Edit tour

Windows Analysis Report
JR2xwuR1Zc.msi

Overview

General Information

Sample name:	JR2xwuR1Zc.msi renamed because original name is a hash value
Original sample name:	02d2fad62243855f97f71396e6f9e868b9fd58fc.msi
Analysis ID:	1551467
MD5:	1971ac3b27b03ec10123694019a2b2db
SHA1:	02d2fad62243855f97f71396e6f9e868b9fd58fc
SHA256:	a59d8dd20da457473a30a69c890a3689d0bfe8de3f2fd6cdf2007143e71cee32
Tags:	msiuser-NDA0E
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

.NET source code contains potential unpacker

AI detected suspicious sample

Found API chain indicative of debugger detection

Machine Learning detection for dropped file

Reads the Security eventlog

Reads the System eventlog

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for available system drives (often done to infect USB drives)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: PSScriptPolicyTest Creation By Uncommon Process

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 1596 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\JR2xwuR1Zc.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7132 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 6308 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 7CA20F3CA1CD12A009BAB9C2F5093193 MD5: 9D09DC1EDA745A5F87553048E57620CF)

SpecterXInstaller.exe (PID: 1220 cmdline: "C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe" MD5: 5B1E82809D1A6912D6079420ADA3755F)

conhost.exe (PID: 2748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SetDefault.exe (PID: 4892 cmdline: "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .vssx SpecterXHandler.vsdx MD5: D3164DF7E7B1C2F7C61A04210902F642)

conhost.exe (PID: 2064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SetDefault.exe (PID: 7244 cmdline: "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .xls SpecterXHandler.xlsx MD5: D3164DF7E7B1C2F7C61A04210902F642)

conhost.exe (PID: 7260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SetDefault.exe (PID: 7304 cmdline: "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .xlsx SpecterXHandler.xlsx MD5: D3164DF7E7B1C2F7C61A04210902F642)

conhost.exe (PID: 7312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SetDefault.exe (PID: 7388 cmdline: "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .vstm SpecterXHandler.vsdx MD5: D3164DF7E7B1C2F7C61A04210902F642)

conhost.exe (PID: 7396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SetDefault.exe (PID: 7448 cmdline: "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .vstx SpecterXHandler.vsdx MD5: D3164DF7E7B1C2F7C61A04210902F642)

conhost.exe (PID: 7456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SetDefault.exe (PID: 7492 cmdline: "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .vsdx SpecterXHandler.vsdx MD5: D3164DF7E7B1C2F7C61A04210902F642)

conhost.exe (PID: 7500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SetDefault.exe (PID: 7616 cmdline: "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .vssm SpecterXHandler.vsdx MD5: D3164DF7E7B1C2F7C61A04210902F642)

conhost.exe (PID: 7624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SetDefault.exe (PID: 7704 cmdline: "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .doc SpecterXHandler.docx MD5: D3164DF7E7B1C2F7C61A04210902F642)

conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SetDefault.exe (PID: 7800 cmdline: "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .pptx SpecterXHandler.pptx MD5: D3164DF7E7B1C2F7C61A04210902F642)

conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SetDefault.exe (PID: 7860 cmdline: "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .docx SpecterXHandler.docx MD5: D3164DF7E7B1C2F7C61A04210902F642)

conhost.exe (PID: 7872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SetDefault.exe (PID: 7932 cmdline: "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .ppt SpecterXHandler.pptx MD5: D3164DF7E7B1C2F7C61A04210902F642)

conhost.exe (PID: 7940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SetDefault.exe (PID: 7988 cmdline: "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .vsdm SpecterXHandler.vsdx MD5: D3164DF7E7B1C2F7C61A04210902F642)

conhost.exe (PID: 7996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Sigma Signatures

Sigma detected: PSScriptPolicyTest Creation By Uncommon Process

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe, ProcessId: 1220, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hpg5mjpn.mly.ps1

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T18:52:35.515552+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.6	49736	TCP
2024-11-07T18:53:14.406325+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.6	49945	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\SpecterX\SpecterXFileHandler-Interactive.exe	ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXFileHandler.exe	ReversingLabs: Detection: 32%
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXUninstaller.exe	ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Source: JR2xwuR1Zc.msi

ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 92.1% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXFileHandler-Interactive.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXFileHandler.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXUninstaller.exe	Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SpecterXInstaller.exe.log

Jump to behavior

Source:

Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: JR2xwuR1Zc.msi, 706488.msi.2.dr, MSI68A0.tmp.2.dr, MSI6754.tmp.2.dr, 706485.msi.2.dr, MSI6851.tmp.2.dr, MSI6811.tmp.2.dr, MSI67C2.tmp.2.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.6:49736
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.6:49945

Source: SetDefault.exe.2.dr	String found in binary or memory: http://kolbi.cz
Source: SpecterXInstaller.exe, 00000004.00000002.2374899157.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior

Reads the System eventlog

Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\706485.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6754.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI67C2.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6811.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6851.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI68A0.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{9E710E79-8D32-42A7-AA5F-53972FD29A8B}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI68FF.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\706488.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\706488.msi	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI6754.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Code function: 4_2_00007FFD340B09B8	4_2_00007FFD340B09B8
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Code function: 4_2_00007FFD340B77FB	4_2_00007FFD340B77FB
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Code function: 4_2_00007FFD340B3C2F	4_2_00007FFD340B3C2F
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Code function: 6_2_004026A0	6_2_004026A0
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Code function: 6_2_00402140	6_2_00402140
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Code function: 6_2_00401FC0	6_2_00401FC0
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Code function: 6_2_00401780	6_2_00401780

Source: Joe Sandbox View

Dropped File: C:\Windows\Installer\MSI6754.tmp D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F

Source: JR2xwuR1Zc.msi

Binary or memory string: OriginalFilenameAICustAct.dllF vs JR2xwuR1Zc.msi

Source: classification engine

Classification label: mal80.evad.winMSI@43/36@0/0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CML6967.tmp

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2748:120:WilError_03
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2064:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7260:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7396:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7500:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7456:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7996:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7940:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7872:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7312:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF5959062543879A75.TMP

Jump to behavior

Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: JR2xwuR1Zc.msi

ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\JR2xwuR1Zc.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7CA20F3CA1CD12A009BAB9C2F5093193
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe "C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe"
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .vssx SpecterXHandler.vsdx
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .xls SpecterXHandler.xlsx
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .xlsx SpecterXHandler.xlsx
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .vstm SpecterXHandler.vsdx
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .vstx SpecterXHandler.vsdx
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .vsdx SpecterXHandler.vsdx
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .vssm SpecterXHandler.vsdx
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .doc SpecterXHandler.docx
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .pptx SpecterXHandler.pptx
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .docx SpecterXHandler.docx
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .ppt SpecterXHandler.pptx
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .vsdm SpecterXHandler.vsdx
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7CA20F3CA1CD12A009BAB9C2F5093193	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe "C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .vssx SpecterXHandler.vsdx	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .xls SpecterXHandler.xlsx	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .xlsx SpecterXHandler.xlsx	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .vstm SpecterXHandler.vsdx	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .vstx SpecterXHandler.vsdx	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .vsdx SpecterXHandler.vsdx	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .vssm SpecterXHandler.vsdx	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .doc SpecterXHandler.docx	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .pptx SpecterXHandler.pptx	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .docx SpecterXHandler.docx	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .ppt SpecterXHandler.pptx	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .vsdm SpecterXHandler.vsdx	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Section loaded: uxtheme.dll

Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: JR2xwuR1Zc.msi

Static file information: File size 1673216 > 1048576

Source:

Data Obfuscation

.NET source code contains potential unpacker

Source: SpecterXFileHandler.exe.2.dr, MainModuleUI.cs	.Net Code: Prompt
Source: SpecterXFileHandler-Interactive.exe.2.dr, MainModuleUI.cs	.Net Code: Prompt
Source: SpecterXInstaller.exe.2.dr, MainModuleUI.cs	.Net Code: Prompt
Source: SpecterXUninstaller.exe.2.dr, MainModuleUI.cs	.Net Code: Prompt

Source: MSI6754.tmp.2.dr	Static PE information: section name: .fptable
Source: MSI67C2.tmp.2.dr	Static PE information: section name: .fptable
Source: MSI6811.tmp.2.dr	Static PE information: section name: .fptable
Source: MSI6851.tmp.2.dr	Static PE information: section name: .fptable
Source: MSI68A0.tmp.2.dr	Static PE information: section name: .fptable

Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe

Code function: 4_2_00007FFD340B7F57 push ebx; ret

4_2_00007FFD340B816A

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6811.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\SpecterX\SpecterXFileHandler.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\SpecterX\SpecterXFileHandler-Interactive.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6851.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6754.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\SpecterX\SpecterXUninstaller.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI68A0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI67C2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6811.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6851.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6754.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI68A0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI67C2.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SpecterXInstaller.exe.log

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Memory allocated: 10D0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Memory allocated: 1AE20000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Window / User API: threadDelayed 3328			Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Window / User API: threadDelayed 1351			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6811.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\SpecterX\SpecterXFileHandler.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\SpecterX\SpecterXFileHandler-Interactive.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6851.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6754.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\SpecterX\SpecterXUninstaller.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI68A0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI67C2.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_6-1328

Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe TID: 6504	Thread sleep time: -12912720851596678s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe TID: 2536	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_6-1245

Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Code function: 6_2_00401179 Sleep,Sleep,SetUnhandledExceptionFilter,_acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,GetStartupInfoA,_initterm,exit,	6_2_00401179
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Code function: 6_2_00403BDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	6_2_00403BDC
Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	Code function: 6_2_00403BE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	6_2_00403BE0

Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .vssx SpecterXHandler.vsdx	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .xls SpecterXHandler.xlsx	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .xlsx SpecterXHandler.xlsx	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .vstm SpecterXHandler.vsdx	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .vstx SpecterXHandler.vsdx	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .vsdx SpecterXHandler.vsdx	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .vssm SpecterXHandler.vsdx	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .doc SpecterXHandler.docx	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .pptx SpecterXHandler.pptx	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .docx SpecterXHandler.docx	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .ppt SpecterXHandler.pptx	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Process created: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe "C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .vsdm SpecterXHandler.vsdx	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Queries volume information: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe

Code function: 6_2_00403B30 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

6_2_00403B30

Source: C:\Users\user\AppData\Local\SpecterX\SetDefault.exe

Code function: 6_2_0040158C GetCurrentProcessId,OpenProcess,OpenProcessToken,malloc,LookupAccountNameA,CheckTokenMembership,

6_2_0040158C

Source: C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Native API	1 DLL Side-Loading	11 Process Injection	21 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	131 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	11 Peripheral Device Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 Account Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 File and Directory Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	14 System Information Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
JR2xwuR1Zc.msi	18%	ReversingLabs	Binary.Trojan.Generic

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\SpecterX\SpecterXFileHandler-Interactive.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\SpecterX\SpecterXFileHandler.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\SpecterX\SpecterXUninstaller.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\SpecterX\SetDefault.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\SpecterX\SpecterXFileHandler-Interactive.exe	33%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\SpecterX\SpecterXFileHandler.exe	32%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe	3%	ReversingLabs
C:\Users\user\AppData\Local\SpecterX\SpecterXUninstaller.exe	26%	ReversingLabs	Win32.Trojan.Generic
C:\Windows\Installer\MSI6754.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI67C2.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI6811.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI6851.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI68A0.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://kolbi.cz	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://kolbi.cz	SetDefault.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SpecterXInstaller.exe, 00000004.00000002.2374899157.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1551467
Start date and time:	2024-11-07 18:51:21 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	JR2xwuR1Zc.msi renamed because original name is a hash value
Original Sample Name:	02d2fad62243855f97f71396e6f9e868b9fd58fc.msi
Detection:	MAL
Classification:	mal80.evad.winMSI@43/36@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 14 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: JR2xwuR1Zc.msi

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\Installer\MSI6754.tmp	rs8dpaIe6D.msi	Get hash	malicious	UltraVNC	Browse
	Bill Details.exe	Get hash	malicious	UltraVNC	Browse
	Bill Details.exe	Get hash	malicious	UltraVNC	Browse

Created / dropped Files

C:\Config.Msi\706487.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	10638
Entropy (8bit):	5.688952590407742
Encrypted:	false
SSDEEP:	192:9D9mAC5aWeqhgcZaLj2IeaLj2UN/petz0lsNKw8py2obfdJQqam:9DrCIOghLjfLj5N/gtz0lsNKo2obfdmm
MD5:	4281D90FFE52901D990844430FE22C75
SHA1:	360DFB2C6CC517F777C1863EFDD5DABECC4130B7
SHA-256:	A302EE0358D83BD918AC4D52C1B11EDD71FC4CFB5F3CE13E1DFCD4959856988E
SHA-512:	02837377E78AC086A8A5252D0798DA9365E935E2D7E2B68DCDD476D398617C86F641D3657E1490893C352C84E2E9A41D502D91DF4704A4CAA7C5AAEE76EAEF81
Malicious:	false
Preview:	...@IXOS.@.....@.fgY.@.....@.....@.....@.....@.....@......&.{9E710E79-8D32-42A7-AA5F-53972FD29A8B}..SpecterX File Handler..JR2xwuR1Zc.msi.@.....@.....@.....@......SpecterX.exe..&.{F1243E8D-F939-40FE-AC0C-8FE3980DB245}.....@.....@.....@.....@.......@.....@.....@.......@......SpecterX File Handler......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{B0903070-F743-42E5-BD74-588E7BD3F60D}&.{9E710E79-8D32-42A7-AA5F-53972FD29A8B}.@......&.{B30D818C-F60A-4733-BE50-133D7F0105C3}&.{9E710E79-8D32-42A7-AA5F-53972FD29A8B}.@......&.{74B63B73-76F2-4FD4-8FA8-05C21A4EDFDE}&.{9E710E79-8D32-42A7-AA5F-53972FD29A8B}.@......&.{5FFFA3D1-72B5-4DFD-A89F-4219284CB17B}&.{9E710E79-8D32-42A7-AA5F-53972FD29A8B}.@......&.{2239D04D-78CC-4F5A-B889-B500291C7B48}&.{9E710E79-8D32-42A7-AA5F-53972FD29A8B}.@......&.{5FC0E55F-6EC1-4A17-8CEC-95E1CBD78CD2}&.{9E710E79-8D32-42A7-AA5F-53972FD29A8B}.@......&.{7BC7158E-06E9-436D-BC42-8152

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SpecterXInstaller.exe.log

Download File

Process:	C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	3941
Entropy (8bit):	5.356553387329319
Encrypted:	false
SSDEEP:	96:iqbYqGSI6ozajtIzQ0cxYsAmSvBjwQYrKxmDRtzHeqKkCq10tpDuqDqG:iqbYqGcRIzQ0JyZtzHeqKkCq10tpDuq7
MD5:	AA9118DA86993A2DCD77BDD1FD358EF2
SHA1:	FEFFBA2362857A2E31500B0F423E7B3A2BC359F0
SHA-256:	721694289211AFA66B607012BF3FEFEFB260CB0074E345B4030786F36F536BD8
SHA-512:	82681D8B4AACAC926CA822EA97AA532632A925458DC75736823F45C478950674AA99A386FD23650787D05DE70C4A13BB53BF652266F966E1B8616F7FE5C3C9CA
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\27947b366dfb4feddb2be787d72ca90d\System.Management.Automation.ni.dll",0..3,"Microsoft.PowerShell.Commands.Diagnostics, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P1706cafe#\37a5ed6e6a6a48d370ee34b13c3e2b37\Microsoft.PowerShell.Commands.Diagnostics.ni.dll",0..3,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral

C:\Users\user\AppData\Local\SpecterX\SetDefault.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	60928
Entropy (8bit):	5.349516827795727
Encrypted:	false
SSDEEP:	768:majGavNHz6SkeWWHzkt7E4BIyryrqXXS2MgTd0ItBa:mFaJz6OWWHzSw4TyrGMgva
MD5:	D3164DF7E7B1C2F7C61A04210902F642
SHA1:	2486D0AA13616F8A17736398C0172163A09D789B
SHA-256:	791DC39F7BD059226364BB05CF5F8E1DD7CCFDAA33A1574F9DC821B2620991C2
SHA-512:	45C68CC0B881A6CC02790004E6CAB47FB09CEC57CBA7A52041857EEF968790D69427AD5A67B7E80D3C4FCB51B0F6997DE2187A98587B0A4155D4FE7B2E2B003A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................<...................P....@..........................@......]J........ .........................................0...........................................................................................................text...T:.......<..................`.P`.data...0....P.......@..............@.0..rdata.......`.......B..............@.`@.bss.........p........................`..idata...............R..............@.0..CRT....4............^..............@.0..tls.... ............`..............@.0..rsrc...0............b..............@.0.................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\SpecterX\SpecterX.ico

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 1 icon, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel
Category:	dropped
Size (bytes):	7894
Entropy (8bit):	7.9310342174356
Encrypted:	false
SSDEEP:	192:A0pd92jpNe4/jVdgZRD6dm7FwQsZojMAkZDe9u5gcW8jd:7Ge4ZM6oiZojkZ8GgcW8jd
MD5:	7B88FD38BB262A349E07D2913F3B4A29
SHA1:	26E8573821120397278B95F291F3C8240724B149
SHA-256:	869AEAC9DC34B00F7368CC7A4BB93AFC4110BE0DD2073D636E32B748D9A450C4
SHA-512:	03FC5896880AC4C8931EA7FC9F92A5CC6B427E3F1F3D2CE505E3E5B01AC09CA1E2D269715FF1A921D957F110A0C33403717ABDB3C690DB5EB9AD6E343D62BE50
Malicious:	false
Preview:	............ ..........PNG........IHDR.............\r.f....orNT..w....zIDATx....T..._.. K..{.{z.f..a..7...a.T.1...../.'..$...!......5.1HL0...1.`P ..%.2{...".,.o.....:9........[uK.c.a40.......bJ.2.).4..@....d...)......@.el..3.p{.._b..7jj.I ..B........$/.....5...............M....1....p.P./^....AL..g......HJO.?..a.0.R`...../..a.0.R.f.)^..ehU...&....K..@Tx._....`... ....g....x..........UN....t....J~...T...~..t......Q]...Y......,.6.]..o.?..X..U..z.Wc.9.B6.L...%..nZd./.?.r....GP..ry6.........#.{U.....%a.l...P......K.Y..;,\|v..e.M.K.tX..F.o....P.R............C....C..p..V....o.vHA.o....>..-z.2.J$K.....s.'...^.#2.O.^.2..K.z...p..<...mIa....r(..(\.\.....2...R..P....%3.6 .N.....]...s..Y.Y(.l)0.......>..../c]E.j.@.4.D..%;...`UU...$.l..Te...P8..>qx...? ..Ke....M..u(..`..K\|\...=.#.....$.....f..Cn.?...v.UM.....\...<%?4..,k\o....`..u..I.o..#...J.............^..u._VVc..e^.p..nS.5c.......uE....Z.9...C..{.M._.....WXcg....`d......G......~p.e..SW.v.{..U.M.o..

C:\Users\user\AppData\Local\SpecterX\SpecterXFileHandler-Interactive.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	48128
Entropy (8bit):	6.383136600270201
Encrypted:	false
SSDEEP:	768:GmQZqx1lYcJHNP1dvvqgZx4VrwXTe+POyXbOfq1tk6BJNGe4+6o0ojHhc:G0lYqv/n4VM9tbOV6BJI7J
MD5:	C0717B4A5B1CA150037D5B389F20F0FC
SHA1:	5AA35833E9C7FDBEAFF22DC05C1D11E3110A9CE4
SHA-256:	3E016DB7937B13728D68076C57E0F2B9091D14B2A2A39DABEA1427F09249F4B4
SHA-512:	A277A048AD4F7D84F582FBF7655A2FD0BEDA6565149CB2F9DE49A2A6504A17026FFA15E72A45BF4BFDA18E19EA9A8AB8BA2391E68D00CFFB7018C7910D6F2EF4
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 33%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....$g.....................(.......... ........@.. ....................... ............@.....................................S........$........................................................................... ............... ..H............text........ ...................... ..`.rsrc....$.......&..................@..@.reloc..............................@..B.......................H.......Hc..PM......x....L...............................................0..........r...p ....s...... ....s..............(....-....}.....(....-....}.......(...+}............_.3... ....`....._.3... ....`.....~...... ..... ........(........-0s.........o....}!......o....}".....r...p}#........(......~....}!....~....}"....~....}#....(......{$..."..}$....x.2s....."..s............0..S........{'...,..{'...o......}'....s....}'....{'...#........o.....{'....o.....{'....o..

C:\Users\user\AppData\Local\SpecterX\SpecterXFileHandler.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	47104
Entropy (8bit):	6.378331988707984
Encrypted:	false
SSDEEP:	768:SmQZqx1lYcJHNP1d3fbVi1UOB7iYXbOfq1skBXTxEGe4+6o0ojHhc:S0lYufBG79bOaBXTxN7J
MD5:	AFA5F95409CFC2F6781EFFE5FA412BBC
SHA1:	CB1FB79843474D1323F93EC086DD8798BF41F400
SHA-256:	EF9EC902EC5365CBBE13153ED80619BD2B2A48498FC38646E6E5EB705F415754
SHA-512:	69323C1759DA93F546AC8CE521A5D0E9194D1AD617C92A22D5988370D3CC2392643EC7CF3BFA3160EC19C9F767BB10803A9989102384519BE82244E6AA559773
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 32%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....$g.....................(.......... ........@.. ....................... ............@.....................................O.......p$........................................................................... ............... ..H............text....... ...................... ..`.rsrc...p$.......&..................@..@.reloc..............................@..B.......................H.......t_..(M......x....L...............................................0..........r...p ....s...... ....s..............(....-....}.....(....-....}.......(...+}............_.3... ....`....._.3... ....`.....~...... ..... ........(........-0s.........o....}!......o....}".....r...p}#........(......~....}!....~....}"....~....}#....(......{$..."..}$....x.2s....."..s............0..S........{'...,..{'...o......}'....s....}'....{'...#........o.....{'....o.....{'....o..

C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	6.465348160012466
Encrypted:	false
SSDEEP:	768:XEHCM/PpXgpn42xA6DoEM41v1gbVkhgm3HrQuEGe4+6o0ojHhc:XEH13VgpntncOhX37N7J
MD5:	5B1E82809D1A6912D6079420ADA3755F
SHA1:	0FA2E73DE1E8FFA7FC99F9A833BD42C00D9A1BCE
SHA-256:	66E957B0A19C63CD1627FB2F42C34DEE2D0D183FE85C9E3E5B1856450BE5FF9C
SHA-512:	6D13F9717FD0739F2EF4A9A427AE48DA8F389D25C1100DDFECD8A10DF0169A3A4B7C1D2EFFEF43E892F6607812925505D505CC2CB9205C65048AE2C4A6413EC0
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....$g.................l...(........... ........@.. ....................................@.................................H...S.......h$........................................................................... ............... ..H............text....k... ...l.................. ..`.rsrc...h$.......&...n..............@..@.reloc..............................@..B........................H........N..\<......c....<..\............................................(......(.....("...,..x.2s....(....(....s....f..(....(......(....(....B(....(....s....f..(....(......(....(.....(......(....b(!...-.+..(....&( ...-..(!.....(".......0............(.......(#.....($...Y.X..(%.....(&...Y.Xs'................(%.....(&...Y.Xh}........(#.....($...Y.Xh}..................}.......}...................(&...h}........($...h}........(%...h}........(#...h}..............(....&

C:\Users\user\AppData\Local\SpecterX\SpecterXUninstaller.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	6.371960098584682
Encrypted:	false
SSDEEP:	768:pmQZqx1lYcJHNP1dqf9LwojcGVv+UOB7i5XbOfq1LkiqxTGe4+6o0ojHhc:p0lYvfJwojcGVvo7EbOLiqxi7J
MD5:	17406A18099ED55F42E0D4F59BB704D7
SHA1:	82055B51D9DB2B6EC1D9A142B16C5E7CDBB241A5
SHA-256:	3276A880B0499CE0D5B90F09AC7918C7A57E826C9AA0BBE5523E2310BEF3A941
SHA-512:	B7BF804F60CF01A1FCA8A6A2B12B1AF61FB9B6AB15C82B307ECDF4244DAE69EBA414821A17FC333324E29012EFD13C477E68170B9780F577927784FECE881920
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 26%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....$g.....................(........... ........@.. ....................... ............@....................................S.......p$........................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...p$.......&..................@..@.reloc..............................@..B........................H........\...L......x....L..;............................................0..........r...p ....s...... ....s..............(....-....}.....(....-....}.......(...+}............_.3... ....`....._.3... ....`.....~...... ..... ........(........-0s.........o....}!......o....}".....r...p}#........(......~....}!....~....}"....~....}#....(......{$..."..}$....x.2s....."..s............0..S........{'...,..{'...o......}'....s....}'....{'...#........o.....{'....o.....{'....o..

C:\Users\user\AppData\Local\SpecterX\config.xml

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	166
Entropy (8bit):	4.949113137896379
Encrypted:	false
SSDEEP:	3:vFWWMNHU8LdgCzMvH42WEpAQ9bu0SAQ9bovOWEvJAASMLCLBJIkKUJI8db:TMVBdTMasAQA0SAQIrqjeLBGk/uGb
MD5:	A0055D74017769DF6B6C944BCA77B13E
SHA1:	77BEECDFB527800AB723FE360861AF43B8E982A6
SHA-256:	CC91B2E733BEE6379036E7CDB9980DCA76DB667F92C8787FC82C1C80430F66FE
SHA-512:	5CA0A1EF938089FEC925D02CA2EAD714910788F7183D42A966FD34B2FA54DA53E499306BC497B2A30D6E0AFAA72B52197ECB6821144B7385EED290F294CE3E20
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8" ?>..<config>.. <MiragePathName>spx</MiragePathName>.. <MirageViewerPrefix>spx-viewing.d8200.mil</MirageViewerPrefix>..</config>

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_adylwiy0.ylc.psm1

Download File

Process:	C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hpg5mjpn.mly.ps1

Download File

Process:	C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Installer\{9E710E79-8D32-42A7-AA5F-53972FD29A8B}\SpecterX.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 1 icon, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel
Category:	dropped
Size (bytes):	7894
Entropy (8bit):	7.9310342174356
Encrypted:	false
SSDEEP:	192:A0pd92jpNe4/jVdgZRD6dm7FwQsZojMAkZDe9u5gcW8jd:7Ge4ZM6oiZojkZ8GgcW8jd
MD5:	7B88FD38BB262A349E07D2913F3B4A29
SHA1:	26E8573821120397278B95F291F3C8240724B149
SHA-256:	869AEAC9DC34B00F7368CC7A4BB93AFC4110BE0DD2073D636E32B748D9A450C4
SHA-512:	03FC5896880AC4C8931EA7FC9F92A5CC6B427E3F1F3D2CE505E3E5B01AC09CA1E2D269715FF1A921D957F110A0C33403717ABDB3C690DB5EB9AD6E343D62BE50
Malicious:	false
Preview:	............ ..........PNG........IHDR.............\r.f....orNT..w....zIDATx....T..._.. K..{.{z.f..a..7...a.T.1...../.'..$...!......5.1HL0...1.`P ..%.2{...".,.o.....:9........[uK.c.a40.......bJ.2.).4..@....d...)......@.el..3.p{.._b..7jj.I ..B........$/.....5...............M....1....p.P./^....AL..g......HJO.?..a.0.R`...../..a.0.R.f.)^..ehU...&....K..@Tx._....`... ....g....x..........UN....t....J~...T...~..t......Q]...Y......,.6.]..o.?..X..U..z.Wc.9.B6.L...%..nZd./.?.r....GP..ry6.........#.{U.....%a.l...P......K.Y..;,\|v..e.M.K.tX..F.o....P.R............C....C..p..V....o.vHA.o....>..-z.2.J$K.....s.'...^.#2.O.^.2..K.z...p..<...mIa....r(..(\.\.....2...R..P....%3.6 .N.....]...s..Y.Y(.l)0.......>..../c]E.j.@.4.D..%;...`UU...$.l..Te...P8..>qx...? ..Ke....M..u(..`..K\|\...=.#.....$.....f..Cn.?...v.UM.....\...<%?4..,k\o....`..u..I.o..#...J.............^..u._VVc..e^.p..nS.5c.......uE....Z.9...C..{.M._.....WXcg....`d......G......~p.e..SW.v.{..U.M.o..

C:\Windows\Installer\706485.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {F1243E8D-F939-40FE-AC0C-8FE3980DB245}, Number of Words: 10, Subject: SpecterX File Handler, Author: SpecterX LTD, Name of Creating Application: SpecterX File Handler (Evaluation Installer), Template: ;1033, Comments: This installer database contains the logic and data required to install SpecterX File Handler. (Evaluation Installer), Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Nov 1 00:27:47 2024, Last Saved Time/Date: Fri Nov 1 00:27:47 2024, Last Printed: Fri Nov 1 00:27:47 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	1673216
Entropy (8bit):	6.7790440848
Encrypted:	false
SSDEEP:	24576:7eyxFN+sbcNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwudeo:7eIgNkyRmopy4duG/8Wea/xwu
MD5:	1971AC3B27B03EC10123694019A2B2DB
SHA1:	02D2FAD62243855F97F71396E6F9E868B9FD58FC
SHA-256:	A59D8DD20DA457473A30A69C890A3689D0BFE8DE3F2FD6CDF2007143E71CEE32
SHA-512:	CDDB91F1EEB56CF9C07BA5EA5637C731A1827C9DC1BDEC1FFE7603C7DE54DE50A08C3A9A4B996A52C03F3D002C96AC03AD426A89BC9E88A84933D8EC196C54DE
Malicious:	false
Preview:	......................>.......................................................E.......b.......n...........................................................................................................................................................................................................................................................................................................................................................................................................................................................#...5........................................................................................... ...!..."...-...2...%...&...'...(...)...*...+...,.........../...0...1...6...3...4...=...?...7...8...9...:...;...<.......>.......@...A...B...C...D...........G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\706488.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {F1243E8D-F939-40FE-AC0C-8FE3980DB245}, Number of Words: 10, Subject: SpecterX File Handler, Author: SpecterX LTD, Name of Creating Application: SpecterX File Handler (Evaluation Installer), Template: ;1033, Comments: This installer database contains the logic and data required to install SpecterX File Handler. (Evaluation Installer), Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Nov 1 00:27:47 2024, Last Saved Time/Date: Fri Nov 1 00:27:47 2024, Last Printed: Fri Nov 1 00:27:47 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	1673216
Entropy (8bit):	6.7790440848
Encrypted:	false
SSDEEP:	24576:7eyxFN+sbcNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwudeo:7eIgNkyRmopy4duG/8Wea/xwu
MD5:	1971AC3B27B03EC10123694019A2B2DB
SHA1:	02D2FAD62243855F97F71396E6F9E868B9FD58FC
SHA-256:	A59D8DD20DA457473A30A69C890A3689D0BFE8DE3F2FD6CDF2007143E71CEE32
SHA-512:	CDDB91F1EEB56CF9C07BA5EA5637C731A1827C9DC1BDEC1FFE7603C7DE54DE50A08C3A9A4B996A52C03F3D002C96AC03AD426A89BC9E88A84933D8EC196C54DE
Malicious:	false
Preview:	......................>.......................................................E.......b.......n...........................................................................................................................................................................................................................................................................................................................................................................................................................................................#...5........................................................................................... ...!..."...-...2...%...&...'...(...)...*...+...,.........../...0...1...6...3...4...=...?...7...8...9...:...;...<.......>.......@...A...B...C...D...........G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI6754.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: rs8dpaIe6D.msi, Detection: malicious, Browse Filename: Bill Details.exe, Detection: malicious, Browse Filename: Bill Details.exe, Detection: malicious, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI67C2.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI6811.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI6851.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI68A0.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI68FF.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	12168
Entropy (8bit):	7.575415852278869
Encrypted:	false
SSDEEP:	192:sD9m+lK6p858/g6FPfsKMZR10pd92jpNe4/jVdgZRD6dm7FwQsZojMAkZDe9u5gy:sDjVp5/dPfsKMZReGe4ZM6oiZojkZ8G1
MD5:	2376992FAE26A52CAD53644967A82044
SHA1:	484533A34E395A439B80FDDB7CC6BD1FBC91962F
SHA-256:	BDEEC81232F875EDE0025C8D71ED8A6C627C29EE441C1505552F86A1CE4023F3
SHA-512:	9608FBB7E1AF67DEF33F73F76ED1E1BA3A2E8848D75A3216D9DF62ACE1C80DD4CEFF614813457712B5116592F2C4C32383AD7BF71F1E79366F29D89D1CFEC41D
Malicious:	false
Preview:	...@IXOS.@.....@.fgY.@.....@.....@.....@.....@.....@......&.{9E710E79-8D32-42A7-AA5F-53972FD29A8B}..SpecterX File Handler..JR2xwuR1Zc.msi.@.....@.....@.....@......SpecterX.exe..&.{F1243E8D-F939-40FE-AC0C-8FE3980DB245}.....@.....@.....@.....@.......@.....@.....@.......@......SpecterX File Handler......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{B0903070-F743-42E5-BD74-588E7BD3F60D}).C:\Users\user\AppData\Local\SpecterX\.@.......@.....@.....@......&.{B30D818C-F60A-4733-BE50-133D7F0105C3}7.01:\Software\SpecterX LTD\SpecterX File Handler\Version.@.......@.....@.....@......&.{74B63B73-76F2-4FD4-8FA8-05C21A4EDFDE}3.C:\Users\user\AppData\Local\SpecterX\config.xml.@.......@.....@.....@......&.{5FFFA3D1-72B5-4DFD-A89F-4219284CB17B}7.C:\Users\user\AppData\Local\SpecterX\SetDefault.exe.@.......@.....@.....@......&.{2239D04D-78CC-4F5A-B889-B500291C7B48}@

C:\Windows\Installer\SourceHash{9E710E79-8D32-42A7-AA5F-53972FD29A8B}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1641235125182
Encrypted:	false
SSDEEP:	12:JSbX72Fj+AGiLIlHVRpZh/7777777777777777777777777vDHFm8ow8uxKit/lN:JwQI5tk8RxbiF
MD5:	A21EA4D7877BDB9C70C0C7350D17A567
SHA1:	B786E43766E444E53F85DA8479590103037C5754
SHA-256:	1E68D7F2315A4BC75BE1971A2D4BD7A395229CE45C7E5F8A6F2F139F6F4D1FFC
SHA-512:	7EEBCC2A447383ECAE71A269F8E2E6F4696BFDAD9CBABACAA8A72A591827D8158809AFAE738AE615DE6273A4292DD67329C4FA8B2411F8D5E95C070FA131D99F
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.526686641342737
Encrypted:	false
SSDEEP:	48:p8PhwuRc06WXJSFT5OV6b72y3SyyZAEbCyAUKy3SyytT9j6B:khw1JFTfD3EawCNu3En6
MD5:	B16323753C611BE676E09C94395A62E0
SHA1:	3055A2CD3A2166013C58848CFA3F45EA47E5BFBA
SHA-256:	C72737547CD31EA000B3971430F865BFB59D57BB4E8D3354BC74F5CECE094B74
SHA-512:	1605AE66BC84E46C5E62318180ED44F75B39C5FD5CD59DD3D2A9BEC2421C286A60F791F1DDB4080A25DA9A7A83C4A3DD1689B901F17D4F7EFDF10528F30597B6
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	360001
Entropy (8bit):	5.362991500026604
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauB:zTtbmkExhMJCIpEI
MD5:	6A07057021E5C4AF34085344A122AC02
SHA1:	6EA7FF4CF99B96DB9E53F05E7284F99836F24989
SHA-256:	38ED1405562E3528B5CBBBFD9A7F0B8104514D2D40117C40B8E42CEAFEAFA41B
SHA-512:	9E4FCB49DC80FFCB69872C2BB8381FE4A617EB6E601D7FA60A4178B2E946F43DB86BA8CCBFE65AD13C64ADAE6939CFF88FF225F943147DFCC32CD8E2EEDBA695
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF17DC2178A4B013A1.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF19428732D2B4C6EE.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF2751A7C03E38024A.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2261825491030829
Encrypted:	false
SSDEEP:	48:Tb4uLO+CFXJjT50V6b72y3SyyZAEbCyAUKy3SyytT9j6B:X4v7TlD3EawCNu3En6
MD5:	484269F4CF3A5C89B9473842CD05D3AD
SHA1:	454E816FD2056C3A5F6E464C7C702094EEA79520
SHA-256:	5DFD728FD398C2A601479F5C83CFB4E61204BFCD65A27E2BDB19FFDDD0EB882D
SHA-512:	FD9342C330E550FD28AF15C9ABBD0C2393C3D08303730A17BD62C54A47D9658F894AA8273B3E7B031118FD4FC7C3A7A8111A24E74236554438BD85AD243F6A4D
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF54B23C9708FC3BF1.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.526686641342737
Encrypted:	false
SSDEEP:	48:p8PhwuRc06WXJSFT5OV6b72y3SyyZAEbCyAUKy3SyytT9j6B:khw1JFTfD3EawCNu3En6
MD5:	B16323753C611BE676E09C94395A62E0
SHA1:	3055A2CD3A2166013C58848CFA3F45EA47E5BFBA
SHA-256:	C72737547CD31EA000B3971430F865BFB59D57BB4E8D3354BC74F5CECE094B74
SHA-512:	1605AE66BC84E46C5E62318180ED44F75B39C5FD5CD59DD3D2A9BEC2421C286A60F791F1DDB4080A25DA9A7A83C4A3DD1689B901F17D4F7EFDF10528F30597B6
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5959062543879A75.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.12363344581499193
Encrypted:	false
SSDEEP:	24:1lzI6jzTxIy3ipVIypIy3ipVIyZAEVkyjCyAUVgwGQWz88+ophCDV8:1BJjzT+y3SyyWy3SyyZAEbCyAUE/bmV
MD5:	D4A493496C65046B7E7DE956D802CA21
SHA1:	BB86619612F7AF01C51C5F0D4F201852BD55EFDA
SHA-256:	FD62C1BCE9E2E55A7DD53F341A9D9DB5C8BFF5A64F1544D1248CC979A7AB14B8
SHA-512:	DF78F93F71F7138FF2E8BF0A9352876C71E261E46FFDE688F5814E6815D111C010EF3D077B539F0BB1D412E295CA091558CB015930D9C4E700EF2A8085CC9A9F
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF62ABC72850DEB1DE.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2261825491030829
Encrypted:	false
SSDEEP:	48:Tb4uLO+CFXJjT50V6b72y3SyyZAEbCyAUKy3SyytT9j6B:X4v7TlD3EawCNu3En6
MD5:	484269F4CF3A5C89B9473842CD05D3AD
SHA1:	454E816FD2056C3A5F6E464C7C702094EEA79520
SHA-256:	5DFD728FD398C2A601479F5C83CFB4E61204BFCD65A27E2BDB19FFDDD0EB882D
SHA-512:	FD9342C330E550FD28AF15C9ABBD0C2393C3D08303730A17BD62C54A47D9658F894AA8273B3E7B031118FD4FC7C3A7A8111A24E74236554438BD85AD243F6A4D
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFADA6396F56966F15.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFBBC7E8269C47E057.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC24837251C278CEA.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07152587750021984
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKObCvUI5wSPCx0IRltgVky6lit/:2F0i8n0itFzDHFm8ow8uxRbit/
MD5:	5D81E7880BC5891717920CBC1046957A
SHA1:	99B51483DA3A470FB37670EC00ECF5CD765CCE82
SHA-256:	8B52A323440DB337EFF9EFE57C010CF1D2888AA55DCAC033BE523E5E896E15D8
SHA-512:	2B48DC53693718AEDC10FA8EC8A4E3D78B148F8FD7D3E8E72EFE04AEABA3A3EF16DB90416980C397C605949295E7A74312EB634206A338D6749A207E110242DB
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD2F697E27B4B909B.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.526686641342737
Encrypted:	false
SSDEEP:	48:p8PhwuRc06WXJSFT5OV6b72y3SyyZAEbCyAUKy3SyytT9j6B:khw1JFTfD3EawCNu3En6
MD5:	B16323753C611BE676E09C94395A62E0
SHA1:	3055A2CD3A2166013C58848CFA3F45EA47E5BFBA
SHA-256:	C72737547CD31EA000B3971430F865BFB59D57BB4E8D3354BC74F5CECE094B74
SHA-512:	1605AE66BC84E46C5E62318180ED44F75B39C5FD5CD59DD3D2A9BEC2421C286A60F791F1DDB4080A25DA9A7A83C4A3DD1689B901F17D4F7EFDF10528F30597B6
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD857F6F80C17B7E8.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE0577EB687810BE6.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2261825491030829
Encrypted:	false
SSDEEP:	48:Tb4uLO+CFXJjT50V6b72y3SyyZAEbCyAUKy3SyytT9j6B:X4v7TlD3EawCNu3En6
MD5:	484269F4CF3A5C89B9473842CD05D3AD
SHA1:	454E816FD2056C3A5F6E464C7C702094EEA79520
SHA-256:	5DFD728FD398C2A601479F5C83CFB4E61204BFCD65A27E2BDB19FFDDD0EB882D
SHA-512:	FD9342C330E550FD28AF15C9ABBD0C2393C3D08303730A17BD62C54A47D9658F894AA8273B3E7B031118FD4FC7C3A7A8111A24E74236554438BD85AD243F6A4D
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	13688
Entropy (8bit):	4.982318342318726
Encrypted:	false
SSDEEP:	192:zcoQBBW1IW1u1W10W1bW1zW1jW1N1W1RW1oW10W1WPW1g1W1+W1tW1ZW1LW1J1WA:2dOjTCoQK
MD5:	E1F0752E6934FE10011D9F5F41CC3273
SHA1:	DB96B8B0D2E4DDE77B814FFB0BE771B56FAD2AEA
SHA-256:	1E61D3A2D7BF126DF64D84C9E5710329B23271503322174E2B20CDAB8575FBB8
SHA-512:	F261BF1575F3B084879D5BF60B03BA5B3A6190B564FE1320AF9979BCC7A9472B27FE5403DDA1FC752C0A877E8F667A28516B0D669DF59D72C771CD55D4E824D5
Malicious:	false
Preview:	..Name Used (GB) Free (GB) Provider Root CurrentLocation..---- --------- --------- -------- ---- ---------------..HKCUCla... Registry HKEY_CURRENT_USER\Software\Classes ....Property : {}..PSPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software\Classes\SpecterXHandler.docx..PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software\Classes..PSChildName : SpecterXHandler.docx..PSDrive : HKCUClasses..PSProvider : Microsoft.PowerShell.Core\Registry..PSIsContainer : True..SubKeyCount : 0..View : Default..Handle : Microsoft.Win32.SafeHandles.SafeRegistryHandle..ValueCount : 0..Name : HKEY_CURRENT_USER\Software\Classes\SpecterXHandler.docx......Property : {}..PSPath : Microsoft.PowerShell.Core\Registry:

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {F1243E8D-F939-40FE-AC0C-8FE3980DB245}, Number of Words: 10, Subject: SpecterX File Handler, Author: SpecterX LTD, Name of Creating Application: SpecterX File Handler (Evaluation Installer), Template: ;1033, Comments: This installer database contains the logic and data required to install SpecterX File Handler. (Evaluation Installer), Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Nov 1 00:27:47 2024, Last Saved Time/Date: Fri Nov 1 00:27:47 2024, Last Printed: Fri Nov 1 00:27:47 2024, Number of Pages: 450
Entropy (8bit):	6.7790440848
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	JR2xwuR1Zc.msi
File size:	1'673'216 bytes
MD5:	1971ac3b27b03ec10123694019a2b2db
SHA1:	02d2fad62243855f97f71396e6f9e868b9fd58fc
SHA256:	a59d8dd20da457473a30a69c890a3689d0bfe8de3f2fd6cdf2007143e71cee32
SHA512:	cddb91f1eeb56cf9c07ba5ea5637c731a1827c9dc1bdec1ffe7603c7de54de50a08c3a9a4b996a52c03f3d002c96ac03ad426a89bc9e88a84933d8ec196c54de
SSDEEP:	24576:7eyxFN+sbcNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwudeo:7eIgNkyRmopy4duG/8Wea/xwu
TLSH:	DC759C21B287C52AE1AD01B7E929FE1E153DAE67073005D7B3F4799E5D708C1A27EB02
File Content Preview:	........................>.......................................................E.......b.......n..............................................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Target ID:	1
Start time:	12:52:17
Start date:	07/11/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\JR2xwuR1Zc.msi"
Imagebase:	0x7ff6c24d0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:52:18
Start date:	07/11/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff6c24d0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	12:52:20
Start date:	07/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 7CA20F3CA1CD12A009BAB9C2F5093193
Imagebase:	0x640000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:52:21
Start date:	07/11/2024
Path:	C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe"
Imagebase:	0xba0000
File size:	38'400 bytes
MD5 hash:	5B1E82809D1A6912D6079420ADA3755F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:52:21
Start date:	07/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:52:26
Start date:	07/11/2024
Path:	C:\Users\user\AppData\Local\SpecterX\SetDefault.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .vssx SpecterXHandler.vsdx
Imagebase:	0x400000
File size:	60'928 bytes
MD5 hash:	D3164DF7E7B1C2F7C61A04210902F642
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:52:26
Start date:	07/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:52:27
Start date:	07/11/2024
Path:	C:\Users\user\AppData\Local\SpecterX\SetDefault.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .xls SpecterXHandler.xlsx
Imagebase:	0x400000
File size:	60'928 bytes
MD5 hash:	D3164DF7E7B1C2F7C61A04210902F642
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:52:27
Start date:	07/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:52:28
Start date:	07/11/2024
Path:	C:\Users\user\AppData\Local\SpecterX\SetDefault.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .xlsx SpecterXHandler.xlsx
Imagebase:	0x400000
File size:	60'928 bytes
MD5 hash:	D3164DF7E7B1C2F7C61A04210902F642
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:52:28
Start date:	07/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:52:29
Start date:	07/11/2024
Path:	C:\Users\user\AppData\Local\SpecterX\SetDefault.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .vstm SpecterXHandler.vsdx
Imagebase:	0x400000
File size:	60'928 bytes
MD5 hash:	D3164DF7E7B1C2F7C61A04210902F642
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:52:29
Start date:	07/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	12:52:30
Start date:	07/11/2024
Path:	C:\Users\user\AppData\Local\SpecterX\SetDefault.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .vstx SpecterXHandler.vsdx
Imagebase:	0x400000
File size:	60'928 bytes
MD5 hash:	D3164DF7E7B1C2F7C61A04210902F642
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	12:52:30
Start date:	07/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	12:52:31
Start date:	07/11/2024
Path:	C:\Users\user\AppData\Local\SpecterX\SetDefault.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .vsdx SpecterXHandler.vsdx
Imagebase:	0x400000
File size:	60'928 bytes
MD5 hash:	D3164DF7E7B1C2F7C61A04210902F642
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	12:52:31
Start date:	07/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	12:52:33
Start date:	07/11/2024
Path:	C:\Users\user\AppData\Local\SpecterX\SetDefault.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .vssm SpecterXHandler.vsdx
Imagebase:	0x400000
File size:	60'928 bytes
MD5 hash:	D3164DF7E7B1C2F7C61A04210902F642
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	12:52:33
Start date:	07/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	12:52:34
Start date:	07/11/2024
Path:	C:\Users\user\AppData\Local\SpecterX\SetDefault.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .doc SpecterXHandler.docx
Imagebase:	0x400000
File size:	60'928 bytes
MD5 hash:	D3164DF7E7B1C2F7C61A04210902F642
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	12:52:34
Start date:	07/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	12:52:35
Start date:	07/11/2024
Path:	C:\Users\user\AppData\Local\SpecterX\SetDefault.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .pptx SpecterXHandler.pptx
Imagebase:	0x400000
File size:	60'928 bytes
MD5 hash:	D3164DF7E7B1C2F7C61A04210902F642
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	12:52:35
Start date:	07/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	12:52:36
Start date:	07/11/2024
Path:	C:\Users\user\AppData\Local\SpecterX\SetDefault.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .docx SpecterXHandler.docx
Imagebase:	0x400000
File size:	60'928 bytes
MD5 hash:	D3164DF7E7B1C2F7C61A04210902F642
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	12:52:36
Start date:	07/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	12:52:37
Start date:	07/11/2024
Path:	C:\Users\user\AppData\Local\SpecterX\SetDefault.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .ppt SpecterXHandler.pptx
Imagebase:	0x400000
File size:	60'928 bytes
MD5 hash:	D3164DF7E7B1C2F7C61A04210902F642
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	12:52:37
Start date:	07/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	12:52:38
Start date:	07/11/2024
Path:	C:\Users\user\AppData\Local\SpecterX\SetDefault.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\SpecterX\SetDefault.exe" .vsdm SpecterXHandler.vsdx
Imagebase:	0x400000
File size:	60'928 bytes
MD5 hash:	D3164DF7E7B1C2F7C61A04210902F642
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	12:52:38
Start date:	07/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD340B09B8 Relevance: 1.3, Instructions: 1254
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2378803995.00007FFD340B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd340b0000_SpecterXInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7235d42ddbc0eaaa66d3db89bc637fa4a59c89b1dd0968dda462b2605ee3283
Instruction ID: 9ecfd9bb951faac8237b2528d9ecca5666a610821ce01bea92970b65b5fdef1d
Opcode Fuzzy Hash: b7235d42ddbc0eaaa66d3db89bc637fa4a59c89b1dd0968dda462b2605ee3283
Instruction Fuzzy Hash: 49926231B189198FEBA8EB6CC4A5A6973E1FF59301F5000B9D00ED72A2DE79EC41DB45

Function 00007FFD340B501C Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE ref: 00007FFD340B50B5

Memory Dump Source

Source File: 00000004.00000002.2378803995.00007FFD340B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd340b0000_SpecterXInstaller.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 31cfdc4268bc033905bd7ef8593e74d68dc4ef8c5f83f41e644ff0b9dd7ccec0
Instruction ID: 455fb58ddea0e919c1e21bf0b7c6344e086b7240d00dbadd1b46cd049be96b4b
Opcode Fuzzy Hash: 31cfdc4268bc033905bd7ef8593e74d68dc4ef8c5f83f41e644ff0b9dd7ccec0
Instruction Fuzzy Hash: 0B31E530A0CA4C8FDB59DBA8C8567E9BBF0FB56320F00426FD049C3592CB64A816CB91

Function 00007FFD34180B6F Relevance: .1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2379086834.00007FFD34180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34180000_SpecterXInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 890cdfd917b6c4f8dfdb3915d86033d73acac69d058a64a28dc52da59d9c929a
Instruction ID: b30f78b99ce113d6e277b68cfc6c3e0d0a10078f2ff8e284c6005f1f526919ff
Opcode Fuzzy Hash: 890cdfd917b6c4f8dfdb3915d86033d73acac69d058a64a28dc52da59d9c929a
Instruction Fuzzy Hash: CF31C432B0DB9A4FEBA9EB6850A15B97BE1FF86314F0500BED14DD7193CE2DA8018354

Function 00007FFD34181ACF Relevance: .1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2379086834.00007FFD34180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34180000_SpecterXInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d5c2bfbe1ffb6ec233a06330405601c6160adf500f96f5b3b55d635cfd275f9
Instruction ID: 3c411040779a94b8cb4cfccc635bd93dea94b81085abf777c64e50a08a79483e
Opcode Fuzzy Hash: 3d5c2bfbe1ffb6ec233a06330405601c6160adf500f96f5b3b55d635cfd275f9
Instruction Fuzzy Hash: 7031A433B0DA9A4FEBE5AB5890A55B977E1EF86310F0800BED54DD7183DE1DA801C354

Non-executed Functions

Function 00007FFD340B3C2F Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2378803995.00007FFD340B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd340b0000_SpecterXInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 010a030633ee11886c23d4f3c9f91cd877fdba3da5e9a005b096cc15af451c34
Instruction ID: 1bf0887ee10012d7d6ae55def432b7c803671f74b7b293b7f90c885f215c855a
Opcode Fuzzy Hash: 010a030633ee11886c23d4f3c9f91cd877fdba3da5e9a005b096cc15af451c34
Instruction Fuzzy Hash: B271B35BB0D7D25AE763527C6CB60D57FE0EF5337572900B3C284CA083ADAD980AA356

Function 00007FFD340B77FB Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2378803995.00007FFD340B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd340b0000_SpecterXInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c60a6d2664d408041dcf29af1742c7b8628261bcfc9038036a627f0f6c420701
Instruction ID: 13e731784fde6b7897f5cbe522c9ee0d6892aaa9eb718cb3c179e732d1d8e65e
Opcode Fuzzy Hash: c60a6d2664d408041dcf29af1742c7b8628261bcfc9038036a627f0f6c420701
Instruction Fuzzy Hash: 5D418256B4E7D21AE753573C18B50E53F60EF6322474A02F7CAC4CB193DD4D980AE265

Analysis Process: SetDefault.exePID: 4892, Parent PID: 1220COMMON

Execution Graph

Execution Coverage:	17%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.5%
Total number of Nodes:	424
Total number of Limit Nodes:	11

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 004026A0 Relevance: 30.1, APIs: 14, Strings: 3, Instructions: 342
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegDeleteKeyA.ADVAPI32 ref: 004026EC
RegCreateKeyExA.KERNELBASE ref: 0040273A
puts.MSVCRT ref: 00402752

Part of subcall function 00402570: RegOpenKeyExA.KERNELBASE ref: 0040259D
Part of subcall function 00402570: RegQueryInfoKeyA.ADVAPI32 ref: 0040260E
Part of subcall function 00402570: FileTimeToSystemTime.KERNEL32 ref: 0040261E
Part of subcall function 00402570: SystemTimeToFileTime.KERNEL32 ref: 0040263A
Part of subcall function 00402570: RegCloseKey.ADVAPI32 ref: 00402673

Part of subcall function 004023C0: GetCurrentProcess.KERNEL32 ref: 004023F4
Part of subcall function 004023C0: OpenProcessToken.ADVAPI32 ref: 0040240F
Part of subcall function 004023C0: GetTokenInformation.KERNELBASE ref: 00402453
Part of subcall function 004023C0: GetTokenInformation.KERNELBASE ref: 00402485
Part of subcall function 004023C0: LookupAccountSidA.ADVAPI32 ref: 004024D1
Part of subcall function 004023C0: ConvertSidToStringSidA.ADVAPI32 ref: 004024E7

mbstowcs.MSVCRT ref: 004027CA
wcslen.MSVCRT ref: 004027D2
_wcslwr.MSVCRT ref: 004027DE
malloc.MSVCRT ref: 00402889
RegCloseKey.ADVAPI32 ref: 00402AA9

Strings

0a@, xrefs: 00402783
=, xrefs: 00402C31
)a@, xrefs: 00402ACA

Memory Dump Source

Source File: 00000006.00000002.2232157937.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2232140317.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232195991.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232212934.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232227830.000000000040B000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_SetDefault.jbxd

Similarity

API ID: Time$Token$CloseFileInformationOpenProcessSystem$AccountConvertCreateCurrentDeleteInfoLookupQueryString_wcslwrmallocmbstowcsputswcslen
String ID: )a@$0a@$=
API String ID: 2028010961-4153260733
Opcode ID: ce86d3fdc78952b22e439a4c96b1ae5e955405be6ee3e19da6602756ced6dca5
Instruction ID: 03ac7914e9e341511ab39a6dce87a521f23f3c8702bda7c9c9967043098b55c2
Opcode Fuzzy Hash: ce86d3fdc78952b22e439a4c96b1ae5e955405be6ee3e19da6602756ced6dca5
Instruction Fuzzy Hash: C9F153719093688BEB25DF29C98479DFBF0AF44304F0486EED489A7381DB749A88CF55

Function 00401179 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 207
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00401211
SetUnhandledExceptionFilter.KERNEL32 ref: 00401292
malloc.MSVCRT ref: 0040133F
strlen.MSVCRT ref: 00401366
malloc.MSVCRT ref: 00401371
memcpy.MSVCRT ref: 0040138D
GetStartupInfoA.KERNEL32 ref: 00401473

Strings

@1@, xrefs: 00401261

Memory Dump Source

Source File: 00000006.00000002.2232157937.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2232140317.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232195991.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232212934.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232227830.000000000040B000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_SetDefault.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandledmemcpystrlen
String ID: @1@
API String ID: 649803965-1062867696
Opcode ID: 3fc8b3060eb215a5af56e4ebae25485ef26f636af33c802a52dbdba989695c70
Instruction ID: a43b5d0e8aab2e093008daf85e40796155139908f9288821509ad0c888b672fb
Opcode Fuzzy Hash: 3fc8b3060eb215a5af56e4ebae25485ef26f636af33c802a52dbdba989695c70
Instruction Fuzzy Hash: 3B817CB1E082018FD710EF69DA8075A7BE4FB85344F01857EED44BB3A1D778A844DB9A

Function 0040438A Relevance: 70.3, APIs: 35, Strings: 5, Instructions: 348
stringregistryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32 ref: 0040439C
CommandLineToArgvW.SHELL32 ref: 004043AF
RegOpenKeyExA.KERNELBASE ref: 004043FF
RegQueryValueExA.KERNELBASE ref: 0040445A
atoi.MSVCRT ref: 00404462
RegQueryValueExA.KERNELBASE ref: 004044A6
RegQueryValueExA.KERNELBASE ref: 004044E2
strcmp.MSVCRT ref: 004044FE
puts.MSVCRT ref: 00404533
strcmp.MSVCRT ref: 00404557
puts.MSVCRT ref: 00404569
wcstombs.MSVCRT ref: 00404590
wcstombs.MSVCRT ref: 004045A7
strcmp.MSVCRT ref: 004045B7
RegDeleteKeyA.ADVAPI32 ref: 0040460A
wcstombs.MSVCRT ref: 0040462F
strcmp.MSVCRT ref: 0040463F
fopen.MSVCRT ref: 00404657
fgets.MSVCRT ref: 0040467F
strtok.MSVCRT ref: 004046E6
strcmp.MSVCRT ref: 0040471A
strcmp.MSVCRT ref: 00404738
strtok.MSVCRT ref: 00404785
strtok.MSVCRT ref: 004047AF
strcmp.MSVCRT ref: 00404808
strcmp.MSVCRT ref: 0040482D
strcmp.MSVCRT ref: 00404845
SHChangeNotify.SHELL32 ref: 004048B5
printf.MSVCRT ref: 004048DC
puts.MSVCRT ref: 004049CF

Strings

e@, xrefs: 0040483A
., xrefs: 004045C4
@, xrefs: 004044B2
@f@, xrefs: 004049E6
., xrefs: 00404815

Memory Dump Source

Source File: 00000006.00000002.2232157937.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2232140317.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232195991.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232212934.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232227830.000000000040B000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_SetDefault.jbxd

Similarity

API ID: strcmp$QueryValueputsstrtokwcstombs$CommandLine$ArgvChangeDeleteNotifyOpenatoifgetsfopenprintf
String ID: .$.$@$@f@$e@
API String ID: 2451745367-4170836697
Opcode ID: 428e2f03c3a8b8db93ecc0b647d38c83bc36717f18a4277cc64eedf549872dfe
Instruction ID: 8783aa9f8a355cd34b88065cfed41fb77064e6fcd8058681a7b608039e4123fe
Opcode Fuzzy Hash: 428e2f03c3a8b8db93ecc0b647d38c83bc36717f18a4277cc64eedf549872dfe
Instruction Fuzzy Hash: E5F151F05083159BC720AF25D98436EBBF4AF80348F01887EE68967281D77CC985DF5A

Function 00404380 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 97
registrystringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32 ref: 0040439C
CommandLineToArgvW.SHELL32 ref: 004043AF
RegOpenKeyExA.KERNELBASE ref: 004043FF
RegQueryValueExA.KERNELBASE ref: 0040445A
atoi.MSVCRT ref: 00404462
RegQueryValueExA.KERNELBASE ref: 004044A6
RegQueryValueExA.KERNELBASE ref: 004044E2
strcmp.MSVCRT ref: 004044FE
puts.MSVCRT ref: 00404533
strcmp.MSVCRT ref: 00404557
puts.MSVCRT ref: 00404569
wcstombs.MSVCRT ref: 00404590
wcstombs.MSVCRT ref: 004045A7
strcmp.MSVCRT ref: 004045B7
RegDeleteKeyA.ADVAPI32 ref: 0040460A
wcstombs.MSVCRT ref: 0040462F
strcmp.MSVCRT ref: 0040463F
fopen.MSVCRT ref: 00404657
fgets.MSVCRT ref: 0040467F
strtok.MSVCRT ref: 004046E6
puts.MSVCRT ref: 004049CF

Strings

@, xrefs: 004044B2
Te@, xrefs: 004043F0

Memory Dump Source

Source File: 00000006.00000002.2232157937.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2232140317.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232195991.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232212934.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232227830.000000000040B000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_SetDefault.jbxd

Similarity

API ID: strcmp$QueryValueputswcstombs$CommandLine$ArgvDeleteOpenatoifgetsfopenstrtok
String ID: @$Te@
API String ID: 4164741573-3026374435
Opcode ID: 98950425c47ac62e6770fd8f2364a079b9e639ecc8997b3054887ece2750aba2
Instruction ID: 32220b5bc8446626c2f2012a3bfec091bc7e020f0229b4e70187ca10948d0537
Opcode Fuzzy Hash: 98950425c47ac62e6770fd8f2364a079b9e639ecc8997b3054887ece2750aba2
Instruction Fuzzy Hash: DB410DF08053159FDB50EF65D94875EBBF4FF80304F0089AEE689A7240D77999888F5A

Function 004023C0 Relevance: 15.1, APIs: 10, Instructions: 100
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 004023F4
OpenProcessToken.ADVAPI32 ref: 0040240F
GetTokenInformation.KERNELBASE ref: 00402453
GetTokenInformation.KERNELBASE ref: 00402485
LookupAccountSidA.ADVAPI32 ref: 004024D1
ConvertSidToStringSidA.ADVAPI32 ref: 004024E7
printf.MSVCRT ref: 00402507
LocalAlloc.KERNEL32 ref: 0040254B

Memory Dump Source

Source File: 00000006.00000002.2232157937.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2232140317.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232195991.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232212934.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232227830.000000000040B000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_SetDefault.jbxd

Similarity

API ID: Token$InformationProcess$AccountAllocConvertCurrentLocalLookupOpenStringprintf
String ID:
API String ID: 892511574-0
Opcode ID: d66834b20918afac42d46c85198aa894f8910a5b1be3110befaec1eab9b0623f
Instruction ID: d751da2c95dded9e22fdfb686bc1f6b85a60496c220cba8abdd9d20475e57ce5
Opcode Fuzzy Hash: d66834b20918afac42d46c85198aa894f8910a5b1be3110befaec1eab9b0623f
Instruction Fuzzy Hash: B041ECB19043149FCB10EF65D98838EFBF4FF84315F0089AED488A7251EB7495888F96

Function 00402570 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71
registrytimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE ref: 0040259D
RegQueryInfoKeyA.ADVAPI32 ref: 0040260E
FileTimeToSystemTime.KERNEL32 ref: 0040261E
SystemTimeToFileTime.KERNEL32 ref: 0040263A
RegCloseKey.ADVAPI32 ref: 00402673
puts.MSVCRT ref: 0040268F

Strings

$p@, xrefs: 00402679

Memory Dump Source

Source File: 00000006.00000002.2232157937.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2232140317.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232195991.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232212934.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232227830.000000000040B000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_SetDefault.jbxd

Similarity

API ID: Time$FileSystem$CloseInfoOpenQueryputs
String ID: $p@
API String ID: 2021266425-2581991240
Opcode ID: 246f4c5230f712c0e59325744e55a6a9401e8df4bcb08566e9f23f35927ad1a9
Instruction ID: a44412c639be079ffefa57ed152e5e7faa3507e165b327a2f1c167a4494bedbe
Opcode Fuzzy Hash: 246f4c5230f712c0e59325744e55a6a9401e8df4bcb08566e9f23f35927ad1a9
Instruction Fuzzy Hash: 9531D6B08083099FDB00EFA5D54839EBFF0FF44358F00896DE888A7250D77995488F96

Function 004023B2 Relevance: 9.1, APIs: 6, Instructions: 73
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 004023F4
OpenProcessToken.ADVAPI32 ref: 0040240F
GetTokenInformation.KERNELBASE ref: 00402453
GetTokenInformation.KERNELBASE ref: 00402485
LookupAccountSidA.ADVAPI32 ref: 004024D1
ConvertSidToStringSidA.ADVAPI32 ref: 004024E7
printf.MSVCRT ref: 00402507
LocalAlloc.KERNEL32 ref: 0040254B

Memory Dump Source

Source File: 00000006.00000002.2232157937.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2232140317.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232195991.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232212934.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232227830.000000000040B000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_SetDefault.jbxd

Similarity

API ID: Token$InformationProcess$AccountAllocConvertCurrentLocalLookupOpenStringprintf
String ID:
API String ID: 892511574-0
Opcode ID: 252316a5d7d580bdd46366a4f4237d2c8dba491e7402719f374b0e5a4dea04bc
Instruction ID: 644458309707ad684d499cc189ab57b8859fe37fc9f9a8ef91d40be7c2034af6
Opcode Fuzzy Hash: 252316a5d7d580bdd46366a4f4237d2c8dba491e7402719f374b0e5a4dea04bc
Instruction Fuzzy Hash: A831DE718043199FCB50DF65D98878AFBF4FF84314F0089AED488A7251EB749688CF95

Function 00402AF9 Relevance: 6.1, APIs: 4, Instructions: 53
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExA.KERNELBASE ref: 00402B6E
strlen.MSVCRT ref: 00402B7C
RegSetValueExA.KERNELBASE ref: 00402BAD
RegCloseKey.KERNELBASE ref: 00402BBB

Memory Dump Source

Source File: 00000006.00000002.2232157937.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2232140317.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232195991.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232212934.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232227830.000000000040B000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_SetDefault.jbxd

Similarity

API ID: Value$Closestrlen
String ID:
API String ID: 2641137173-0
Opcode ID: c126ce7880f74dc70501113a7896d1df5733dab2b7f81619b3c33a779b076ada
Instruction ID: 3d3a8f13f285c430ef15e382b6df9b9ab45053311c7b8ef291f0b0c0d0d2ec8b
Opcode Fuzzy Hash: c126ce7880f74dc70501113a7896d1df5733dab2b7f81619b3c33a779b076ada
Instruction Fuzzy Hash: 0A1108719046058FE704EF68C98578DB7F0FF84308F4089ADE488E7245DB79A988CF86

Function 0040253C Relevance: 6.0, APIs: 4, Instructions: 45
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE ref: 00402485
LookupAccountSidA.ADVAPI32 ref: 004024D1
ConvertSidToStringSidA.ADVAPI32 ref: 004024E7
LocalFree.KERNEL32 ref: 00402519
CloseHandle.KERNEL32 ref: 0040252B
LocalAlloc.KERNEL32 ref: 0040254B

Memory Dump Source

Source File: 00000006.00000002.2232157937.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2232140317.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232195991.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232212934.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232227830.000000000040B000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_SetDefault.jbxd

Similarity

API ID: Local$AccountAllocCloseConvertFreeHandleInformationLookupStringToken
String ID:
API String ID: 1207806530-0
Opcode ID: ca4944066bd6da7dc61d849fac7b1b2343fca66eaf930dec50635776dcdbfb29
Instruction ID: 9dbd1d594504f93497666f5ff2714cee2844a77f52ce2c798a0338e7630c7353
Opcode Fuzzy Hash: ca4944066bd6da7dc61d849fac7b1b2343fca66eaf930dec50635776dcdbfb29
Instruction Fuzzy Hash: CB11DDB59043199FC750DF68D58868EFBF0FF48310F0089AED488A3211E7749A88CF56

Function 00402A1C Relevance: 3.0, APIs: 2, Instructions: 30
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE ref: 00402A79
puts.MSVCRT ref: 00402A8D
RegSetValueExA.KERNELBASE ref: 00402B6E
strlen.MSVCRT ref: 00402B7C
RegSetValueExA.KERNELBASE ref: 00402BAD
RegCloseKey.KERNELBASE ref: 00402BBB

Memory Dump Source

Source File: 00000006.00000002.2232157937.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2232140317.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232195991.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232212934.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232227830.000000000040B000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_SetDefault.jbxd

Similarity

API ID: Value$CloseOpenputsstrlen
String ID:
API String ID: 395390182-0
Opcode ID: b664c9b95a95ad0346b29781e8125cdd00e696894aff834768822329950a5d74
Instruction ID: b8d187f5214a6b5a955d1ae89fd79bdc970732b6045c066155a45adc95d47bc6
Opcode Fuzzy Hash: b664c9b95a95ad0346b29781e8125cdd00e696894aff834768822329950a5d74
Instruction Fuzzy Hash: 86F031B09043049FD710EF65C54434EBBF4EF84354F00C96EE48897241DBB995448F56

Non-executed Functions

Function 00401780 Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 004017CB
memcpy.MSVCRT ref: 004017E1
memset.MSVCRT ref: 00401805
malloc.MSVCRT ref: 00401A0D
memcpy.MSVCRT ref: 00401A23

Strings

@, xrefs: 00401946

Memory Dump Source

Source File: 00000006.00000002.2232157937.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2232140317.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232195991.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232212934.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232227830.000000000040B000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_SetDefault.jbxd

Similarity

API ID: mallocmemcpy$memset
String ID: @
API String ID: 99833469-2766056989
Opcode ID: 18a9f2f54b7c3804af6506720540f8b84cf2560265e67ac9261c22412a4eeefd
Instruction ID: c704dddb39b3fed60ddcf0625ba577d4055e906e90e0474efdca58c1b1bc5afc
Opcode Fuzzy Hash: 18a9f2f54b7c3804af6506720540f8b84cf2560265e67ac9261c22412a4eeefd
Instruction Fuzzy Hash: 6A8173716097408FC311CF2D888065EBBE2AFD5354F4DCA6EE0C99B352D638E909C796

Function 0040158C Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 004015A7
OpenProcess.KERNEL32 ref: 004015C0
OpenProcessToken.ADVAPI32 ref: 004015E0
malloc.MSVCRT ref: 004015FA
LookupAccountNameA.ADVAPI32 ref: 00401642
CheckTokenMembership.ADVAPI32 ref: 00401664
GetLastError.KERNEL32 ref: 00401685
printf.MSVCRT ref: 0040169A
GetLastError.KERNEL32 ref: 004016A8
printf.MSVCRT ref: 004016B9
GetLastError.KERNEL32 ref: 004016C7
printf.MSVCRT ref: 004016D8

Memory Dump Source

Source File: 00000006.00000002.2232157937.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2232140317.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232195991.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232212934.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232227830.000000000040B000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_SetDefault.jbxd

Similarity

API ID: ErrorLastProcessprintf$OpenToken$AccountCheckCurrentLookupMembershipNamemalloc
String ID:
API String ID: 2350166618-0
Opcode ID: 3b0faa36b393f347d51058b052492042c508baaf29f228957ce98c38411874ce
Instruction ID: 2b906c45ec089b33b958584bdfd409fd0e5085b56160df549a65abf7ece98d14
Opcode Fuzzy Hash: 3b0faa36b393f347d51058b052492042c508baaf29f228957ce98c38411874ce
Instruction Fuzzy Hash: DC21EBB18043199FC750EF64DA447DFBBF4EF44350F0089AEE888A7254EB7499848F86

Function 00403B30 Relevance: 7.6, APIs: 5, Instructions: 56timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00403B68
GetCurrentProcessId.KERNEL32 ref: 00403B79
GetCurrentThreadId.KERNEL32 ref: 00403B81
GetTickCount.KERNEL32 ref: 00403B8A
QueryPerformanceCounter.KERNEL32 ref: 00403B99

Memory Dump Source

Source File: 00000006.00000002.2232157937.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2232140317.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232195991.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232212934.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232227830.000000000040B000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_SetDefault.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 851108c6b6259b2facbd109661269e1a64e5a0895d78f38946da170294d8fe44
Instruction ID: f6c3e8c53bb9a02aa4fa01db30375449be221f4d85175df23b3d18b599b00758
Opcode Fuzzy Hash: 851108c6b6259b2facbd109661269e1a64e5a0895d78f38946da170294d8fe44
Instruction Fuzzy Hash: 9B113476D002188BCF10AFB8EA481CEFBB4FB0C325F05457AD805B7210DA3469548F99

Function 00403BDC Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00403C2F
UnhandledExceptionFilter.KERNEL32 ref: 00403C3F
GetCurrentProcess.KERNEL32 ref: 00403C48
TerminateProcess.KERNEL32 ref: 00403C59
abort.MSVCRT ref: 00403C62

Memory Dump Source

Source File: 00000006.00000002.2232157937.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2232140317.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232195991.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232212934.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232227830.000000000040B000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_SetDefault.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID:
API String ID: 520269711-0
Opcode ID: 76c07a3073f0d67d995d7e9ebc7e6c83229556bc4119ef91ae843a392180844f
Instruction ID: c93e10eb7b46a5cce86e5c747f8fd7142c868c258911e588a02060185b9a1b14
Opcode Fuzzy Hash: 76c07a3073f0d67d995d7e9ebc7e6c83229556bc4119ef91ae843a392180844f
Instruction Fuzzy Hash: 8E01A2B4809604CFD700EFB9EA495097BF0BB08300F00853DE989AB360E774A444CF9A

Function 00403BE0 Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00403C2F
UnhandledExceptionFilter.KERNEL32 ref: 00403C3F
GetCurrentProcess.KERNEL32 ref: 00403C48
TerminateProcess.KERNEL32 ref: 00403C59
abort.MSVCRT ref: 00403C62

Memory Dump Source

Source File: 00000006.00000002.2232157937.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2232140317.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232195991.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232212934.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232227830.000000000040B000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_SetDefault.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID:
API String ID: 520269711-0
Opcode ID: 91537667c88ea3bc89070dad38cf917d4b6613f163f1921a76d8a35296654fc0
Instruction ID: 0af807383d623c080b417606dc743c04f722218f3e4514e9a686ac8720fc5d9c
Opcode Fuzzy Hash: 91537667c88ea3bc89070dad38cf917d4b6613f163f1921a76d8a35296654fc0
Instruction Fuzzy Hash: C60180B4909604CFD740EFB9EB496497BF0BB08304F00857DE989AB360EB74A544CF9A

Function 00401590 Relevance: 18.1, APIs: 12, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004015A7
OpenProcess.KERNEL32 ref: 004015C0
OpenProcessToken.ADVAPI32 ref: 004015E0
malloc.MSVCRT ref: 004015FA
LookupAccountNameA.ADVAPI32 ref: 00401642
CheckTokenMembership.ADVAPI32 ref: 00401664
GetLastError.KERNEL32 ref: 00401685
printf.MSVCRT ref: 0040169A
GetLastError.KERNEL32 ref: 004016A8
printf.MSVCRT ref: 004016B9
GetLastError.KERNEL32 ref: 004016C7
printf.MSVCRT ref: 004016D8

Memory Dump Source

Source File: 00000006.00000002.2232157937.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2232140317.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232195991.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232212934.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232227830.000000000040B000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_SetDefault.jbxd

Similarity

API ID: ErrorLastProcessprintf$OpenToken$AccountCheckCurrentLookupMembershipNamemalloc
String ID:
API String ID: 2350166618-0
Opcode ID: 111986f97e8006be4781f1dafe1673483795eaf2840e17aa992ed29d4bded850
Instruction ID: dbf25c272997060d637d41b1388e6743939cdd7d97018284a2d6db79c4f25d14
Opcode Fuzzy Hash: 111986f97e8006be4781f1dafe1673483795eaf2840e17aa992ed29d4bded850
Instruction Fuzzy Hash: 03313BB09093059FC710EF74DA4429EBBF4EF48350F0189BEE989A7250EB3985948F86

Function 00402DB0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 123
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00402E4A
RegOpenKeyExW.ADVAPI32 ref: 00402EB6
RegEnumKeyExW.ADVAPI32 ref: 00402F18
wprintf.MSVCRT ref: 00402F61
wprintf.MSVCRT ref: 00402FFC

Strings

\b@, xrefs: 00402F3A

Memory Dump Source

Source File: 00000006.00000002.2232157937.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2232140317.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232195991.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232212934.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232227830.000000000040B000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_SetDefault.jbxd

Similarity

API ID: wprintf$EnumInfoOpenQuery
String ID: \b@
API String ID: 4254634424-3153086067
Opcode ID: 324216fd4cfd376d844104b6b332f7df15c4e595f042d72c385f492269db6362
Instruction ID: 1cdb1e7319a4b00985aa5e96af0d67ead8184c6ff0b40ecdc771a302da14bbe4
Opcode Fuzzy Hash: 324216fd4cfd376d844104b6b332f7df15c4e595f042d72c385f492269db6362
Instruction Fuzzy Hash: 38511BB08053158FDB10DF15C94869EFBF4BF84344F11C9BEE488A7291DB7986888F86

Function 00403010 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 56
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.ADVAPI32 ref: 00403044
RegCloseKey.ADVAPI32 ref: 00403066
RegOpenKeyExW.ADVAPI32 ref: 00403092
wprintf.MSVCRT ref: 004030A2
wprintf.MSVCRT ref: 004030B7

Part of subcall function 00402DB0: RegQueryInfoKeyW.ADVAPI32 ref: 00402E4A
Part of subcall function 00402DB0: RegOpenKeyExW.ADVAPI32 ref: 00402EB6
Part of subcall function 00402DB0: RegEnumKeyExW.ADVAPI32 ref: 00402F18
Part of subcall function 00402DB0: wprintf.MSVCRT ref: 00402F61

Strings

Td@, xrefs: 00403083

Memory Dump Source

Source File: 00000006.00000002.2232157937.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2232140317.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232195991.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232212934.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232227830.000000000040B000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_SetDefault.jbxd

Similarity

API ID: Openwprintf$CloseEnumInfoQuery
String ID: Td@
API String ID: 2180483866-3820597325
Opcode ID: 10cef42bc82b04ff61fee560b6344dbc1f7ac801814bbc76a9ac4c6bc565f3a6
Instruction ID: 5d5c137082eec89410860858f049285366b8ed35a4b62d8e218b2051146ae84f
Opcode Fuzzy Hash: 10cef42bc82b04ff61fee560b6344dbc1f7ac801814bbc76a9ac4c6bc565f3a6
Instruction Fuzzy Hash: 9C1121B0804315DFDB00BFA5D54929FBFF4EF40358F01882EE58467241D7B994548BDA

Function 004032E0 Relevance: 9.1, APIs: 6, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

signal.MSVCRT ref: 0040331B
signal.MSVCRT ref: 00403372
signal.MSVCRT ref: 004033BD
signal.MSVCRT ref: 004033E5

Memory Dump Source

Source File: 00000006.00000002.2232157937.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2232140317.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232195991.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232212934.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232227830.000000000040B000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_SetDefault.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: ed3af095c9b52fa1645d37e6a783337c96b192b32cd2449b13933a98259822aa
Instruction ID: 1d6627308501263b4b887246d1756e2b9ad4b10aad438c04c10083339a6c0520
Opcode Fuzzy Hash: ed3af095c9b52fa1645d37e6a783337c96b192b32cd2449b13933a98259822aa
Instruction Fuzzy Hash: E9213CB0109300DAE7206FA4858036EBED8AB45766F12492FEDD4E72C1CB7D9A84875B

Function 00403009 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00403044
RegCloseKey.ADVAPI32 ref: 00403066
RegOpenKeyExW.ADVAPI32 ref: 00403092
wprintf.MSVCRT ref: 004030A2
wprintf.MSVCRT ref: 004030B7

Part of subcall function 00402DB0: RegQueryInfoKeyW.ADVAPI32 ref: 00402E4A
Part of subcall function 00402DB0: RegOpenKeyExW.ADVAPI32 ref: 00402EB6
Part of subcall function 00402DB0: RegEnumKeyExW.ADVAPI32 ref: 00402F18
Part of subcall function 00402DB0: wprintf.MSVCRT ref: 00402F61

Strings

Td@, xrefs: 00403083

Memory Dump Source

Source File: 00000006.00000002.2232157937.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2232140317.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232195991.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232212934.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232227830.000000000040B000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_SetDefault.jbxd

Similarity

API ID: Openwprintf$CloseEnumInfoQuery
String ID: Td@
API String ID: 2180483866-3820597325
Opcode ID: 41ab7d49ffdc91763d27016429cadfc3243766c8abf4d6da29d8015ad8e086fe
Instruction ID: fd25b14574a67ecea94e19ff6d6048ad3520cb15a73157fe21167ec30ee4e02d
Opcode Fuzzy Hash: 41ab7d49ffdc91763d27016429cadfc3243766c8abf4d6da29d8015ad8e086fe
Instruction Fuzzy Hash: 35012DB08043159FDB00AFA5D54936FBFF4EF40758F01882EE98867241D7B994588BDA

Function 0040367C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0040365F
VirtualProtect.KERNEL32 ref: 004036A7
memcpy.MSVCRT ref: 004036BD
VirtualProtect.KERNEL32 ref: 004036E7

Strings

@, xrefs: 00403695

Memory Dump Source

Source File: 00000006.00000002.2232157937.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2232140317.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232195991.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232212934.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232227830.000000000040B000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_SetDefault.jbxd

Similarity

API ID: ProtectVirtualmemcpy
String ID: @
API String ID: 4237922067-2766056989
Opcode ID: 87dcebf669140ce12edef5d5fa5a1f8a028a4ca3d894f7ad06c880f358aa7192
Instruction ID: bd5f270fd96b2f437b39f6132b38b6103e973194d15fe76cf34161a0e328af58
Opcode Fuzzy Hash: 87dcebf669140ce12edef5d5fa5a1f8a028a4ca3d894f7ad06c880f358aa7192
Instruction Fuzzy Hash: 95018CB5905305AFDB10EFADD58449EFBF4EB88350F10882EE598E7350D635A9448B46

Function 00403200 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 00403225
__dllonexit.MSVCRT ref: 00403263
_unlock.MSVCRT ref: 00403293
_onexit.MSVCRT ref: 004032A7

Memory Dump Source

Source File: 00000006.00000002.2232157937.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2232140317.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232195991.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232212934.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232227830.000000000040B000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_SetDefault.jbxd

Similarity

API ID: __dllonexit_lock_onexit_unlock
String ID:
API String ID: 209411981-0
Opcode ID: 9a809802039ff9fe12e8098fcbf92ce7f2a592af8b68d5b551853c1c16a2345b
Instruction ID: 22fba7df9a4a03f90c486e1a1f957e117b91a56f44203d71170a339c56e98b58
Opcode Fuzzy Hash: 9a809802039ff9fe12e8098fcbf92ce7f2a592af8b68d5b551853c1c16a2345b
Instruction Fuzzy Hash: C111E3B09083018FC704EF79D98540EBBE4BB88345F40093EF8C0A7392EA399584DB86

Function 00402D30 Relevance: 6.0, APIs: 4, Instructions: 44stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00402D3E
isspace.MSVCRT ref: 00402D5F
isspace.MSVCRT ref: 00402D83
memmove.MSVCRT ref: 00402D97

Memory Dump Source

Source File: 00000006.00000002.2232157937.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2232140317.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232195991.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232212934.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232227830.000000000040B000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_SetDefault.jbxd

Similarity

API ID: isspace$memmovestrlen
String ID:
API String ID: 1856428949-0
Opcode ID: a7b2d6549e36a7ebc38350192c83773f8cc15eeb568e6a34c8bc171e6b975e63
Instruction ID: d3fd9e5e57f39b4a205c1a9793b4953133b78507fa9ce56d84e8f1a505514e93
Opcode Fuzzy Hash: a7b2d6549e36a7ebc38350192c83773f8cc15eeb568e6a34c8bc171e6b975e63
Instruction Fuzzy Hash: B601D6B14087564BCA113F39598857FBFD8AF55784F05057EECC467382E27A98028695

Function 004034A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 004034F0

Strings

Tj@, xrefs: 004034D9
Unknown error, xrefs: 004034AC

Memory Dump Source

Source File: 00000006.00000002.2232157937.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2232140317.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232195991.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232212934.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232227830.000000000040B000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_SetDefault.jbxd

Similarity

API ID: fprintf
String ID: Tj@$Unknown error
API String ID: 383729395-683221051
Opcode ID: 98a7d13db4f830e09ef209278c4be680dd2bd9fd44bb9394771d9a69b4d37234
Instruction ID: ae3cde43d5d25f7a7b6a284fe05902c46395ded8080ba9972480413c6e9a7ccd
Opcode Fuzzy Hash: 98a7d13db4f830e09ef209278c4be680dd2bd9fd44bb9394771d9a69b4d37234
Instruction Fuzzy Hash: ECF01774504641CBC300EF14E58441ABBF1FF89300B92C9A9E8C99B365D738D878CB4A

Function 00403D80 Relevance: 5.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00403DA7
free.MSVCRT ref: 00403DF1
LeaveCriticalSection.KERNEL32 ref: 00403DFD

Memory Dump Source

Source File: 00000006.00000002.2232157937.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2232140317.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232195991.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232212934.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232227830.000000000040B000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_SetDefault.jbxd

Similarity

API ID: CriticalSection$EnterLeavefree
String ID:
API String ID: 4020351045-0
Opcode ID: 893f1f38092aecc1b40df3f6a523824648419426be0b9831e1d4e448d09335b7
Instruction ID: f202c57a4ce99dcb0348e63208ed13094e1dcea2f6040547efc2bb8852973fe0
Opcode Fuzzy Hash: 893f1f38092aecc1b40df3f6a523824648419426be0b9831e1d4e448d09335b7
Instruction Fuzzy Hash: 7F012770B18202CFD700EF68DA8451ABFE4AF44305B1445BED885A7391EB38E990DB4A

Function 00403C70 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00403C80
TlsGetValue.KERNEL32 ref: 00403CA5
GetLastError.KERNEL32 ref: 00403CB0
LeaveCriticalSection.KERNEL32 ref: 00403CD0

Memory Dump Source

Source File: 00000006.00000002.2232157937.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2232140317.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232195991.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232212934.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2232227830.000000000040B000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_SetDefault.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 46fb981f7c797deaf9e6847ee4a88ce6dc15bc7ee9b17df910ed3ea49ad6667b
Instruction ID: 5fd713b1dae67ded7836070dd759722d66313b6020a9cea318f57296d00dc9d8
Opcode Fuzzy Hash: 46fb981f7c797deaf9e6847ee4a88ce6dc15bc7ee9b17df910ed3ea49ad6667b
Instruction Fuzzy Hash: CAF08176919A008BDB00BFB89A4855ABFB8FB80351F01057DDC95B3300DB34B924CBDA

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report JR2xwuR1Zc.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\706487.rbs

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SpecterXInstaller.exe.log

C:\Users\user\AppData\Local\SpecterX\SetDefault.exe

C:\Users\user\AppData\Local\SpecterX\SpecterX.ico

C:\Users\user\AppData\Local\SpecterX\SpecterXFileHandler-Interactive.exe

C:\Users\user\AppData\Local\SpecterX\SpecterXFileHandler.exe

C:\Users\user\AppData\Local\SpecterX\SpecterXInstaller.exe

C:\Users\user\AppData\Local\SpecterX\SpecterXUninstaller.exe

C:\Users\user\AppData\Local\SpecterX\config.xml

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_adylwiy0.ylc.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hpg5mjpn.mly.ps1

C:\Users\user\AppData\Roaming\Microsoft\Installer\{9E710E79-8D32-42A7-AA5F-53972FD29A8B}\SpecterX.exe

C:\Windows\Installer\706485.msi

C:\Windows\Installer\706488.msi

C:\Windows\Installer\MSI6754.tmp

C:\Windows\Installer\MSI67C2.tmp

C:\Windows\Installer\MSI6811.tmp

C:\Windows\Installer\MSI6851.tmp

C:\Windows\Installer\MSI68A0.tmp

C:\Windows\Installer\MSI68FF.tmp

C:\Windows\Installer\SourceHash{9E710E79-8D32-42A7-AA5F-53972FD29A8B}

C:\Windows\Installer\inprogressinstallinfo.ipi

Windows Analysis Report
JR2xwuR1Zc.msi