
Windows Analysis Report
r.exe

Overview

General Information

Sample Name: r.exe
Analysis ID: 641726
MD5: 601ccdad5d43290b18ce9c0728e52d38
SHA1: d6a142337788d09e98af6665ea44899b248e46fd
SHA256: f78aa003a899db2d88065eefcad78377325e31bc2f7c4d6ce19e21773cd27d23
Tags: exe

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Machine Learning detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Disable Windows Defender notifications (registry)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • r.exe (PID: 2984 cmdline: "C:\Users\user\Desktop\r.exe" MD5: 601CCDAD5D43290B18CE9C0728E52D38)
    • schtasks.exe (PID: 3396 cmdline: "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 3 /tn "MicrosoftEdgeUpdate" /tr "C:\Users\user\AppData\Roaming\Z\Z.exe" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
      • conhost.exe (PID: 3968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6476 cmdline: "powershell" Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender Security Center\\Notifications' -Name DisableNotifications -Value 1 MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Z.exe (PID: 6456 cmdline: C:\Users\user\AppData\Roaming\Z\Z.exe MD5: 601CCDAD5D43290B18CE9C0728E52D38)
    • schtasks.exe (PID: 5096 cmdline: "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 3 /tn "MicrosoftEdgeUpdate" /tr "C:\Users\user\AppData\Roaming\Z\Z.exe" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
      • conhost.exe (PID: 5168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6372 cmdline: "powershell" Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender Security Center\\Notifications' -Name DisableNotifications -Value 1 MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: r.exe | Virustotal: Detection: 66%
Source: r.exe | Metadefender: Detection: 31%
Source: r.exe | ReversingLabs: Detection: 80%
Source: r.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\Z\Z.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\Z\Z.exe | Virustotal: Detection: 66%
Source: C:\Users\user\AppData\Roaming\Z\Z.exe | Metadefender: Detection: 31%
Source: C:\Users\user\AppData\Roaming\Z\Z.exe | ReversingLabs: Detection: 80%
Source: r.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Z\Z.exe | Joe Sandbox ML: detected
Source: 5.0.Z.exe.7c0000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.0.r.exe.b40000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: r.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: r.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: r.exe, Z.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: r.exe, Z.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: r.exe, Z.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000006.00000002.474915527.000001F879480000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.498026227.00000248E2C45000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: r.exe, Z.exe.0.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: r.exe, Z.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: r.exe, Z.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: r.exe, Z.exe.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: r.exe, Z.exe.0.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: r.exe, Z.exe.0.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: powershell.exe, 00000006.00000002.474450346.000001F8711B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.497605055.00000248DA26F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: r.exe, Z.exe.0.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: r.exe, Z.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: r.exe, Z.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0O
Source: r.exe, Z.exe.0.dr | String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 0000000A.00000002.489474628.00000248CA412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000006.00000002.462161730.000001F861141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.488556362.00000248CA201000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000A.00000002.489474628.00000248CA412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: r.exe, Z.exe.0.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 0000000A.00000002.497605055.00000248DA26F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.497605055.00000248DA26F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.497605055.00000248DA26F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.489474628.00000248CA412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000006.00000002.474450346.000001F8711B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.497605055.00000248DA26F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: r.exe, Z.exe.0.dr | String found in binary or memory: https://sectigo.com/CPS0
Source: r.exe, Z.exe.0.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: r.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\r.exe | Code function: 0_2_00007FF9F1C56986
Source: C:\Users\user\Desktop\r.exe | Code function: 0_2_00007FF9F1C57732
Source: C:\Users\user\AppData\Roaming\Z\Z.exe | Code function: 5_2_00007FF9F1C56996
Source: C:\Users\user\AppData\Roaming\Z\Z.exe | Code function: 5_2_00007FF9F1C57742
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FF9F1C60CA8
Source: r.exe, 00000000.00000000.426614767.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenames.exeL vs r.exe
Source: r.exe, 00000000.00000002.447789541.0000000001449000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs r.exe
Source: r.exe | Binary or memory string: OriginalFilenames.exeL vs r.exe
Source: r.exe | Virustotal: Detection: 66%
Source: r.exe | Metadefender: Detection: 31%
Source: r.exe | ReversingLabs: Detection: 80%
Source: C:\Users\user\Desktop\r.exe | File read: C:\Users\user\Desktop\r.exe
Source: r.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\r.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\r.exe "C:\Users\user\Desktop\r.exe"
Source: C:\Users\user\Desktop\r.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 3 /tn "MicrosoftEdgeUpdate" /tr "C:\Users\user\AppData\Roaming\Z\Z.exe" /f
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Z\Z.exe C:\Users\user\AppData\Roaming\Z\Z.exe
Source: C:\Users\user\Desktop\r.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender Security Center\\Notifications' -Name DisableNotifications -Value 1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Z\Z.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 3 /tn "MicrosoftEdgeUpdate" /tr "C:\Users\user\AppData\Roaming\Z\Z.exe" /f
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Z\Z.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender Security Center\\Notifications' -Name DisableNotifications -Value 1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\r.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 3 /tn "MicrosoftEdgeUpdate" /tr "C:\Users\user\AppData\Roaming\Z\Z.exe" /f
Source: C:\Users\user\Desktop\r.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender Security Center\\Notifications' -Name DisableNotifications -Value 1
Source: C:\Users\user\AppData\Roaming\Z\Z.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 3 /tn "MicrosoftEdgeUpdate" /tr "C:\Users\user\AppData\Roaming\Z\Z.exe" /f
Source: C:\Users\user\AppData\Roaming\Z\Z.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender Security Center\\Notifications' -Name DisableNotifications -Value 1
Source: C:\Users\user\Desktop\r.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\r.exe | File created: C:\Users\user\AppData\Roaming\Z
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dmtrlsuy.biy.ps1
Source: classification engine | Classification label: mal96.evad.winEXE@14/10@0/1
Source: C:\Users\user\Desktop\r.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: 0.0.r.exe.b40000.0.unpack, VolVeR/Program.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.r.exe.b40000.0.unpack, VolVeR/Program.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.0.Z.exe.7c0000.0.unpack, VolVeR/Program.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.0.Z.exe.7c0000.0.unpack, VolVeR/Program.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.Z.exe.7c0000.0.unpack, VolVeR/Program.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.2.Z.exe.7c0000.0.unpack, VolVeR/Program.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: r.exe, VolVeR/Program.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: r.exe, VolVeR/Program.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Z.exe.0.dr, VolVeR/Program.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: Z.exe.0.dr, VolVeR/Program.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.r.exe.b40000.0.unpack, VolVeR/Program.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.2.r.exe.b40000.0.unpack, VolVeR/Program.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: r.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.76%
Source: C:\Users\user\Desktop\r.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Z\Z.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: r.exe, VolVeR/Program.cs | Base64 encoded string: 'U2V0LUl0ZW1Qcm9wZXJ0eSAtUGF0aCAnSEtMTTpcXFNPRlRXQVJFXFxNaWNyb3NvZnRcXFdpbmRvd3MgRGVmZW5kZXIgU2VjdXJpdHkgQ2VudGVyXFxOb3RpZmljYXRpb25zJyAtTmFtZSBEaXNhYmxlTm90aWZpY2F0aW9ucyAtVmFsdWUgMQ=='
Source: Z.exe.0.dr, VolVeR/Program.cs | Base64 encoded string: 'U2V0LUl0ZW1Qcm9wZXJ0eSAtUGF0aCAnSEtMTTpcXFNPRlRXQVJFXFxNaWNyb3NvZnRcXFdpbmRvd3MgRGVmZW5kZXIgU2VjdXJpdHkgQ2VudGVyXFxOb3RpZmljYXRpb25zJyAtTmFtZSBEaXNhYmxlTm90aWZpY2F0aW9ucyAtVmFsdWUgMQ=='
Source: 0.2.r.exe.b40000.0.unpack, VolVeR/Program.cs | Base64 encoded string: 'U2V0LUl0ZW1Qcm9wZXJ0eSAtUGF0aCAnSEtMTTpcXFNPRlRXQVJFXFxNaWNyb3NvZnRcXFdpbmRvd3MgRGVmZW5kZXIgU2VjdXJpdHkgQ2VudGVyXFxOb3RpZmljYXRpb25zJyAtTmFtZSBEaXNhYmxlTm90aWZpY2F0aW9ucyAtVmFsdWUgMQ=='
Source: 0.0.r.exe.b40000.0.unpack, VolVeR/Program.cs | Base64 encoded string: 'U2V0LUl0ZW1Qcm9wZXJ0eSAtUGF0aCAnSEtMTTpcXFNPRlRXQVJFXFxNaWNyb3NvZnRcXFdpbmRvd3MgRGVmZW5kZXIgU2VjdXJpdHkgQ2VudGVyXFxOb3RpZmljYXRpb25zJyAtTmFtZSBEaXNhYmxlTm90aWZpY2F0aW9ucyAtVmFsdWUgMQ=='
Source: 5.2.Z.exe.7c0000.0.unpack, VolVeR/Program.cs | Base64 encoded string: 'U2V0LUl0ZW1Qcm9wZXJ0eSAtUGF0aCAnSEtMTTpcXFNPRlRXQVJFXFxNaWNyb3NvZnRcXFdpbmRvd3MgRGVmZW5kZXIgU2VjdXJpdHkgQ2VudGVyXFxOb3RpZmljYXRpb25zJyAtTmFtZSBEaXNhYmxlTm90aWZpY2F0aW9ucyAtVmFsdWUgMQ=='
Source: 5.0.Z.exe.7c0000.0.unpack, VolVeR/Program.cs | Base64 encoded string: 'U2V0LUl0ZW1Qcm9wZXJ0eSAtUGF0aCAnSEtMTTpcXFNPRlRXQVJFXFxNaWNyb3NvZnRcXFdpbmRvd3MgRGVmZW5kZXIgU2VjdXJpdHkgQ2VudGVyXFxOb3RpZmljYXRpb25zJyAtTmFtZSBEaXNhYmxlTm90aWZpY2F0aW9ucyAtVmFsdWUgMQ=='
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5416:120:WilError_01
Source: C:\Users\user\AppData\Roaming\Z\Z.exe | Mutant created: \Sessions\1\BaseNamedObjects\JWSFRGFQXQ
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3968:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6460:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5168:120:WilError_01
Source: C:\Users\user\Desktop\r.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: r.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: r.exe | Static file information: File size 4773888 > 1048576
Source: r.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: r.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x48cc00
Source: r.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\r.exe | File created: C:\Users\user\AppData\Roaming\Z\Z.exe

Boot Survival

Source: C:\Users\user\Desktop\r.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 3 /tn "MicrosoftEdgeUpdate" /tr "C:\Users\user\AppData\Roaming\Z\Z.exe" /f
Source: C:\Users\user\Desktop\r.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\AppData\Roaming\Z\Z.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\r.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Z\Z.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: r.exe, Z.exe.0.drBinary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\r.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Users\user\Desktop\r.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Z\Z.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Z\Z.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\r.exe TID: 6212Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Z\Z.exe TID: 632Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6528Thread sleep count: 4337 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6568Thread sleep count: 228 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6524Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6540Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6436Thread sleep count: 3124 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6436Thread sleep count: 2334 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6700Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5240Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\r.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Z\Z.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4337
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3124
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2334
Source: C:\Users\user\Desktop\r.exeProcess information queried: ProcessInformation
Source: C:\Users\user\Desktop\r.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Z\Z.exeFile Volume queried: C:\ FullSizeInformation
Source: Z.exe, 00000005.00000002.485169624.000000001BFF8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware
Source: Z.exe.0.drBinary or memory string: vmware
Source: Z.exe, 00000005.00000002.485169624.000000001BFF8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_VideoController(Standard display types)VMware6PWN6ACYWin32_VideoControllerRVWTSAH8VideoController120060621000000.000000-000272.231.display.infMSBDA4SP5N6_1PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsKDUXY3D5/
Source: r.exe, 00000000.00000002.457616806.000000001C260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_VideoController(Standard display types)VMware6PWN6ACYWin32_VideoControllerRVWTSAH8VideoController120060621000000.000000-000272.231.display.infMSBDA4SP5N6_1PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsKDUXY3D5ns\A
Source: r.exe, 00000000.00000002.457616806.000000001C260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_VideoController(Standard display types)VMware6PWN6ACYWin32_VideoControllerRVWTSAH8VideoController120060621000000.000000-000272.231.display.infMSBDA4SP5N6_1PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsKDUXY3D5User
Source: Z.exe, 00000005.00000002.485169624.000000001BFF8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_VideoController(Standard display types)VMware6PWN6ACYWin32_VideoControllerRVWTSAH8VideoController120060621000000.000000-000272.231.display.infMSBDA4SP5N6_1PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsKDUXY3D5
Source: r.exe, Z.exe.0.drBinary or memory string: DetectVirtualMachine
Source: Z.exe, 00000005.00000002.485169624.000000001BFF8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_VideoController(Standard display types)VMware6PWN6ACYWin32_VideoControllerRVWTSAH8VideoController120060621000000.000000-000272.231.display.infMSBDA4SP5N6_1PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsKDUXY3D5LMEMp
Source: Z.exe, 00000005.00000002.485169624.000000001BFF8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware6PWN6ACYWin32_VideoControllerRVWTSAH8VideoController120060621000000.000000-000272.231.display.infMSBDA4SP5N6_1PCI\VEN_15AD&DqF
Source: Z.exe, 00000005.00000002.481688704.0000000001223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: r.exe, Z.exe.0.drBinary or memory string: <Module>s.exeProgramVolVeRAlwaysNotifyMutexControlPEStartupInfoconfigRAMMinerResourcesVolVeR.PropertiesAnalysisMinerAnsInstallerVolVeRFMImscorlibSystemObjectValueTypeMainGetGPUNameHWIDGetHashDisableNotifyUAC.ctorSystem.ThreadingMutexcurrentAppCreateMutexCreateProcessVirtualAllocExWriteProcessMemoryZwUnmapViewOfSectionSetThreadContextGetThreadContextResumeThreadCloseHandleRunAligncbdwFlagswShowWindowetcWalletetcPoolethWalletethPoolethWorkeretcWorkermutexfolderFileNamedisableDefenderNotificationsbypassUACantiSandboxantiDebuggerGetVRAMSystem.Collections.GenericList`1GetNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_Cultureget_lolMinerCulturelolMinerDetectVirtualMachineDetectSandboxieGetModuleHandleCheckRemoteDebuggerPresentSystem.IOFileInfoDirectoryInfoDirectoryNameIsInstalledCreateDirectoryInstallFilestrToHashlpApplicationNamelpCommandLinelpProcessAttributeslpThreadAttributesbInheritHandlesdwCreationFlagslpEnvironmentlpCurrentDirectorylpStartupInfolpProcessInfohProcesslpAddressdwSizeflAllocationTypeflProtectlpBaseAddresslpBuffernSizewrittenProcessHandleBaseAddresshThreadlpContexthandlepayloadBufferhostargssourcealignmentvaluelpModuleNameisDebuggerPresentSystem.ReflectionAssemblyTitleAttributeAssemblyDescriptionAttributeAssemblyCompanyAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyTrademarkAttributeSystem.Security.PermissionsSecurityPermissionAttributeSecurityActionSystem.Runtime.CompilerServicesCompilationRelaxationsAttributeRuntimeCompatibilityAttributesStringop_EqualityEnvironmentExitSystem.DiagnosticsProcessStartInfoset_FileNameset_CreateNoWindowProcessWindowStyleset_WindowStyleConcatset_ArgumentsProcessStartReplacePathGetFileNameWithoutExtensionAddEnumeratorGetEnumeratorget_CurrentGetProcessesByNameKillMoveNextIDisposableDisposeSystem.Security.PrincipalWindowsIdentityGetCurrentWindowsPrincipalWindowsBuiltInRoleIsInRoleExceptionSystem.ManagementManagementObjectSearcherManagementObjectCollectionGetManagementObjectEnumeratorManagementBaseObjectManagementObjectget_ItemToStringget_ProcessorCountInt32get_UserNameget_MachineNameOperatingSystemget_OSVersionget_SystemDirectoryGetPathRootDriveInfoget_TotalSizeInt64System.Security.CryptographyMD5CryptoServiceProviderSystem.TextEncodingget_ASCIIGetBytesHashAlgorithmComputeHashStringBuilderByteAppendSubstringToUpperget_DefaultConvertFromBase64StringGetStringset_UseShellExecuteset_RedirectStandardOutputAssemblyGetExecutingAssemblyget_LocationContainsMicrosoft.Win32RegistryRegistryKeyCurrentUserOpenSubKeySetValueget_StartInfoThreadSleepDeleteValueLocalMachineGetValueCloseSystem.Runtime.InteropServicesDllImportAttributekernel32.dllntdll.dllMarshalReadInt32ReadInt16ReadInt64SizeOfAllocHGlobalIsNullOrEmptyDirectoryGetCurrentDirectoryWriteInt32IntPtrZeroBufferArrayBlockCopyBitConverterWriteInt64FreeHGlobalToInt64StructLayoutAttributeLayoutKindFieldOffsetAttribute.cctorSpecialFolderGetFolderPathCombineSystem.CoreSyst
Source: C:\Users\user\Desktop\r.exeProcess token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Z\Z.exeProcess token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Users\user\Desktop\r.exeMemory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\r.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 3 /tn "MicrosoftEdgeUpdate" /tr "C:\Users\user\AppData\Roaming\Z\Z.exe" /f
Source: C:\Users\user\Desktop\r.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender Security Center\\Notifications' -Name DisableNotifications -Value 1
Source: C:\Users\user\AppData\Roaming\Z\Z.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 3 /tn "MicrosoftEdgeUpdate" /tr "C:\Users\user\AppData\Roaming\Z\Z.exe" /f
Source: C:\Users\user\AppData\Roaming\Z\Z.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender Security Center\\Notifications' -Name DisableNotifications -Value 1
Source: C:\Users\user\Desktop\r.exeQueries volume information: C:\Users\user\Desktop\r.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Z\Z.exeQueries volume information: C:\Users\user\AppData\Roaming\Z\Z.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\r.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
MITRE ATT&CK Matrix (techniques listed per tactic; the number in parentheses is the report's count of matching signatures for that technique)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation (1); Scheduled Task/Job (1); At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Scheduled Task/Job (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection (11); Scheduled Task/Job (1); Bypass User Access Control (1); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading (1); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (121); Process Injection (11); Obfuscated Files or Information (1); Software Packing (1); Bypass User Access Control (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Query Registry (1); Security Software Discovery (31); Process Discovery (1); Virtualization/Sandbox Evasion (121); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (13)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
Behavior Graph (ID: 641726, Sample: r.exe, Startdate: 08/06/2022, Architecture: WINDOWS, Score: 96)

Sample-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Machine Learning detection for sample; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

r.exe (started)
  dropped: C:\Users\user\AppData\Roaming\Z\Z.exe (PE32); C:\Users\user\AppData\Local\...\r.exe.log (ASCII)
  signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules
  started: powershell.exe (signature: Disable Windows Defender notifications (registry); started conhost.exe); schtasks.exe (started conhost.exe)

Z.exe (started)
  contacted: 192.168.2.1 (unknown, unknown)
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  started: schtasks.exe (started conhost.exe); powershell.exe (started conhost.exe)

Source | Detection | Scanner | Label
r.exe | 66% | Virustotal |
r.exe | 31% | Metadefender |
r.exe | 81% | ReversingLabs | Win32.PUA.MiscX
r.exe | 100% | Avira | TR/Dropper.Gen
r.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Z\Z.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Z\Z.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Z\Z.exe | 66% | Virustotal |
C:\Users\user\AppData\Roaming\Z\Z.exe | 31% | Metadefender |
C:\Users\user\AppData\Roaming\Z\Z.exe | 81% | ReversingLabs | Win32.PUA.MiscX
Source | Detection | Scanner | Label
5.0.Z.exe.7c0000.0.unpack | 100% | Avira | TR/Dropper.Gen
0.0.r.exe.b40000.0.unpack | 100% | Avira | TR/Dropper.Gen
No Antivirus matches
Source | Detection | Scanner | Label
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000006.00000002.474450346.000001F8711B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.497605055.00000248DA26F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://sectigo.com/CPS0 | r.exe, Z.exe.0.dr | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | r.exe, Z.exe.0.dr | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000A.00000002.489474628.00000248CA412000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000A.00000002.489474628.00000248CA412000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 0000000A.00000002.497605055.00000248DA26F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000006.00000002.474450346.000001F8711B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.497605055.00000248DA26F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 0000000A.00000002.497605055.00000248DA26F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000A.00000002.497605055.00000248DA26F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | r.exe, Z.exe.0.dr | false | URL Reputation: safe | unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | r.exe, Z.exe.0.dr | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000006.00000002.462161730.000001F861141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.488556362.00000248CA201000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 0000000A.00000002.489474628.00000248CA412000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
192.168.2.1 | | | | |
            Joe Sandbox Version:35.0.0 Citrine
            Analysis ID:641726
Start date and time: 2022-06-08 18:54:40 +02:00
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 7m 47s
            Hypervisor based Inspection enabled:false
            Report type:light
            Sample file name:r.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 28
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal96.evad.winEXE@14/10@0/1
            EGA Information:Failed
            HDC Information:Failed
            HCA Information:
            • Successful, ratio: 98%
            • Number of executed functions: 0
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Adjust boot time
            • Enable AMSI
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
            • Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, licensing.mp.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
            • Execution Graph export aborted for target Z.exe, PID 6456 because it is empty
            • Execution Graph export aborted for target powershell.exe, PID 6476 because it is empty
            • Execution Graph export aborted for target r.exe, PID 2984 because it is empty
            • Not all processes were analyzed, report is missing behavior information
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            Time | Type | Description
            18:56:00 | Task Scheduler | Run new task: MicrosoftEdgeUpdate path: C:\Users\user\AppData\Roaming\Z\Z.exe
            18:56:04 | API Interceptor | 38x Sleep call for process: powershell.exe modified
            Process:C:\Users\user\AppData\Roaming\Z\Z.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1076
            Entropy (8bit):5.359758749701665
            Encrypted:false
            SSDEEP:24:ML9E4KrL1qE4GiD0E4KeGiKDE4KGKN08AKhBsXE4+Y:MxHKn1qHGiD0HKeGiYHKGD8AokH+Y
            MD5:96C02D101311A155C6517E433AED892E
            SHA1:52E393477D5A279909C8FC47A9EFFE9FA8BF964E
            SHA-256:9F20781DB029AA6D5F1F1CCC3EDB3D5D08A5A072AC65D0EFDACF24B9C2F15B28
            SHA-512:361F2E24B3F4BEBB7B5DBE8C61A014EFEEFFA63C8D4F9E2DFC9FD591E9ECAE2FCF089D2C9AD211DA57DCD4D06A91FE232356CD5F532CBBE7D2ACA99C5CA87AD5
            Malicious:false
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Syst
            Process:C:\Users\user\Desktop\r.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1076
            Entropy (8bit):5.359758749701665
            Encrypted:false
            SSDEEP:24:ML9E4KrL1qE4GiD0E4KeGiKDE4KGKN08AKhBsXE4+Y:MxHKn1qHGiD0HKeGiYHKGD8AokH+Y
            MD5:96C02D101311A155C6517E433AED892E
            SHA1:52E393477D5A279909C8FC47A9EFFE9FA8BF964E
            SHA-256:9F20781DB029AA6D5F1F1CCC3EDB3D5D08A5A072AC65D0EFDACF24B9C2F15B28
            SHA-512:361F2E24B3F4BEBB7B5DBE8C61A014EFEEFFA63C8D4F9E2DFC9FD591E9ECAE2FCF089D2C9AD211DA57DCD4D06A91FE232356CD5F532CBBE7D2ACA99C5CA87AD5
            Malicious:true
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Syst
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:data
            Category:dropped
            Size (bytes):1112
            Entropy (8bit):5.261317746785248
            Encrypted:false
            SSDEEP:24:3APpQrLAo4KAxX5qRPD42HOoFe9t4CvKaBPnKyH5X:QPerB4nqRL/HvFe9t4CvpBfnHZ
            MD5:10B3604B711FAAE4E7D98576FF54D22C
            SHA1:FFFE9478665B13C99518C8C5FCC9DF3BC112E507
            SHA-256:283F1509E6EE6F2CBA7EE7B27A6E4D3657E12E025E12DAF8F8EC87DE9A58067B
            SHA-512:10EAC10853F51427C7F79A03FDB09B8330388638AE65753E9790BF3A1B59C49DD185650F9ACB6EA65F66E891D620E2BEC8FA72F45AB3A3BF23DBC97199BDBBA9
            Malicious:false
            Preview:@...e...........................................................8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP...............-K..s.F..*.]`.,......(.Microsoft.PowerShell.Commands.ManagementD..................-.D.F.<;.nt.1........System.Configuration.Ins
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:very short file (no magic)
            Category:dropped
            Size (bytes):1
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:3:U:U
            MD5:C4CA4238A0B923820DCC509A6F75849B
            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
            Malicious:false
            Preview:1
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:very short file (no magic)
            Category:dropped
            Size (bytes):1
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:3:U:U
            MD5:C4CA4238A0B923820DCC509A6F75849B
            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
            Malicious:false
            Preview:1
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:very short file (no magic)
            Category:dropped
            Size (bytes):1
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:3:U:U
            MD5:C4CA4238A0B923820DCC509A6F75849B
            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
            Malicious:false
            Preview:1
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:very short file (no magic)
            Category:dropped
            Size (bytes):1
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:3:U:U
            MD5:C4CA4238A0B923820DCC509A6F75849B
            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
            Malicious:false
            Preview:1
            Process:C:\Users\user\Desktop\r.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):4773888
            Entropy (8bit):7.999198263550714
            Encrypted:true
            SSDEEP:98304:+XjW2zyivc/oHruK4uOQRKRvIgfxgGtaeOwvPDUG2WImwOsxJ:+XjWtivIoHStuOFlIogGc7wvAepwTxJ
            MD5:601CCDAD5D43290B18CE9C0728E52D38
            SHA1:D6A142337788D09E98AF6665EA44899B248E46FD
            SHA-256:F78AA003A899DB2D88065EEFCAD78377325E31BC2F7C4D6CE19E21773CD27D23
            SHA-512:52ACB52A19CF2D74ED7C6FBE8E256E5EEC4856C36B37D4A8025658FDF2F6E4BCFB3CA46BF2DF8761E42A7289DE6E576D8E156B267A493F40E5C20B1FA41C1A22
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: Virustotal, Detection: 66%
            • Antivirus: Metadefender, Detection: 31%
            • Antivirus: ReversingLabs, Detection: 81%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[.b..................H...........H.. ....I...@.. .......................@I...........@.................................<.H.O.....I.X.................... I...................................................... ............... ..H............text.....H.. ....H................. ..`.rsrc...X.....I.......H.............@..@.reloc....... I.......H.............@..B................p.H.....H.......4.H..-..........H;...H..........................................0..........s&...(%.....&..~....r...p(....,.(....,..(......&..~....r...p(....,.(....,..(......&..(....-..(....s......r...po......o......o................r%..p....~........r...p....~........r...p...(....o.......(....&..&....(.......&..(................r...p....~........r...p....~........r...p....~........(........(....r...pr...po.......(.................r...p....~........r...p....~........r...p....~.......
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
            Category:dropped
            Size (bytes):1132
            Entropy (8bit):5.1834370445458635
            Encrypted:false
            SSDEEP:24:BxSApDvBBox2DOXITP+6zoXW1UHjeTKKjX4CIym1ZJXRTP+6zokGnxSAZJi:BZBv/ooOb6zoG1UqDYB1Zy6zokIZZJi
            MD5:27C072763A444EAF1C7DF9052B6EA378
            SHA1:57191F90EA48872BFCE0304C11CDF6DAB721726A
            SHA-256:0F3FC81B21062E48F5D9FC30819869A1D44A7C9B48C5F5E613AEC23816EDAFAC
            SHA-512:CFBE4ACBBC58049AC445BDD42EC2ADC7C2405BAE5DA041964D0AB4C79C0E448448FD2BF90DDBAB88DD0BED02CE4FDEAEB188280086F642D5F1CD3C709D7E3E35
            Malicious:false
            Preview:.**********************..Windows PowerShell transcript start..Start time: 20220608185618..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 932923 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender Security Center\\Notifications' -Name DisableNotifications -Value 1..Process ID: 6372..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220608185618..**********************..PS>Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender Security Center\\Notifications' -Name DisableNotifications -Value 1..**********************..Command start time: 20220608185717..*********************
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
            Category:dropped
            Size (bytes):1132
            Entropy (8bit):5.184362928318124
            Encrypted:false
            SSDEEP:24:BxSARyDvBBox2DOXITP+6zoXW5HjeTKKjX4CIym1ZJXITP+6zooDnxSAZxH:BZUv/ooOb6zoG5qDYB1Zh6zooDZZxH
            MD5:A94CB7CFA9DD7F887D7BF3AB5ECEC8B6
            SHA1:B27EA6935C61E4D9755731417C182E9C4AD63CD5
            SHA-256:FF05687B561107C14453DC6B81F697FF79F2291DBD161C15B21CE3EEA265350D
            SHA-512:3B1FCD7C533FF4625BFB9EBA190A2C04EF9C7394907CFA9B46925DCB6F440389D2DAFD59F255A8AE92062937A42376DEB87BE9CFA10A467A7F3444017C127BED
            Malicious:false
            Preview:.**********************..Windows PowerShell transcript start..Start time: 20220608185604..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 932923 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender Security Center\\Notifications' -Name DisableNotifications -Value 1..Process ID: 6476..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220608185604..**********************..PS>Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender Security Center\\Notifications' -Name DisableNotifications -Value 1..**********************..Command start time: 20220608185712..*********************
            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):7.999198263550714
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.76%
            • Win32 Executable (generic) a (10002005/4) 49.71%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • UPX compressed Win32 Executable (30571/9) 0.15%
            • Generic Win/DOS Executable (2004/3) 0.01%
            File name:r.exe
            File size:4773888
            MD5:601ccdad5d43290b18ce9c0728e52d38
            SHA1:d6a142337788d09e98af6665ea44899b248e46fd
            SHA256:f78aa003a899db2d88065eefcad78377325e31bc2f7c4d6ce19e21773cd27d23
            SHA512:52acb52a19cf2d74ed7c6fbe8e256e5eec4856c36b37d4a8025658fdf2f6e4bcfb3ca46bf2df8761e42a7289de6e576d8e156b267a493f40e5c20b1fa41c1a22
            SSDEEP:98304:+XjW2zyivc/oHruK4uOQRKRvIgfxgGtaeOwvPDUG2WImwOsxJ:+XjWtivIoHStuOFlIogGc7wvAepwTxJ
            TLSH:782633E3B48C33ACD4538CB467E5916289B4B089A2E71CFA49C7C13E78E3B578A20D55
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[.b..................H...........H.. ....I...@.. .......................@I...........@................................
            Icon Hash:00828e8e8686b000
            Entrypoint:0x88ea8e
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Time Stamp:0x629A5BAC [Fri Jun 3 19:06:20 2022 UTC]
            TLS Callbacks:
            CLR (.Net) Version:v4.0.30319
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
            Instruction
            jmp dword ptr [00402000h]
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x48ea3c | 0x4f | .text
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x490000 | 0x658 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x492000 | 0xc | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x2000 | 0x48ca94 | 0x48cc00 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            .rsrc | 0x490000 | 0x658 | 0x800 | False | 0.33837890625 | data | 3.49508042781 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0x492000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country
            RT_VERSION | 0x4900a0 | 0x3c4 | data | |
            RT_MANIFEST | 0x490468 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
            DLL | Import
            mscoree.dll | _CorExeMain
            Description | Data
            Translation | 0x0000 0x04b0
            LegalCopyright | Microsoft Corporation. All rights reserved.
            Assembly Version | 0.0.0.0
            InternalName | s.exe
            FileVersion | 0.0.0.0
            CompanyName | Microsoft .NET Framework
            Comments | Microsoft .NET Services Installation Utility
            ProductName | Microsoft Corporation
            ProductVersion | 0.0.0.0
            FileDescription | Installation Utility
            OriginalFilename | s.exe
            No network behavior found


            Target ID:0
            Start time:18:55:52
            Start date:08/06/2022
            Path:C:\Users\user\Desktop\r.exe
            Wow64 process (32bit):false
            Commandline:"C:\Users\user\Desktop\r.exe"
            Imagebase:0xb40000
            File size:4773888 bytes
            MD5 hash:601CCDAD5D43290B18CE9C0728E52D38
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Reputation:low

            Target ID:3
            Start time:18:55:58
            Start date:08/06/2022
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 3 /tn "MicrosoftEdgeUpdate" /tr "C:\Users\user\AppData\Roaming\Z\Z.exe" /f
            Imagebase:0x7ff7cc9d0000
            File size:226816 bytes
            MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:4
            Start time:18:55:59
            Start date:08/06/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff77f440000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:5
            Start time:18:56:00
            Start date:08/06/2022
            Path:C:\Users\user\AppData\Roaming\Z\Z.exe
            Wow64 process (32bit):false
            Commandline:C:\Users\user\AppData\Roaming\Z\Z.exe
            Imagebase:0x7c0000
            File size:4773888 bytes
            MD5 hash:601CCDAD5D43290B18CE9C0728E52D38
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Antivirus matches:
            • Detection: 100%, Avira
            • Detection: 100%, Joe Sandbox ML
            • Detection: 66%, Virustotal
            • Detection: 31%, Metadefender
            • Detection: 81%, ReversingLabs
            Reputation:low

            Target ID:6
            Start time:18:56:01
            Start date:08/06/2022
            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):false
            Commandline:"powershell" Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender Security Center\\Notifications' -Name DisableNotifications -Value 1
            Imagebase:0x7ff619710000
            File size:447488 bytes
            MD5 hash:95000560239032BC68B4C2FDFCDEF913
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Reputation:high

            Target ID:7
            Start time:18:56:02
            Start date:08/06/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff77f440000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:8
            Start time:18:56:11
            Start date:08/06/2022
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 3 /tn "MicrosoftEdgeUpdate" /tr "C:\Users\user\AppData\Roaming\Z\Z.exe" /f
            Imagebase:0x7ff7cc9d0000
            File size:226816 bytes
            MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:9
            Start time:18:56:12
            Start date:08/06/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff77f440000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:10
            Start time:18:56:16
            Start date:08/06/2022
            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):false
            Commandline:"powershell" Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender Security Center\\Notifications' -Name DisableNotifications -Value 1
            Imagebase:0x7ff619710000
            File size:447488 bytes
            MD5 hash:95000560239032BC68B4C2FDFCDEF913
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Reputation:high

            Target ID:12
            Start time:18:56:16
            Start date:08/06/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff77f440000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            No disassembly