp | String found in binary or memory: http://mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin
Source: win.exe, 0000001E.00000002.753745838.000000000067A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
|
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00566C80 NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00566766 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_0056631A NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00560534 EnumWindows, NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00566E75 NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_0056061B NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_005606D3 NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00560EDD NtProtectVirtualMemory
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00566EDB NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_005668F5 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00566CE5 NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_0056069F NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00566C99 NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00566EA3 NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00560743 NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00566D6A NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00560F68 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_005605DE NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00566DD9 NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_005659CD NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00560DBD NtProtectVirtualMemory
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00560FA1 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00566DAB NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 0_2_00402BF9
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00564B29
Source: 4AtUJN8Hdu.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: win.exe.26.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 4AtUJN8Hdu.exe, 00000000.00000000.227272150.0000000000418000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRidgepieceudtrreu.exe vs 4AtUJN8Hdu.exe
Source: 4AtUJN8Hdu.exe, 00000000.00000002.686046598.00000000021F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs 4AtUJN8Hdu.exe
Source: 4AtUJN8Hdu.exe, 0000001A.00000002.712764051.000000001E020000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs 4AtUJN8Hdu.exe
Source: 4AtUJN8Hdu.exe, 0000001A.00000002.712764051.000000001E020000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 4AtUJN8Hdu.exe
Source: 4AtUJN8Hdu.exe, 0000001A.00000002.712402397.000000001DC50000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs 4AtUJN8Hdu.exe
Source: 4AtUJN8Hdu.exe, 0000001A.00000002.712447968.000000001DF20000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs 4AtUJN8Hdu.exe
Source: 4AtUJN8Hdu.exe, 0000001A.00000000.684091283.0000000000418000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRidgepieceudtrreu.exe vs 4AtUJN8Hdu.exe
Source: 4AtUJN8Hdu.exe | Binary or memory string: OriginalFilenameRidgepieceudtrreu.exe vs 4AtUJN8Hdu.exe
Source: 4AtUJN8Hdu.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine | Classification label: mal100.troj.evad.winEXE@11/3@1/1
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | File created: C:\Users\user\AppData\Roaming\win.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6348:120:WilError_01
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Mutant created: \Sessions\1\BaseNamedObjects\Remcos-K77NUC
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | File created: C:\Users\user\AppData\Local\Temp\~DFCACFC5B555D77E93.TMP
Source: unknown | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: 4AtUJN8Hdu.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\win.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: 4AtUJN8Hdu.exe | Virustotal: Detection: 35%
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | File read: C:\Users\user\Desktop\4AtUJN8Hdu.exe
Source: unknown | Process created: C:\Users\user\Desktop\4AtUJN8Hdu.exe 'C:\Users\user\Desktop\4AtUJN8Hdu.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe'
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe
Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: Yara match | File source: Process Memory Space: 4AtUJN8Hdu.exe PID: 6564, type: MEMORY
Source: 4AtUJN8Hdu.exe | Static PE information: real checksum: 0x27364 should be: 0x25d86
Source: win.exe.26.dr | Static PE information: real checksum: 0x27364 should be: 0x25d86
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 0_2_0040546F push edx; iretd 0_2_00405471
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 0_2_00404889 push ds; retf 0_2_0040488A
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 0_2_0040769A push esp; iretd 0_2_0040769B
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run win
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\win.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | File opened: C:\Program Files\qga\qga.exe
Source: 4AtUJN8Hdu.exe, 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE`
Source: 4AtUJN8Hdu.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: C:\Windows\SysWOW64\wscript.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00560A8C rdtsc
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: 4AtUJN8Hdu.exe, 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe`
Source: 4AtUJN8Hdu.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_0056631A NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00400000,?,00000000
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00563623 LdrInitializeThunk
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_0056229F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_0056631A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00561AD5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_005662DB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_005654F7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_005622AB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00564D4A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_0056632D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00562FEA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00565582 mov eax, dword ptr fs:[00000030h]
Source: win.exe, 0000001E.00000002.754244336.0000000000C40000.00000002.00000001.sdmp, win.exe, 0000001F.00000002.754158603.0000000000C30000.00000002.00000001.sdmp, win.exe, 00000020.00000002.753790785.0000000000C60000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: win.exe, 0000001E.00000002.754244336.0000000000C40000.00000002.00000001.sdmp, win.exe, 0000001F.00000002.754158603.0000000000C30000.00000002.00000001.sdmp, win.exe, 00000020.00000002.753790785.0000000000C60000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: win.exe, 0000001E.00000002.754244336.0000000000C40000.00000002.00000001.sdmp, win.exe, 0000001F.00000002.754158603.0000000000C30000.00000002.00000001.sdmp, win.exe, 00000020.00000002.753790785.0000000000C60000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
Source: win.exe, 0000001E.00000002.754244336.0000000000C40000.00000002.00000001.sdmp, win.exe, 0000001F.00000002.754158603.0000000000C30000.00000002.00000001.sdmp, win.exe, 00000020.00000002.753790785.0000000000C60000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
Source: win.exe, 0000001E.00000002.754244336.0000000000C40000.00000002.00000001.sdmp, win.exe, 0000001F.00000002.754158603.0000000000C30000.00000002.00000001.sdmp, win.exe, 00000020.00000002.753790785.0000000000C60000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00560ABC cpuid
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid