Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 19_2_0056688B NtProtectVirtualMemory, |
19_2_0056688B |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 19_2_005604B6 EnumWindows,NtSetInformationThread, |
19_2_005604B6 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 19_2_00565209 NtSetInformationThread, |
19_2_00565209 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 19_2_0056506B NtSetInformationThread, |
19_2_0056506B |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 19_2_0056057F NtSetInformationThread, |
19_2_0056057F |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 19_2_005605B2 NtSetInformationThread, |
19_2_005605B2 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 19_2_00563635 NtSetInformationThread,LdrInitializeThunk, |
19_2_00563635 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 19_2_00560629 NtSetInformationThread, |
19_2_00560629 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 19_2_0056069F NtSetInformationThread, |
19_2_0056069F |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 19_2_00561AA2 NtSetInformationThread, |
19_2_00561AA2 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 19_2_00560F41 NtProtectVirtualMemory, |
19_2_00560F41 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 19_2_00560F23 NtProtectVirtualMemory, |
19_2_00560F23 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_00405454 |
1_2_00405454 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_00405872 |
1_2_00405872 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_00402C01 |
1_2_00402C01 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_00405814 |
1_2_00405814 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_00405429 |
1_2_00405429 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_004054C1 |
1_2_004054C1 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_004054C3 |
1_2_004054C3 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_004054C5 |
1_2_004054C5 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_004054C7 |
1_2_004054C7 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_004054C9 |
1_2_004054C9 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_004058CB |
1_2_004058CB |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_004054E0 |
1_2_004054E0 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_004058F7 |
1_2_004058F7 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_00405488 |
1_2_00405488 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_0040589C |
1_2_0040589C |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_004054AC |
1_2_004054AC |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_004054B3 |
1_2_004054B3 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_004054B5 |
1_2_004054B5 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_004054B7 |
1_2_004054B7 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_004054B9 |
1_2_004054B9 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_004054BB |
1_2_004054BB |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_004054BD |
1_2_004054BD |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_00405954 |
1_2_00405954 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_0040556C |
1_2_0040556C |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_0040550A |
1_2_0040550A |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_0040513D |
1_2_0040513D |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_0040553D |
1_2_0040553D |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_004049E3 |
1_2_004049E3 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_004055EA |
1_2_004055EA |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_00404DA2 |
1_2_00404DA2 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_0040525A |
1_2_0040525A |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_00405A06 |
1_2_00405A06 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_0040561E |
1_2_0040561E |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_0040522C |
1_2_0040522C |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_004056DE |
1_2_004056DE |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_00405682 |
1_2_00405682 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_004052AB |
1_2_004052AB |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_00404B4D |
1_2_00404B4D |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_00405750 |
1_2_00405750 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_0040536C |
1_2_0040536C |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_0040576D |
1_2_0040576D |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_0040530B |
1_2_0040530B |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_00405337 |
1_2_00405337 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_004057C0 |
1_2_004057C0 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_004057EF |
1_2_004057EF |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_004053FB |
1_2_004053FB |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_00404BFE |
1_2_00404BFE |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_0040539A |
1_2_0040539A |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_0040579A |
1_2_0040579A |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_004043B6 |
1_2_004043B6 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 19_2_00565853 |
19_2_00565853 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 19_2_00561C9A |
19_2_00561C9A |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 19_2_005656D9 |
19_2_005656D9 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 19_2_00561B01 |
19_2_00561B01 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 19_2_00564FCA |
19_2_00564FCA |
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameCOLLUMELLIACEOUSFR.exe vs SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000001.00000002.803089059.0000000002130000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000000.801506120.0000000000418000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameCOLLUMELLIACEOUSFR.exe vs SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.828115877.000000001E290000.00000002.00000001.sdmp |
Binary or memory string: originalfilename vs SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.828115877.000000001E290000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.824158146.0000000000936000.00000004.00000020.sdmp |
Binary or memory string: OriginalFilenamewscript.exe.mui` vs SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.824158146.0000000000936000.00000004.00000020.sdmp |
Binary or memory string: OriginalFilenamewscript.exe` vs SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.827975681.000000001E180000.00000002.00000001.sdmp |
Binary or memory string: System.OriginalFileName vs SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.827894653.000000001DEB0000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenamemswsock.dll.muij% vs SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Binary or memory string: OriginalFilenameCOLLUMELLIACEOUSFR.exe vs SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: 00000013.00000003.820991756.000000000094C000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Remcos-E2OTZW |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6156:120:WilError_01 |
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Virustotal: Detection: 35% |
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe |
ReversingLabs: Detection: 39% |
Source: unknown |
Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe' |
Source: unknown |
Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe' |
Source: unknown |
Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' |
Source: unknown |
Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe' |
Source: unknown |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: unknown |
Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe |
Source: unknown |
Process created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe' |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' |
Source: C:\Windows\SysWOW64\wscript.exe |
Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe' |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_0040B0A6 push ds; retf |
1_2_0040B140 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 1_2_004059D2 push ss; iretd |
1_2_004059D3 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 19_2_005642B4 push ebp; iretd |
19_2_005642D9 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\win.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
RDTSC instruction interceptor: First address: 0000000000543047 second address: 0000000000543047 instructions: |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
RDTSC instruction interceptor: First address: 00000000005620EF second address: 00000000005620EF instructions: |
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.824158146.0000000000936000.00000004.00000020.sdmp |
Binary or memory string: Hyper-V RAWo |
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.824158146.0000000000936000.00000004.00000020.sdmp |
Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:U |
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.824158146.0000000000936000.00000004.00000020.sdmp |
Binary or memory string: Hyper-V RAW |
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 19_2_005604B6 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000 |
19_2_005604B6 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 19_2_00562286 mov eax, dword ptr fs:[00000030h] |
19_2_00562286 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 19_2_00563008 mov eax, dword ptr fs:[00000030h] |
19_2_00563008 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 19_2_00562034 mov eax, dword ptr fs:[00000030h] |
19_2_00562034 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 19_2_005661D3 mov eax, dword ptr fs:[00000030h] |
19_2_005661D3 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 19_2_005661C4 mov eax, dword ptr fs:[00000030h] |
19_2_005661C4 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 19_2_00564A7C mov eax, dword ptr fs:[00000030h] |
19_2_00564A7C |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 19_2_00566207 mov eax, dword ptr fs:[00000030h] |
19_2_00566207 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 19_2_00561AA2 mov eax, dword ptr fs:[00000030h] |
19_2_00561AA2 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 19_2_005622A1 mov eax, dword ptr fs:[00000030h] |
19_2_005622A1 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe |
Code function: 19_2_00565364 mov eax, dword ptr fs:[00000030h] |
19_2_00565364 |
Source: win.exe, 00000017.00000002.850782313.0000000000C40000.00000002.00000001.sdmp, win.exe, 00000018.00000002.850433876.0000000000CD0000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: win.exe, 00000017.00000002.850782313.0000000000C40000.00000002.00000001.sdmp, win.exe, 00000018.00000002.850433876.0000000000CD0000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: win.exe, 00000017.00000002.850782313.0000000000C40000.00000002.00000001.sdmp, win.exe, 00000018.00000002.850433876.0000000000CD0000.00000002.00000001.sdmp |
Binary or memory string: &Program Manager |
Source: win.exe, 00000017.00000002.850782313.0000000000C40000.00000002.00000001.sdmp, win.exe, 00000018.00000002.850433876.0000000000CD0000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |