| Source: classification engine |
Classification label: clean1.win@4/0@0/0 |
| Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4176:120:WilError_03 |
| Source: C:\Windows\SysWOW64\wscript.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
| Source: unknown |
Process created: C:\Windows\SysWOW64\cmd.exe cmd /C ""C:\Windows\system32\wscript.exe" //e:VBScript dekstop.ini "Microsoft"" |
|
| Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
| Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\system32\wscript.exe" //e:VBScript dekstop.ini "Microsoft" |
|
| Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\system32\wscript.exe" //e:VBScript dekstop.ini "Microsoft" |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: version.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: sxs.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: vbscript.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: amsi.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: userenv.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: profapi.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: textshaping.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: textinputframework.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: coreuicomponents.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: coremessaging.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: ntmarta.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: coremessaging.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: wintypes.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: wintypes.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: wintypes.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wscript.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wscript.exe |
Window found: window name: WSH-Timer |
Jump to behavior |
| Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
| Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
| Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\system32\wscript.exe" //e:VBScript dekstop.ini "Microsoft" |
Jump to behavior |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet