Source: C:\Users\user\Desktop\SY5DeZW6pz.exe |
Code function: 0_2_0F394950 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread, |
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe |
Code function: 0_2_0F398150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, |
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe |
Code function: 0_2_0F3962B0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW, |
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe |
Code function: 0_2_0F396530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, |
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe |
Code function: 0_2_0F395210 lstrlenA,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError, |
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe |
Code function: 0_2_0F395670 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree, |
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe |
Code function: 0_2_0F3982A0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, |
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe |
Code function: 0_2_0F395880 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree, |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleUpdateComRegisterShell64.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroRd32.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files\Google\Chrome\Application\104.0.5112.81\chrome_pwa_launcher.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleUpdate.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\lync.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\misc.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\DCF\filecompare.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\lync99.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\autoit3\AutoIt3Help.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\ssvagent.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\UcMapi.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\ONENOTE.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\PDFREFLOW.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\autoit3\Examples\Helpfile\Extras\MyProg.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\WINWORD.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroBroker.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSOSREC.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\OUTLOOK.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\DCF\Common.DBConnection.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\protocolhandler.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSQRY32.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\wow_helper.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files\Google\Chrome\Application\104.0.5112.81\notification_helper.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\arh.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\SELFCERT.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\WORDICON.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSPUB.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleCrashHandler64.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files\Google\Chrome\Application\chrome.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\jabswitch.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\DCF\DATABASECOMPARE.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleCrashHandler.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\SETLANG.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\autoit3\Aut2Exe\Aut2exe_x64.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\ACCICONS.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\FIRSTRUN.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSACCESS.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\POWERPNT.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\autoit3\Uninstall.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleUpdateCore.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\DCF\Common.ShowHelp.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\SCANPST.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\autoit3\Au3Check.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\jp2launcher.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSOHTMED.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\CLVIEW.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\NAMECONTROLSERVER.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\IEContentService.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\java.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\CNFNOT32.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files\Google\Chrome\Application\104.0.5112.81\Installer\chrmstp.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files\Microsoft Office\Office16\AppSharingHookController64.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\excelcnv.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\GROOVE.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\OcPubMgr.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\java-rmi.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleUpdateBroker.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\unpack200.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\javacpl.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\ONENOTEM.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\msoev.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSOUC.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files\Microsoft Office\Office16\MSOHTMED.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\autoit3\SciTE\SciTE.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\GRAPH.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\EXCEL.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\PPTICO.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\LogTransport2.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\lynchtmlconv.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\javaws.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files\Google\Chrome\Application\104.0.5112.81\elevation_service.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\Eula.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\autoit3\Au3Info.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\autoit3\AutoIt3_x64.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\AppSharingHookController.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\OSPPREARM.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSOSYNC.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\XLICONS.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\DCF\Common.DBConnection64.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files\Microsoft Office\Office16\msoia.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\104.0.5112.81\chrome_installer.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\autoit3\Au3Info_x64.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\Wordconv.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\autoit3\Aut2Exe\Aut2exe.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\DCF\SPREADSHEETCOMPARE.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft analysis services\AS OLEDB\110\SQLDumper.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\VPREVIEW.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\reader_sl.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\autoit3\Aut2Exe\upx.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleUpdateSetup.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\msotd.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\orbd.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe |
Source: vSQshX.exe, 00000001.00000003.310095902.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, vSQshX.exe, 00000001.00000000.331514201.0000000000C23000.00000002.00000001.01000000.00000004.sdmp |
String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE |
Source: vSQshX.exe, 00000001.00000000.333684475.000000000142E000.00000004.00000020.00020000.00000000.sdmp, vSQshX.exe, 00000001.00000000.336367143.000000000142E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ddos.dnsnb8.net/& |
Source: vSQshX.exe, 00000001.00000000.334129715.00000000030C9000.00000004.00000010.00020000.00000000.sdmp, vSQshX.exe, 00000001.00000002.359919761.000000000142E000.00000004.00000020.00020000.00000000.sdmp, vSQshX.exe, 00000001.00000000.336367143.000000000142E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar |
Source: vSQshX.exe, 00000001.00000000.333684475.000000000142E000.00000004.00000020.00020000.00000000.sdmp, vSQshX.exe, 00000001.00000000.336367143.000000000142E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar% |
Source: vSQshX.exe, 00000001.00000002.360215641.00000000030C9000.00000004.00000010.00020000.00000000.sdmp |
String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rar |
Source: vSQshX.exe, 00000001.00000002.359919761.000000000142E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rar% |
Source: SY5DeZW6pz.exe |
String found in binary or memory: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b |
Source: Amcache.hve.1.dr |
String found in binary or memory: http://upx.sf.net |
Source: SciTE.exe.1.dr |
String found in binary or memory: http://www.activestate.com |
Source: SciTE.exe.1.dr |
String found in binary or memory: http://www.activestate.comJames |
Source: SciTE.exe.1.dr |
String found in binary or memory: http://www.autoitscript.com/autoit3/scite |
Source: SciTE.exe.1.dr |
String found in binary or memory: http://www.baanboard.com |
Source: SciTE.exe.1.dr |
String found in binary or memory: http://www.baanboard.comPraveen |
Source: SciTE.exe.1.dr |
String found in binary or memory: http://www.develop.com |
Source: SciTE.exe.1.dr |
String found in binary or memory: http://www.develop.comYann |
Source: SciTE.exe.1.dr |
String found in binary or memory: http://www.lua.org |
Source: SciTE.exe.1.dr |
String found in binary or memory: http://www.rftp.com |
Source: SciTE.exe.1.dr |
String found in binary or memory: http://www.rftp.comSteve |
Source: SciTE.exe.1.dr |
String found in binary or memory: http://www.scintila.org/scite.rng |
Source: SciTE.exe.1.dr |
String found in binary or memory: http://www.scintilla.org |
Source: SciTE.exe.1.dr |
String found in binary or memory: http://www.spaceblue.com |
Source: SciTE.exe.1.dr |
String found in binary or memory: http://www.spaceblue.comDenis |
Source: SY5DeZW6pz.exe |
String found in binary or memory: https://tox.chat/download.html |
Source: SY5DeZW6pz.exe |
String found in binary or memory: https://www.torproject.org/ |
Source: SY5DeZW6pz.exe, type: SAMPLE |
Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen |
Source: SY5DeZW6pz.exe, type: SAMPLE |
Matched rule: Gandcrab Payload Author: kevoreilly |
Source: 0.0.SY5DeZW6pz.exe.3760000.2.unpack, type: UNPACKEDPE |
Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen |
Source: 0.0.SY5DeZW6pz.exe.3760000.2.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab Payload Author: kevoreilly |
Source: 0.0.SY5DeZW6pz.exe.f390000.3.unpack, type: UNPACKEDPE |
Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen |
Source: 0.0.SY5DeZW6pz.exe.f390000.3.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab Payload Author: kevoreilly |
Source: 0.2.SY5DeZW6pz.exe.3760000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen |
Source: 0.2.SY5DeZW6pz.exe.3760000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab Payload Author: kevoreilly |
Source: 0.0.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE |
Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen |
Source: 0.0.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab Payload Author: kevoreilly |
Source: 0.2.SY5DeZW6pz.exe.3760000.0.unpack, type: UNPACKEDPE |
Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen |
Source: 0.2.SY5DeZW6pz.exe.3760000.0.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab Payload Author: kevoreilly |
Source: 0.0.SY5DeZW6pz.exe.f390000.0.unpack, type: UNPACKEDPE |
Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen |
Source: 0.0.SY5DeZW6pz.exe.f390000.0.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab Payload Author: kevoreilly |
Source: 0.0.SY5DeZW6pz.exe.3760000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen |
Source: 0.0.SY5DeZW6pz.exe.3760000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab Payload Author: kevoreilly |
Source: 0.2.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE |
Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen |
Source: 0.2.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab Payload Author: kevoreilly |
Source: 00000000.00000002.352730641.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY |
Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen |
Source: 00000000.00000002.352730641.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY |
Matched rule: Gandcrab Payload Author: kevoreilly |
Source: 00000000.00000000.324233119.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY |
Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen |
Source: 00000000.00000000.324233119.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY |
Matched rule: Gandcrab Payload Author: kevoreilly |
Source: SY5DeZW6pz.exe, type: SAMPLE |
Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15 |
Source: SY5DeZW6pz.exe, type: SAMPLE |
Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ |
Source: SY5DeZW6pz.exe, type: SAMPLE |
Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts |
Source: SY5DeZW6pz.exe, type: SAMPLE |
Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload |
Source: 0.0.SY5DeZW6pz.exe.3760000.2.unpack, type: UNPACKEDPE |
Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15 |
Source: 0.0.SY5DeZW6pz.exe.3760000.2.unpack, type: UNPACKEDPE |
Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ |
Source: 0.0.SY5DeZW6pz.exe.3760000.2.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts |
Source: 0.0.SY5DeZW6pz.exe.3760000.2.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload |
Source: 0.0.SY5DeZW6pz.exe.f390000.3.unpack, type: UNPACKEDPE |
Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15 |
Source: 0.0.SY5DeZW6pz.exe.f390000.3.unpack, type: UNPACKEDPE |
Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ |
Source: 0.0.SY5DeZW6pz.exe.f390000.3.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts |
Source: 0.0.SY5DeZW6pz.exe.f390000.3.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload |
Source: 0.2.SY5DeZW6pz.exe.3760000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15 |
Source: 0.2.SY5DeZW6pz.exe.3760000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ |
Source: 0.2.SY5DeZW6pz.exe.3760000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts |
Source: 0.2.SY5DeZW6pz.exe.3760000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload |
Source: 0.0.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE |
Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15 |
Source: 0.0.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE |
Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ |
Source: 0.0.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts |
Source: 0.0.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload |
Source: 0.2.SY5DeZW6pz.exe.3760000.0.unpack, type: UNPACKEDPE |
Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15 |
Source: 0.2.SY5DeZW6pz.exe.3760000.0.unpack, type: UNPACKEDPE |
Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ |
Source: 0.2.SY5DeZW6pz.exe.3760000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts |
Source: 0.2.SY5DeZW6pz.exe.3760000.0.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload |
Source: 0.0.SY5DeZW6pz.exe.f390000.0.unpack, type: UNPACKEDPE |
Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15 |
Source: 0.0.SY5DeZW6pz.exe.f390000.0.unpack, type: UNPACKEDPE |
Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ |
Source: 0.0.SY5DeZW6pz.exe.f390000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts |
Source: 0.0.SY5DeZW6pz.exe.f390000.0.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload |
Source: 0.0.SY5DeZW6pz.exe.3760000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15 |
Source: 0.0.SY5DeZW6pz.exe.3760000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ |
Source: 0.0.SY5DeZW6pz.exe.3760000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts |
Source: 0.0.SY5DeZW6pz.exe.3760000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload |
Source: 0.2.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE |
Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15 |
Source: 0.2.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE |
Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ |
Source: 0.2.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts |
Source: 0.2.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload |
Source: 00000000.00000002.352730641.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY |
Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15 |
Source: 00000000.00000002.352730641.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY |
Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ |
Source: 00000000.00000002.352730641.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts |
Source: 00000000.00000002.352730641.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY |
Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload |
Source: 00000000.00000000.324233119.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY |
Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15 |
Source: 00000000.00000000.324233119.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY |
Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ |
Source: 00000000.00000000.324233119.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts |
Source: 00000000.00000000.324233119.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY |
Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload |
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe |
Code function: 0_2_0F397330 VirtualAlloc,VirtualAlloc,GetUserNameW,VirtualAlloc,GetComputerNameW,wsprintfW,VirtualAlloc,wsprintfW,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrcmpiW,wsprintfW,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,ExitProcess,wsprintfW,VirtualAlloc,VirtualAlloc,GetWindowsDirectoryW,GetVolumeInformationW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,GetModuleHandleW,GetProcAddress,lstrlenW,VirtualFree,lstrcatW,VirtualAlloc,GetDriveTypeW,lstrcatW,lstrcatW,lstrcatW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,VirtualFree, |
0_2_0F397330 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: |Zu8 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_0 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_1 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_2 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_3 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_4 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_5 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_6 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_7 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_8 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_9 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_10 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_11 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_12 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_13 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_14 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_15 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_16 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_17 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_18 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_19 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_20 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_21 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_22 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_23 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_24 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_25 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_26 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_27 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_28 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_29 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_30 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_31 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_32 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_33 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_34 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_35 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_36 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_37 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_38 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_39 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_40 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_41 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_42 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_43 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_44 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_45 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_46 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_47 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_48 |
Source: SY5DeZW6pz.exe |
Static PE information: section name: .dat_49 |
Source: vSQshX.exe.0.dr |
Static PE information: section name: .aspack |
Source: vSQshX.exe.0.dr |
Static PE information: section name: .adata |
Source: MyProg.exe.1.dr |
Static PE information: section name: PELIB |
Source: MyProg.exe.1.dr |
Static PE information: section name: Y|uR |
Source: SciTE.exe.1.dr |
Static PE information: section name: ruO |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleUpdateComRegisterShell64.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroRd32.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files\Google\Chrome\Application\104.0.5112.81\chrome_pwa_launcher.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleUpdate.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\lync.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\misc.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\DCF\filecompare.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\lync99.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\autoit3\AutoIt3Help.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\ssvagent.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\UcMapi.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\ONENOTE.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\PDFREFLOW.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\autoit3\Examples\Helpfile\Extras\MyProg.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\WINWORD.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroBroker.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSOSREC.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\OUTLOOK.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\DCF\Common.DBConnection.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\protocolhandler.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSQRY32.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\wow_helper.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files\Google\Chrome\Application\104.0.5112.81\notification_helper.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\arh.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\SELFCERT.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\WORDICON.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSPUB.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleCrashHandler64.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files\Google\Chrome\Application\chrome.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\jabswitch.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\DCF\DATABASECOMPARE.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleCrashHandler.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\SETLANG.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\autoit3\Aut2Exe\Aut2exe_x64.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\ACCICONS.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\FIRSTRUN.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSACCESS.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\POWERPNT.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\autoit3\Uninstall.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleUpdateCore.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\DCF\Common.ShowHelp.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\SCANPST.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\autoit3\Au3Check.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\jp2launcher.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSOHTMED.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\CLVIEW.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\NAMECONTROLSERVER.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\IEContentService.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\java.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\CNFNOT32.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files\Google\Chrome\Application\104.0.5112.81\Installer\chrmstp.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files\Microsoft Office\Office16\AppSharingHookController64.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\excelcnv.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\GROOVE.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\OcPubMgr.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\java-rmi.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleUpdateBroker.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\unpack200.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\javacpl.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\ONENOTEM.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\msoev.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSOUC.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files\Microsoft Office\Office16\MSOHTMED.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\autoit3\SciTE\SciTE.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\GRAPH.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\EXCEL.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\PPTICO.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\LogTransport2.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\lynchtmlconv.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\javaws.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files\Google\Chrome\Application\104.0.5112.81\elevation_service.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\Eula.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\autoit3\Au3Info.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\autoit3\AutoIt3_x64.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\AppSharingHookController.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\OSPPREARM.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSOSYNC.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\XLICONS.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\DCF\Common.DBConnection64.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files\Microsoft Office\Office16\msoia.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\104.0.5112.81\chrome_installer.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\autoit3\Au3Info_x64.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\Wordconv.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\autoit3\Aut2Exe\Aut2exe.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\DCF\SPREADSHEETCOMPARE.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft analysis services\AS OLEDB\110\SQLDumper.exe |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\VPREVIEW.EXE |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\reader_sl.exe |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\autoit3\Aut2Exe\upx.exe |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleUpdateSetup.exe |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\msotd.exe |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\orbd.exe |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe
Process information set: NOOPENFILEERRORBOX (19 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe
Process information set: NOOPENFILEERRORBOX (19 identical entries)
Source: Amcache.hve.1.dr
Binary or memory string: VMware
Source: Amcache.hve.1.dr
Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.1.dr
Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.1.dr
Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.1.dr
Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: Amcache.hve.1.dr
Binary or memory string: VMware, Inc.
Source: Amcache.hve.1.dr
Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.1.dr
Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.1.dr
Binary or memory string: VMware7,1
Source: Amcache.hve.1.dr
Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.1.dr
Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.1.dr
Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.1.dr
Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.1.dr
Binary or memory string: VMware, Inc.me
Source: Amcache.hve.1.dr
Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.1.dr
Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.1.dr
Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe
Code function: 0_2_0F397330 VirtualAlloc,VirtualAlloc,GetUserNameW,VirtualAlloc,GetComputerNameW,wsprintfW,VirtualAlloc,wsprintfW,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrcmpiW,wsprintfW,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,ExitProcess,wsprintfW,VirtualAlloc,VirtualAlloc,GetWindowsDirectoryW,GetVolumeInformationW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,GetModuleHandleW,GetProcAddress,lstrlenW,VirtualFree,lstrcatW,VirtualAlloc,GetDriveTypeW,lstrcatW,lstrcatW,lstrcatW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,VirtualFree,
0_2_0F397330
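The entries above are raw sandbox behaviour records, and three things a practitioner wants to pull out of them are easy to miss when reading them one line at a time: which process from a user-writable location opened PE files under Program Files for write (here C:\Users\user\AppData\Local\Temp\vSQshX.exe, against Office, Chrome, AutoIt, Java and Adobe binaries), that the dozens of identical WerFault "Process information set" lines (SetErrorMode-style flags) collapse to just two distinct events, and that every VMware string is sourced from Amcache.hve.1.dr, a registry hive dropped from the analysis machine, so it describes the sandbox's hardware rather than anti-VM logic in the sample. The triage helper below is an added example written for this page; it is not part of the report and not any sandbox vendor's tooling. The embedded report excerpt is constructed from the lines above, and the root-path heuristics (PROTECTED_ROOTS, USER_WRITABLE_ROOTS, PE_EXTENSIONS) are assumptions a reader should tune for their own environment.

```python
"""Triage helper for sandbox behaviour dumps laid out as
"Source: <process> |" / "<event kind>: <detail> |" / "Jump to behavior |" lines."""
import re
from collections import Counter, defaultdict

# Constructed excerpt of the report above (a handful of the real entries, same layout).
SAMPLE_REPORT = r"""
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\XLICONS.EXE |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file mapped for write: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe |
System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: Amcache.hve.1.dr |
Binary or memory string: VMware, Inc. |
"""

WRITE_KINDS = {"System file mapped for write", "System file written"}
# Assumed heuristics: where an installer may legitimately write, and where dropped payloads usually run from.
PROTECTED_ROOTS = ("c:\\program files", "c:\\windows")
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\")
PE_EXTENSIONS = (".exe", ".dll", ".sys", ".scr")


def parse_events(text):
    """Yield (source, kind, detail) triples; table pipes and 'Jump to behavior' link residue are dropped."""
    source = None
    for raw in text.splitlines():
        line = re.sub(r"\s*\|\s*$", "", raw).strip()
        if not line or line == "Jump to behavior":
            continue
        if line.startswith("Source: "):
            source = line[len("Source: "):]
            continue
        kind, sep, detail = line.partition(": ")
        if source is not None and sep:
            yield source, kind, detail


def executable_tampering(events):
    """Writers running from a user-writable path that opened PE files under Program Files or
    Windows for write: the shape of a dropped file infector rather than a legitimate installer."""
    hits = defaultdict(list)
    for source, kind, detail in events:
        target = detail.lower()
        if (kind in WRITE_KINDS
                and target.startswith(PROTECTED_ROOTS)
                and target.endswith(PE_EXTENSIONS)
                and source.lower().startswith(USER_WRITABLE_ROOTS)
                and detail not in hits[source]):
            hits[source].append(detail)
    return dict(hits)


def environment_strings(events):
    """'Binary or memory string' hits sourced from a dropped registry hive (*.dr, here Amcache.hve)
    describe the analysis VM's own hardware, not code in the sample; keep them apart from
    sample-originated evidence so they are not read as anti-VM checks."""
    return [(source, detail) for source, kind, detail in events
            if kind == "Binary or memory string" and source.lower().endswith(".dr")]


def repeated_events(events):
    """Collapse identical entries (e.g. the WerFault SetErrorMode lines) into per-event counts."""
    return {event: n for event, n in Counter(events).items() if n > 1}


def summarize(text):
    """Run all three checks over one report dump and return them keyed by check name."""
    events = list(parse_events(text))
    return {
        "executable_tampering": executable_tampering(events),
        "environment_strings": environment_strings(events),
        "repeated_events": repeated_events(events),
    }


if __name__ == "__main__":
    for section, value in summarize(SAMPLE_REPORT).items():
        print(section, value)
```

Feed it the full dump instead of SAMPLE_REPORT and the executable_tampering map lists every PE vSQshX.exe touched under Program Files, which doubles as the list of binaries to re-hash or signature-check on any host where the sample ran.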