
Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 763436
MD5: c52068b30d8334cec7c485a9499425a3
SHA1: cbab6baef2510f1628b566204b0a772bacc2b572
SHA256: 9bdaaf29a346c7c0f031d771985dd3af1cb50a01a9d9089cde17109454f9526d
Tags: exe

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Detected unpacking (overwrites its own PE header)
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
PE file has nameless sections
DNS related to crypt mining pools
Adds a directory exclusion to Windows Defender
Sets debug register (to hijack the execution of another thread)
Queries the volume information (name, serial number etc) of a device
Drops PE files to the application program directory (C:\ProgramData)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
PE file contains executable resources (Code or Archives)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)

Classification

Classification chart legend: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (verdict scale: clean, suspicious, malicious)
  • System is w10x64
  • file.exe (PID: 5020 cmdline: C:\Users\user\Desktop\file.exe MD5: C52068B30D8334CEC7C485A9499425A3)
    • powershell.exe (PID: 1276 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData' MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2264 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming' MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 3156 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp27DD.tmp.bat"" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 5240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 1780 cmdline: timeout 3 MD5: EB9A65078396FB5D4E3813BB9198CB18)
      • ILGDIYG.exe (PID: 3960 cmdline: "C:\ProgramData\mediaApp\ILGDIYG.exe" MD5: C52068B30D8334CEC7C485A9499425A3)
  • cleanup
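The process tree above, read together with the DNS query to xmr-eu1.nanopool.org later in the report, gives the behaviours a detection engineer would key on: file.exe spawns powershell.exe twice to add Defender exclusions for C:\ProgramData and the user's Roaming profile, relays through cmd.exe /c on a temporary .bat with a timeout 3 delay, and launches ILGDIYG.exe from C:\ProgramData\mediaApp with the same MD5 as file.exe (a dropped copy of itself), after which the copy resolves a Monero pool. The rules below are an added example, not part of the Joe Sandbox report or its engine: they run over hand-constructed Sysmon-style events (EID 1 process creation, EID 22 DNS query) built from the tree, so the event field names, the parent PID of file.exe and the small pool-domain list are assumptions.

```python
"""Detection rules for the behaviours in this report's process tree and DNS
section, run over constructed Sysmon-style events (EID 1 process creation,
EID 22 DNS query). Added example; the events are hand-written from the
report, not a real Sysmon export."""
import re

PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_MD5 = "C52068B30D8334CEC7C485A9499425A3"


def ps_exclusion_cmdline(path: str) -> str:
    """Command line shape used by the sample, parameterised on the excluded path."""
    return '"powershell" -Command Add-MpPreference -ExclusionPath ' + f"'{path}'"


# Constructed events (field names and file.exe's parent PID are assumptions).
EVENTS = [
    {"eid": 1, "pid": 5020, "ppid": 4100, "image": r"C:\Users\user\Desktop\file.exe",
     "cmd": r"C:\Users\user\Desktop\file.exe", "md5": SAMPLE_MD5},
    {"eid": 1, "pid": 1276, "ppid": 5020, "image": PS_IMAGE,
     "cmd": ps_exclusion_cmdline(r"C:\ProgramData"), "md5": "95000560239032BC68B4C2FDFCDEF913"},
    {"eid": 1, "pid": 2264, "ppid": 5020, "image": PS_IMAGE,
     "cmd": ps_exclusion_cmdline(r"C:\Users\user\AppData\Roaming"), "md5": "95000560239032BC68B4C2FDFCDEF913"},
    {"eid": 1, "pid": 3156, "ppid": 5020, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp27DD.tmp.bat""',
     "md5": "4E2ACF4F8A396486AB4268C94A6A245F"},
    {"eid": 1, "pid": 1780, "ppid": 3156, "image": r"C:\Windows\System32\timeout.exe",
     "cmd": "timeout 3", "md5": "EB9A65078396FB5D4E3813BB9198CB18"},
    {"eid": 1, "pid": 3960, "ppid": 3156, "image": r"C:\ProgramData\mediaApp\ILGDIYG.exe",
     "cmd": r'"C:\ProgramData\mediaApp\ILGDIYG.exe"', "md5": SAMPLE_MD5},
    {"eid": 22, "pid": 3960, "query": "xmr-eu1.nanopool.org"},
]

# Add-MpPreference or Set-MpPreference with any -Exclusion* parameter; the value
# may be single-quoted, double-quoted or bare.
EXCLUSION_RE = re.compile(
    r"""(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+(?:'([^']*)'|"([^"]*)"|([^\s"']+))""",
    re.IGNORECASE)

# Small hand-picked list of Monero pool domains plus a generic xmr-/monero- prefix;
# a real deployment would use a maintained feed (assumption, not from the report).
POOL_RE = re.compile(
    r"(?:^|\.)(?:nanopool\.org|supportxmr\.com|hashvault\.pro|moneroocean\.stream|2miners\.com)$"
    r"|^(?:xmr|monero)[-.]", re.IGNORECASE)


def defender_exclusions(events):
    """(pid, excluded value) for every PowerShell process that adds a Defender exclusion."""
    hits = []
    for e in events:
        if e["eid"] != 1 or not e["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
            continue
        m = EXCLUSION_RE.search(e["cmd"])
        if m:
            hits.append((e["pid"], next(g for g in m.groups() if g is not None)))
    return hits


def launches_from_excluded_dirs(events):
    """Process creations whose image sits under a directory excluded earlier in the
    log: the report's ILGDIYG.exe runs from ProgramData right after it is excluded."""
    excluded, hits = [], []
    for e in events:
        if e["eid"] != 1:
            continue
        for _pid, path in defender_exclusions([e]):
            excluded.append((path, path.lower().rstrip("\\") + "\\"))
        image = e["image"].lower()
        for path, prefix in excluded:
            if image.startswith(prefix):
                hits.append((e["pid"], e["image"], path))
                break
    return hits


def self_copy_relaunches(events):
    """(pid, ancestor pid) where a process has the same file hash as an ancestor but a
    different image path: a dropped copy of the original re-executing itself."""
    by_pid = {e["pid"]: e for e in events if e["eid"] == 1}
    hits = []
    for e in by_pid.values():
        seen, anc = set(), by_pid.get(e["ppid"])
        while anc is not None and anc["pid"] not in seen:
            seen.add(anc["pid"])
            if anc["md5"] == e["md5"] and anc["image"].lower() != e["image"].lower():
                hits.append((e["pid"], anc["pid"]))
                break
            anc = by_pid.get(anc["ppid"])
    return hits


def mining_pool_queries(events):
    """(pid, name) for DNS queries that match the pool pattern."""
    return [(e["pid"], e["query"]) for e in events
            if e["eid"] == 22 and POOL_RE.search(e["query"])]


def triage(events):
    """Collect the four findings; the verdict mirrors the report's mine + evasion labelling."""
    f = {
        "defender_exclusions": defender_exclusions(events),
        "launch_from_excluded_dir": launches_from_excluded_dirs(events),
        "self_copy_relaunch": self_copy_relaunches(events),
        "mining_pool_dns": mining_pool_queries(events),
    }
    f["verdict"] = "malicious:miner+evasion" if f["mining_pool_dns"] and f["defender_exclusions"] else "needs review"
    return f


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(f"{key}: {value}")
```

The exclusion rule deliberately accepts Set-MpPreference, pwsh.exe and unquoted values, because the one-liner in this report is only one spelling of the same technique. The launch-from-excluded-directory rule is the correlation worth alerting on: an exclusion on its own has benign uses, a binary starting from that directory seconds later rarely does. On a live host the current state can be read with `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath`.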
No configs have been found
Source      Rule               Description                                Author        Strings
dump.pcap   JoeSecurity_Xmrig  Yara detected Xmrig cryptocurrency miner   Joe Security
    No Sigma rule has matched
    No Snort rule has matched


    AV Detection

    Source: file.exe | Virustotal: Detection: 37%
    Source: C:\ProgramData\mediaApp\ILGDIYG.exe | ReversingLabs: Detection: 25%

    Bitcoin Miner

    Source: Yara match | File source: dump.pcap, type: PCAP
    Source: unknown | DNS query: name: xmr-eu1.nanopool.org

    Compliance

    Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.fa0000.0.unpack
    Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: file.exe, 00000000.00000002.419648290.0000000003C9A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://179.43.141.116/
    Source: file.exe, 00000000.00000002.419648290.0000000003C9A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://179.43.141.116/DLCGHOUL.php
    Source: file.exe, 00000000.00000002.419648290.0000000003C9A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://179.43.141.116/DLEBEBRA2.php
    Source: file.exe, 00000000.00000002.419648290.0000000003C9A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://179.43.141.116/DLIMSORRY.php
    Source: file.exe, 00000000.00000002.419648290.0000000003C9A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://179.43.141.116/DLIMSORRY.phpDLEBEBRA2.phpNLIFE.phpDLCGHOUL.phpVERBORROV.phpChromeApp.datchrom
    Source: file.exe, 00000000.00000002.419648290.0000000003C9A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://179.43.141.116/NLIFE.php
    Source: file.exe, 00000000.00000002.419648290.0000000003C9A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://179.43.141.116/VERBORROV.php
    Source: powershell.exe, 00000002.00000003.492268825.000002936A039000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: powershell.exe, 00000002.00000002.637847274.000002931005D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000002.00000002.506256366.0000029300209000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000001.00000002.519080549.0000028C1FE1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.506256366.0000029300209000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
    Source: file.exe, 00000000.00000002.419648290.0000000003C9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.508908266.0000028C1FC11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.498226351.0000029300001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000001.00000002.519080549.0000028C1FE1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.506256366.0000029300209000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
    Source: powershell.exe, 00000002.00000002.506256366.0000029300209000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: powershell.exe, 00000002.00000002.637847274.000002931005D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000002.00000002.637847274.000002931005D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000002.00000002.637847274.000002931005D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
    Source: powershell.exe, 00000002.00000002.506256366.0000029300209000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000001.00000003.438539315.0000028C21924000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000003.435724062.0000028C2183E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000003.433639856.0000028C217A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000003.436238490.0000028C21872000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
    Source: powershell.exe, 00000002.00000003.492632195.000002936A063000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.microsoft.co
    Source: powershell.exe, 00000002.00000002.637847274.000002931005D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
    Source: unknown | DNS traffic detected: queries for: xmr-eu1.nanopool.org

    System Summary

    Source: file.exe | Static PE information: section name: (empty)
    Source: file.exe | Static PE information: section name: (empty)
    Source: ILGDIYG.exe.0.dr | Static PE information: section name: (empty)
    Source: ILGDIYG.exe.0.dr | Static PE information: section name: (empty)
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF8164B1B1D
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF8164B01D0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF8164B2ADD
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF8164B0338
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF8164B0C88
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF8164B0480
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF8164B09E0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF8164B0228
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF8164B02C8
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF816540088
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02D995A3
    Source: file.exe | Static PE information: Resource name: MUI type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Source: ILGDIYG.exe.0.dr | Static PE information: Resource name: MUI type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Source: file.exe, 00000000.00000003.310600895.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename wmplayer.exe.muij% vs file.exe
    Source: file.exe, 00000000.00000002.419956882.0000000013CA1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename wmplayer.exe.muij% vs file.exe
    Source: file.exe, 00000000.00000002.413317817.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename clr.dllT vs file.exe
    Source: file.exe, 00000000.00000000.309351404.000000000107E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename wmplayer.exe.muij% vs file.exe
    Source: file.exe | Binary or memory string: OriginalFilename wmplayer.exe.muij% vs file.exe
    Source: file.exe | Static PE information: Section: ZLIB complexity 0.9971469056372549
    Source: ILGDIYG.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9971469056372549
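Several of the signatures in this report come from the section table alone: "PE file has nameless sections" and "PE file contains sections with non-standard names" from the names, the "ZLIB complexity 0.997" entries from a section whose bytes barely compress (packed or encrypted payload), and "changes PE section rights" from memory that ends up both writable and executable. The checker below is an added example and not Joe Sandbox's implementation: it parses the COFF header and section table with struct only, computes the zlib ratio and the Shannon entropy of each section, and runs on a minimal PE32+ image that build_pe() constructs in memory (the sample itself is not embedded). The 0.95 packed threshold and the list of "standard" section names are assumptions.

```python
"""Static section-table checks behind several signatures in this report.
Added example (not Joe Sandbox's own code): parses the COFF header and
section table with struct only and runs on a constructed PE32+ image."""
import hashlib
import math
import struct
import zlib

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
STANDARD_NAMES = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                  ".idata", ".edata", ".bss", ".tls", ".CRT", ".xdata"}
PACKED_THRESHOLD = 0.95   # assumption: zlib ratio above this is treated as packed/encrypted


def parse_sections(pe: bytes):
    """Return [(name, characteristics, raw_bytes)] from the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _symptr, _nsym, opt_size, _flags = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(nsec):
        (name, _vsize, _va, rsize, rptr,
         _rel, _lin, _nrel, _nlin, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"), chars, pe[rptr:rptr + rsize]))
    return sections


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0..8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Compressed size / raw size, the metric the report's signature quotes.
    Random or encrypted data gives ~1.0; repetitive data gives a small value."""
    return len(zlib.compress(data, 9)) / len(data) if data else 0.0


def check_sections(pe: bytes):
    """Return (section name, finding) pairs mirroring the report's static signatures."""
    findings = []
    for name, chars, raw in parse_sections(pe):
        if name == "":
            findings.append((name, "nameless"))
        elif name not in STANDARD_NAMES:
            findings.append((name, "nonstandard_name"))
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append((name, "writable_executable"))
        if len(raw) >= 256 and zlib_complexity(raw) > PACKED_THRESHOLD:
            findings.append((name, "packed"))
    return findings


def build_pe(sections, file_align=0x200):
    """Constructed minimal PE32+ image: sections = [(name, characteristics, data)].
    Only the fields parse_sections() reads are populated."""
    e_lfanew, opt_size = 0x40, 240
    headers_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_base = -(-headers_end // file_align) * file_align
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)   # PE32+ magic, rest zeroed
    table, bodies = b"", b""
    for name, chars, data in sections:
        rsize = -(-len(data) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                             len(data), 0x1000, rsize, raw_base + len(bodies), 0, 0, 0, 0, chars)
        bodies += data.ljust(rsize, b"\0")
    headers = dos + b"PE\0\0" + coff + opt + table
    return headers.ljust(raw_base, b"\0") + bodies


# Constructed sample image: a normal code section, a nameless RWX section holding
# pseudo-random bytes (stand-in for a packed payload), and an oddly named data section.
_CODE_LIKE = bytes(range(256)) * 16                       # entropy 8.0 yet highly compressible
_PACKED = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
SAMPLE_PE = build_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, _CODE_LIKE),
    ("", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE, _PACKED),
    (".xyz1", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, b"\0" * 512),
])

if __name__ == "__main__":
    for name, chars, raw in parse_sections(SAMPLE_PE):
        print(f"{name or '<nameless>':10s} chars=0x{chars:08X} "
              f"entropy={shannon_entropy(raw):.2f} zlib={zlib_complexity(raw):.3f}")
    print(check_sections(SAMPLE_PE))
```

The .text section in the constructed image is the reason both metrics are computed: its byte histogram is flat, so Shannon entropy reports the maximum 8.0 bits, but the data is a repeated pattern and zlib shrinks it to a fraction of its size. The compression ratio is therefore the more reliable packing indicator, which is what the report's 0.997 figure expresses. The writable-and-executable check only sees what the section table declares; the "changes PE section rights" signature in this report was raised at runtime, so a static pass on the on-disk file complements rather than replaces the sandbox observation.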
    Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
    Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp27DD.tmp.bat""
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 3
    Source: C:\Windows\System32\cmd.exe | Process created: C:\ProgramData\mediaApp\ILGDIYG.exe "C:\ProgramData\mediaApp\ILGDIYG.exe"
    Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.log
    Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\tmp27DD.tmp
    Source: classification engine | Classification label: mal100.evad.mine.winEXE@15/13@1/0
    Source: C:\Users\user\Desktop\file.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
    Source: C:\ProgramData\mediaApp\ILGDIYG.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\file.exe | Mutant created: \Sessions\1\BaseNamedObjects\ILGDIYG
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5240:120:WilError_01
    Source: file.exeString found in binary or memory: [2380:424:1022/231607.422:1060263343:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --launcher=on_logon_windows into Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-autolaunch
    Source: file.exeString found in binary or memory: [2380:424:1022/231607.422:1060263343:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window into Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost
    Source: file.exeString found in binary or memory: [2380:424:1022/231607.422:1060263343:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: SendsPings does not exist.
    Source: file.exeString found in binary or memory: [2380:424:1022/231607.422:1060263343:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: WebAccessible does not exist.
    Source: file.exeString found in binary or memory: [2380:424:1022/231607.422:1060263343:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: AutoRunOnOSUpgrade does not exist.
    Source: file.exeString found in binary or memory: [2380:424:1022/231607.422:1060263343:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: RunAsUser does not exist.
    Source: file.exeString found in binary or memory: [2380:424:1022/231607.422:1060263343:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: FinishBrowserReplacement does not exist.
    Source: file.exeString found in binary or memory: [2380:424:1022/231607.422:1060263343:VERBOSE1:set_reg_value_work_item.cc(203)] Successfully wrote into Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost
    Source: file.exeString found in binary or memory: [2380:424:1022/231607.532:1060263453:VERBOSE1:install.cc(798)] Launching ""C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{71CC2DE6-790A-4E0A-A6B8-EA54BEF4E0CA}\EDGEMITMP_6B55F.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1" to create shortcuts
    Source: file.exeString found in binary or memory: [8468:796:1022/231607.565:1060263484:VERBOSE1:setup_main.cc(2834)] Command Line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{71CC2DE6-790A-4E0A-A6B8-EA54BEF4E0CA}\EDGEMITMP_6B55F.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
    Source: file.exeString found in binary or memory: [2380:424:1022/231607.875:1060263796:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-installer into Software\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
    Source: file.exeString found in binary or memory: [5204:8444:1023/091548.323:1096244234:VERBOSE1:setup_main.cc(2834)] Command Line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1D012F43-BE58-4954-8AD3-3C1602B8C139}\EDGEMITMP_C6419.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1D012F43-BE58-4954-8AD3-3C1602B8C139}\MicrosoftEdge_X64_106.0.1370.52_106.0.1370.47.exe" --previous-version=106.0.1370.47 --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    Source: file.exeString found in binary or memory: [5204:8444:1023/091548.323:1096244234:VERBOSE1:setup_main.cc(2834)] Command Line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1D012F43-BE58-4954-8AD3-3C1602B8C139}\EDGEMITMP_C6419.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1D012F43-BE58-4954-8AD3-3C1602B8C139}\MicrosoftEdge_X64_106.0.1370.52_106.0.1370.47.exe" --previous-version=106.0.1370.47 --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    Source: file.exeString found in binary or memory: [5204:8444:1023/091549.057:1096244968:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /install appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20WebView&needsadmin=true&repairtype=windowsonlinerepair /installsource scheduler into Software\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft EdgeWebView
    Source: file.exeString found in binary or memory: [5204:8444:1023/091549.229:1096245140:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\msedge.exe" --from-installer into Software\Microsoft\EdgeUpdate\ClientState\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}
    Source: file.exeString found in binary or memory: [2616:2540:1030/021545.685:1675841593:VERBOSE1:setup_main.cc(2833)] Command Line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{024A7453-B322-498E-B128-451B8C130606}\EDGEMITMP_C8189.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{024A7453-B322-498E-B128-451B8C130606}\MicrosoftEdge_X64_107.0.1418.24_106.0.1370.52.exe" --previous-version=106.0.1370.52 --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
    Source: file.exeString found in binary or memory: [2616:2540:1030/021545.685:1675841593:VERBOSE1:setup_main.cc(2833)] Command Line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{024A7453-B322-498E-B128-451B8C130606}\EDGEMITMP_C8189.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{024A7453-B322-498E-B128-451B8C130606}\MicrosoftEdge_X64_107.0.1418.24_106.0.1370.52.exe" --previous-version=106.0.1370.52 --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
    Source: file.exeString found in binary or memory: [2616:2540:1030/021601.841:1675857750:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /install appguid={56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}&appname=Microsoft%20Edge&needsadmin=true&repairtype=windowsonlinerepair /installsource windows into Software\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Edge
    Source: file.exeString found in binary or memory: [2616:2540:1030/021601.950:1675857859:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --launcher=on_logon_windows into Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-autolaunch
    Source: file.exeString found in binary or memory: [2616:2540:1030/021601.950:1675857859:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window into Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost
    Source: file.exeString found in binary or memory: [2616:2540:1030/021601.950:1675857859:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: SendsPings does not exist.
    Source: file.exeString found in binary or memory: [2616:2540:1030/021601.950:1675857859:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: WebAccessible does not exist.
    Source: file.exeString found in binary or memory: [2616:2540:1030/021601.950:1675857859:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: AutoRunOnOSUpgrade does not exist.
    Source: file.exeString found in binary or memory: [2616:2540:1030/021601.950:1675857859:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: RunAsUser does not exist.
    Source: file.exeString found in binary or memory: [2616:2540:1030/021601.950:1675857859:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: FinishBrowserReplacement does not exist.
    Source: file.exeString found in binary or memory: [2616:2540:1030/021601.950:1675857859:VERBOSE1:set_reg_value_work_item.cc(203)] Successfully wrote into Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost
    Source: file.exeString found in binary or memory: [2616:2540:1030/021601.981:1675857890:VERBOSE1:install.cc(807)] Launching ""C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{024A7453-B322-498E-B128-451B8C130606}\EDGEMITMP_C8189.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1" to create shortcuts
    Source: file.exeString found in binary or memory: [1660:2780:1030/021602.013:1675857921:VERBOSE1:setup_main.cc(2833)] Command Line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{024A7453-B322-498E-B128-451B8C130606}\EDGEMITMP_C8189.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
    Source: file.exeString found in binary or memory: [2616:2540:1030/021602.169:1675858078:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-installer into Software\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
    Source: file.exeString found in binary or memory: [9724:316:1030/121516.125:1711812031:VERBOSE1:setup_main.cc(2833)] Command Line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A3A0A9F4-AD20-4F15-9361-157EB58DFB3B}\EDGEMITMP_A8F0C.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A3A0A9F4-AD20-4F15-9361-157EB58DFB3B}\MicrosoftEdge_X64_107.0.1418.24_106.0.1370.52.exe" --previous-version=106.0.1370.52 --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    Source: file.exeString found in binary or memory: [9724:316:1030/121516.125:1711812031:VERBOSE1:setup_main.cc(2833)] Command Line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A3A0A9F4-AD20-4F15-9361-157EB58DFB3B}\EDGEMITMP_A8F0C.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A3A0A9F4-AD20-4F15-9361-157EB58DFB3B}\MicrosoftEdge_X64_107.0.1418.24_106.0.1370.52.exe" --previous-version=106.0.1370.52 --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    Source: file.exeString found in binary or memory: [9724:316:1030/121516.906:1711812812:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /install appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20WebView&needsadmin=true&repairtype=windowsonlinerepair /installsource scheduler into Software\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft EdgeWebView
    Source: file.exeString found in binary or memory: [9724:316:1030/121517.094:1711813000:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\msedge.exe" --from-installer into Software\Microsoft\EdgeUpdate\ClientState\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}
    Source: file.exeString found in binary or memory: [8872:8988:1031/181600.748:1819856640:VERBOSE1:setup_main.cc(2833)] Command Line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0EDC9740-D74D-4D43-AF61-263AC5152025}\EDGEMITMP_5B73C.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0EDC9740-D74D-4D43-AF61-263AC5152025}\MicrosoftEdge_X64_107.0.1418.26_107.0.1418.24.exe" --previous-version=107.0.1418.24 --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
    Source: file.exeString found in binary or memory: [8872:8988:1031/181600.748:1819856640:VERBOSE1:setup_main.cc(2833)] Command Line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0EDC9740-D74D-4D43-AF61-263AC5152025}\EDGEMITMP_5B73C.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0EDC9740-D74D-4D43-AF61-263AC5152025}\MicrosoftEdge_X64_107.0.1418.26_107.0.1418.24.exe" --previous-version=107.0.1418.24 --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
    Source: file.exeString found in binary or memory: [8872:8988:1031/181611.873:1819867765:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /install appguid={56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}&appname=Microsoft%20Edge&needsadmin=true&repairtype=windowsonlinerepair /installsource windows into Software\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Edge
    Source: file.exeString found in binary or memory: [8872:8988:1031/181612.029:1819867921:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --launcher=on_logon_windows into Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-autolaunch
    Source: file.exeString found in binary or memory: [8872:8988:1031/181612.029:1819867921:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window into Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost
    Source: file.exeString found in binary or memory: [8872:8988:1031/181612.029:1819867921:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: SendsPings does not exist.
    Source: file.exe | String found in binary or memory: [8872:8988:1031/181612.029:1819867921:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: WebAccessible does not exist.
    Source: file.exe | String found in binary or memory: [8872:8988:1031/181612.029:1819867921:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: AutoRunOnOSUpgrade does not exist.
    Source: file.exe | String found in binary or memory: [8872:8988:1031/181612.029:1819867921:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: RunAsUser does not exist.
    Source: file.exe | String found in binary or memory: [8872:8988:1031/181612.029:1819867921:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: FinishBrowserReplacement does not exist.
    Source: file.exe | String found in binary or memory: [8872:8988:1031/181612.029:1819867921:VERBOSE1:set_reg_value_work_item.cc(203)] Successfully wrote into Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost
    Source: file.exe | String found in binary or memory: [8872:8988:1031/181612.076:1819867968:VERBOSE1:install.cc(807)] Launching ""C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0EDC9740-D74D-4D43-AF61-263AC5152025}\EDGEMITMP_5B73C.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1" to create shortcuts
    Source: file.exe | String found in binary or memory: [8488:2688:1031/181612.091:1819867984:VERBOSE1:setup_main.cc(2833)] Command Line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0EDC9740-D74D-4D43-AF61-263AC5152025}\EDGEMITMP_5B73C.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
    Source: file.exe | String found in binary or memory: [8872:8988:1031/181612.279:1819868171:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-installer into Software\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
    Source: file.exe | String found in binary or memory: [8920:6412:1101/051520.966:1859416890:VERBOSE1:setup_main.cc(2833)] Command Line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{DDABD3A5-463D-4DEC-B179-8B7F095B5879}\EDGEMITMP_06650.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{DDABD3A5-463D-4DEC-B179-8B7F095B5879}\MicrosoftEdge_X64_107.0.1418.26_107.0.1418.24.exe" --previous-version=107.0.1418.24 --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    Source: file.exe | String found in binary or memory: [8920:6412:1101/051521.747:1859417671:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /install appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20WebView&needsadmin=true&repairtype=windowsonlinerepair /installsource scheduler into Software\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft EdgeWebView
    Source: file.exe | String found in binary or memory: [8920:6412:1101/051521.919:1859417843:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\msedge.exe" --from-installer into Software\Microsoft\EdgeUpdate\ClientState\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}
    Source: file.exe | String found in binary or memory: [2380:2584:1105/201550.587:2259046484:VERBOSE1:setup_main.cc(2833)] Command Line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D2BC809-D5D0-40F3-9259-B4DE49E4741C}\EDGEMITMP_DD098.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D2BC809-D5D0-40F3-9259-B4DE49E4741C}\MicrosoftEdge_X64_107.0.1418.35_107.0.1418.26.exe" --previous-version=107.0.1418.26 --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
    Source: file.exe | String found in binary or memory: [2380:2584:1105/201601.290:2259057187:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /install appguid={56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}&appname=Microsoft%20Edge&needsadmin=true&repairtype=windowsonlinerepair /installsource windows into Software\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Edge
    Source: file.exe | String found in binary or memory: [2380:2584:1105/201601.462:2259057359:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --launcher=on_logon_windows into Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-autolaunch
    Source: file.exe | String found in binary or memory: [2380:2584:1105/201601.462:2259057359:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window into Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost
    Source: file.exe | String found in binary or memory: [2380:2584:1105/201601.462:2259057359:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: SendsPings does not exist.
    Source: file.exe | String found in binary or memory: [2380:2584:1105/201601.462:2259057359:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: WebAccessible does not exist.
    Source: file.exe | String found in binary or memory: [2380:2584:1105/201601.462:2259057359:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: AutoRunOnOSUpgrade does not exist.
    Source: file.exe | String found in binary or memory: [2380:2584:1105/201601.462:2259057359:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: RunAsUser does not exist.
    Source: file.exe | String found in binary or memory: [2380:2584:1105/201601.462:2259057359:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: FinishBrowserReplacement does not exist.
    Source: file.exe | String found in binary or memory: [2380:2584:1105/201601.462:2259057359:VERBOSE1:set_reg_value_work_item.cc(203)] Successfully wrote into Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost
    Source: file.exe | String found in binary or memory: [2380:2584:1105/201601.525:2259057421:VERBOSE1:install.cc(807)] Launching ""C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D2BC809-D5D0-40F3-9259-B4DE49E4741C}\EDGEMITMP_DD098.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1" to create shortcuts
    Source: file.exe | String found in binary or memory: [840:3344:1105/201601.558:2259057453:VERBOSE1:setup_main.cc(2833)] Command Line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D2BC809-D5D0-40F3-9259-B4DE49E4741C}\EDGEMITMP_DD098.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
    Source: file.exe | String found in binary or memory: [2380:2584:1105/201601.900:2259057796:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-installer into Software\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
    Source: file.exe | String found in binary or memory: [7792:8208:1106/061502.814:2294998703:VERBOSE1:setup_main.cc(2833)] Command Line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1DA54F86-800E-4E9B-AFE8-BE3157AC8E31}\EDGEMITMP_3CB92.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1DA54F86-800E-4E9B-AFE8-BE3157AC8E31}\MicrosoftEdge_X64_107.0.1418.35_107.0.1418.26.exe" --previous-version=107.0.1418.26 --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    Source: file.exe | String found in binary or memory: [7792:8208:1106/061503.611:2294999500:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /install appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20WebView&needsadmin=true&repairtype=windowsonlinerepair /installsource scheduler into Software\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft EdgeWebView
    Source: file.exe | String found in binary or memory: [7792:8208:1106/061503.814:2294999703:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\msedge.exe" --from-installer into Software\Microsoft\EdgeUpdate\ClientState\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}
    Source: file.exe | String found in binary or memory: [2428:9376:1112/222024.129:2871319781:VERBOSE1:setup_main.cc(2833)] Command Line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{40069721-F2A2-42FF-A0FF-2680B12546C3}\EDGEMITMP_C7252.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{40069721-F2A2-42FF-A0FF-2680B12546C3}\MicrosoftEdge_X64_107.0.1418.42_107.0.1418.35.exe" --previous-version=107.0.1418.35 --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
    Source: file.exe | String found in binary or memory: [2428:9376:1112/222037.774:2871333421:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /install appguid={56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}&appname=Microsoft%20Edge&needsadmin=true&repairtype=windowsonlinerepair /installsource windows into Software\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Edge
    Source: file.exe | String found in binary or memory: [2428:9376:1112/222037.922:2871333578:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --launcher=on_logon_windows into Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-autolaunch
    Source: file.exe | String found in binary or memory: [2428:9376:1112/222037.924:2871333578:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window into Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost
    Source: file.exe | String found in binary or memory: [2428:9376:1112/222037.925:2871333578:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: SendsPings does not exist.
    Source: file.exe | String found in binary or memory: [2428:9376:1112/222037.925:2871333578:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: WebAccessible does not exist.
    Source: file.exe | String found in binary or memory: [2428:9376:1112/222037.925:2871333578:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: AutoRunOnOSUpgrade does not exist.
    Source: file.exe | String found in binary or memory: [2428:9376:1112/222037.926:2871333578:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: RunAsUser does not exist.
    Source: file.exe | String found in binary or memory: [2428:9376:1112/222037.926:2871333578:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: FinishBrowserReplacement does not exist.
    Source: file.exe | String found in binary or memory: [2428:9376:1112/222037.926:2871333578:VERBOSE1:set_reg_value_work_item.cc(203)] Successfully wrote into Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost
    Source: file.exe | String found in binary or memory: [2428:9376:1112/222037.966:2871333625:VERBOSE1:install.cc(807)] Launching ""C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{40069721-F2A2-42FF-A0FF-2680B12546C3}\EDGEMITMP_C7252.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1" to create shortcuts
    Source: file.exe | String found in binary or memory: [5000:11148:1112/222037.981:2871333640:VERBOSE1:setup_main.cc(2833)] Command Line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{40069721-F2A2-42FF-A0FF-2680B12546C3}\EDGEMITMP_C7252.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
    Source: file.exe | String found in binary or memory: [2428:9376:1112/222038.189:2871333843:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-installer into Software\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
    Source: file.exe | String found in binary or memory: [5624:10764:1113/082112.272:2907367906:VERBOSE1:setup_main.cc(2833)] Command Line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D3BEE5AA-55FE-4F9A-9402-7DFB80C8FEAF}\EDGEMITMP_3950E.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D3BEE5AA-55FE-4F9A-9402-7DFB80C8FEAF}\MicrosoftEdge_X64_107.0.1418.42_107.0.1418.35.exe" --previous-version=107.0.1418.35 --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    Source: file.exe | String found in binary or memory: [5624:10764:1113/082113.037:2907368671:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /install appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20WebView&needsadmin=true&repairtype=windowsonlinerepair /installsource scheduler into Software\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft EdgeWebView
    Source: file.exe | String found in binary or memory: [5624:10764:1113/082113.256:2907368890:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\msedge.exe" --from-installer into Software\Microsoft\EdgeUpdate\ClientState\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}
    Source: file.exe | String found in binary or memory: [14992:13260:1120/002025.587:3483321218:VERBOSE1:setup_main.cc(2833)] Command Line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EB245740-9A45-407E-BEEC-C7784138A991}\EDGEMITMP_D9B30.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EB245740-9A45-407E-BEEC-C7784138A991}\MicrosoftEdge_X64_107.0.1418.52_107.0.1418.42.exe" --previous-version=107.0.1418.42 --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
    Source: file.exe | String found in binary or memory: [14992:13260:1120/002038.921:3483334546:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /install appguid={56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}&appname=Microsoft%20Edge&needsadmin=true&repairtype=windowsonlinerepair /installsource windows into Software\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Edge
    Source: file.exe | String found in binary or memory: [14992:13260:1120/002039.635:3483335265:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --launcher=on_logon_windows into Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-autolaunch
    Source: file.exe | String found in binary or memory: [14992:13260:1120/002039.649:3483335281:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window into Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost
    Source: file.exe | String found in binary or memory: [14992:13260:1120/002039.665:3483335296:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: SendsPings does not exist.
    Source: file.exe | String found in binary or memory: [14992:13260:1120/002039.680:3483335312:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: WebAccessible does not exist.
    Source: file.exe | String found in binary or memory: [14992:13260:1120/002039.696:3483335328:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: AutoRunOnOSUpgrade does not exist.
    Source: file.exe | String found in binary or memory: [14992:13260:1120/002039.711:3483335343:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: RunAsUser does not exist.
    Source: file.exe | String found in binary or memory: [14992:13260:1120/002039.727:3483335359:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: FinishBrowserReplacement does not exist.
    Source: file.exe | String found in binary or memory: [14992:13260:1120/002039.759:3483335390:VERBOSE1:set_reg_value_work_item.cc(203)] Successfully wrote into Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost
    Source: file.exe | String found in binary or memory: [14992:13260:1120/002039.844:3483335468:VERBOSE1:install.cc(807)] Launching ""C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EB245740-9A45-407E-BEEC-C7784138A991}\EDGEMITMP_D9B30.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1" to create shortcuts
    Source: file.exe | String found in binary or memory: [13752:10924:1120/002039.863:3483335500:VERBOSE1:setup_main.cc(2833)] Command Line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EB245740-9A45-407E-BEEC-C7784138A991}\EDGEMITMP_D9B30.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
    Source: file.exe | String found in binary or memory: [14992:13260:1120/002040.055:3483335687:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-installer into Software\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
    Source: file.exe | String found in binary or memory: [13264:5252:1120/102020.076:3519315703:VERBOSE1:setup_main.cc(2833)] Command Line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{560787A6-BEB6-458F-BF31-62160949EDC1}\EDGEMITMP_8E978.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{560787A6-BEB6-458F-BF31-62160949EDC1}\MicrosoftEdge_X64_107.0.1418.52_107.0.1418.42.exe" --previous-version=107.0.1418.42 --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    Source: file.exe | String found in binary or memory: [13264:5252:1120/102020.935:3519316562:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /install appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20WebView&needsadmin=true&repairtype=windowsonlinerepair /installsource scheduler into Software\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft EdgeWebView
    Source: file.exe | String found in binary or memory: [13264:5252:1120/102021.154:3519316781:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\msedge.exe" --from-installer into Software\Microsoft\EdgeUpdate\ClientState\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}
    Source: file.exe | String found in binary or memory: [10724:14152:1123/182044.178:3807339812:VERBOSE1:setup_main.cc(2833)] Command Line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9BE66962-C946-4184-95BC-D9EAA97D14E9}\EDGEMITMP_67A2B.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9BE66962-C946-4184-95BC-D9EAA97D14E9}\MicrosoftEdge_X64_107.0.1418.56_107.0.1418.52.exe" --previous-version=107.0.1418.52 --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
    Source: file.exe | String found in binary or memory: [10724:14152:1123/182058.216:3807353843:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /install appguid={56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}&appname=Microsoft%20Edge&needsadmin=true&repairtype=windowsonlinerepair /installsource windows into Software\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Edge
    Source: file.exe | String found in binary or memory: [10724:14152:1123/182058.387:3807354015:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --launcher=on_logon_windows into Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-autolaunch
    Source: file.exe | String found in binary or memory: [10724:14152:1123/182058.389:3807354015:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window into Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost
    Source: file.exe | String found in binary or memory: [10724:14152:1123/182058.389:3807354015:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: SendsPings does not exist.
    Source: file.exe | String found in binary or memory: [10724:14152:1123/182058.389:3807354015:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: WebAccessible does not exist.
    Source: file.exe | String found in binary or memory: [10724:14152:1123/182058.389:3807354015:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: AutoRunOnOSUpgrade does not exist.
    Source: file.exe | String found in binary or memory: [10724:14152:1123/182058.390:3807354015:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: RunAsUser does not exist.
    Source: file.exe | String found in binary or memory: [10724:14152:1123/182058.390:3807354015:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: FinishBrowserReplacement does not exist.
    Source: file.exe | String found in binary or memory: [10724:14152:1123/182058.390:3807354015:VERBOSE1:set_reg_value_work_item.cc(203)] Successfully wrote into Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost
    Source: file.exe | String found in binary or memory: [10724:14152:1123/182058.425:3807354046:VERBOSE1:install.cc(807)] Launching ""C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9BE66962-C946-4184-95BC-D9EAA97D14E9}\EDGEMITMP_67A2B.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1" to create shortcuts
    Source: file.exe | String found in binary or memory: [13900:17004:1123/182058.447:3807354078:VERBOSE1:setup_main.cc(2833)] Command Line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9BE66962-C946-4184-95BC-D9EAA97D14E9}\EDGEMITMP_67A2B.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
    Source: file.exe | String found in binary or memory: [10724:14152:1123/182058.668:3807354296:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-installer into Software\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
    Source: file.exe | String found in binary or memory: [17380:15048:1124/142058.559:3879354187:VERBOSE1:setup_main.cc(2833)] Command Line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8CC3B8EE-D3F5-4602-80D6-B8FA8E99F97E}\EDGEMITMP_7BB12.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8CC3B8EE-D3F5-4602-80D6-B8FA8E99F97E}\MicrosoftEdge_X64_107.0.1418.56_107.0.1418.52.exe" --previous-version=107.0.1418.52 --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    Source: file.exe | String found in binary or memory: [17380:15048:1124/142059.340:3879354968:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /install appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20WebView&needsadmin=true&repairtype=windowsonlinerepair /installsource scheduler into Software\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft EdgeWebView
    Source: file.exe | String found in binary or memory: [17380:15048:1124/142059.559:3879355187:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\msedge.exe" --from-installer into Software\Microsoft\EdgeUpdate\ClientState\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}
    Source: file.exe | String found in binary or memory: [4804:6420:1130/212053.634:95619593:VERBOSE1:setup_main.cc(2833)] Command Line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9F6888D0-1367-490A-9CFA-74829EAB6808}\EDGEMITMP_23CD2.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9F6888D0-1367-490A-9CFA-74829EAB6808}\MicrosoftEdge_X64_107.0.1418.62_107.0.1418.56.exe" --previous-version=107.0.1418.56 --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
    Source: file.exe | String found in binary or memory: [4804:6420:1130/212105.556:95631515:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /install appguid={56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}&appname=Microsoft%20Edge&needsadmin=true&repairtype=windowsonlinerepair /installsource windows into Software\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Edge
    Source: file.exe | String found in binary or memory: [4804:6420:1130/212105.666:95631625:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --launcher=on_logon_windows into Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-autolaunch
    Source: file.exe | String found in binary or memory: [4804:6420:1130/212105.666:95631625:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window into Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost
    Source: file.exe | String found in binary or memory: [4804:6420:1130/212105.666:95631625:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: SendsPings does not exist.
    Source: file.exe | String found in binary or memory: [4804:6420:1130/212105.666:95631625:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: WebAccessible does not exist.
    Source: file.exe | String found in binary or memory: [4804:6420:1130/212105.666:95631625:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: AutoRunOnOSUpgrade does not exist.
    Source: file.exe | String found in binary or memory: [4804:6420:1130/212105.666:95631625:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: RunAsUser does not exist.
    Source: file.exe | String found in binary or memory: [4804:6420:1130/212105.666:95631625:VERBOSE1:delete_reg_value_work_item.cc(43)] (delete value) Key: Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost or Value: FinishBrowserReplacement does not exist.
    Source: file.exe | String found in binary or memory: [4804:6420:1130/212105.666:95631625:VERBOSE1:set_reg_value_work_item.cc(203)] Successfully wrote into Software\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-startup-boost
    Source: file.exe | String found in binary or memory: [4804:6420:1130/212105.728:95631687:VERBOSE1:install.cc(807)] Launching ""C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9F6888D0-1367-490A-9CFA-74829EAB6808}\EDGEMITMP_23CD2.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1" to create shortcuts
    Source: file.exe | String found in binary or memory: [5360:3336:1130/212105.744:95631703:VERBOSE1:setup_main.cc(2833)] Command Line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9F6888D0-1367-490A-9CFA-74829EAB6808}\EDGEMITMP_23CD2.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
    Source: file.exe | String found in binary or memory: [4804:6420:1130/212105.900:95631859:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-installer into Software\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
    Source: file.exe | String found in binary or memory: [7768:5188:1201/072045.917:131611875:VERBOSE1:setup_main.cc(2833)] Command Line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3406201F-8BA8-4709-A8E9-55F62F30608D}\EDGEMITMP_1BC1D.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3406201F-8BA8-4709-A8E9-55F62F30608D}\MicrosoftEdge_X64_107.0.1418.62_107.0.1418.56.exe" --previous-version=107.0.1418.56 --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    Source: file.exe | String found in binary or memory: [7768:5188:1201/072046.784:131612750:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /install appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20WebView&needsadmin=true&repairtype=windowsonlinerepair /installsource scheduler into Software\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft EdgeWebView
    Source: file.exe | String found in binary or memory: [7768:5188:1201/072046.922:131612890:VERBOSE1:uninstall.cc(1350)] Attempting to move setup.exe to: C:\Windows\Temp\8df52ec3-6cfa-4d8c-add2-59ab3cbf0afe.tmp
    Source: file.exe | String found in binary or memory: [7768:5188:1201/072047.011:131612968:VERBOSE1:set_reg_value_work_item.cc(199)] Successfully wrote value "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\msedge.exe" --from-installer into Software\Microsoft\EdgeUpdate\ClientState\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
    Source: file.exe | Static file information: File size 1487872 > 1048576
    Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

    Data Obfuscation

    Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.fa0000.0.unpack
    Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.fa0000.0.unpack Unknown_Section0:ER;.rsrc:R;Unknown_Section2:EW; vs Unknown_Section0:ER;Unknown_Section1:R;
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FAB8F6 push rbx; retf 0_2_00FAB904
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FA819D push rbx; retf 0_2_00FA8212
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FA814F push rbx; retf 0_2_00FA8212
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FA5377 push rdx; iretd 0_2_00FA538E
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FA5D3E push 0000002Fh; retf 0_2_00FA5D41
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF81656C452 push cs; ret 0_2_00007FF81656C453
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF81656C418 push eax; ret 0_2_00007FF81656C419
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF81654F007 push ecx; iretd 0_2_00007FF81654F010
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF81654CF10 push cs; iretd 0_2_00007FF81654CF17
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF81656C3D4 pushfd ; ret 0_2_00007FF81656C3D5
    Source: file.exe | Static PE information: section name:
    Source: ILGDIYG.exe.0.dr | Static PE information: section name:
    Source: file.exe | Static PE information: 0xB9B5B8CF [Mon Sep 24 06:38:07 2068 UTC]
    Source: initial sample | Static PE information: section name: entropy: 7.994379109673305
    Source: C:\Users\user\Desktop\file.exe | File created: C:\ProgramData\mediaApp\ILGDIYG.exe
    Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\ProgramData\mediaApp\ILGDIYG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\ProgramData\mediaApp\ILGDIYG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\ProgramData\mediaApp\ILGDIYG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\ProgramData\mediaApp\ILGDIYG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\ProgramData\mediaApp\ILGDIYG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\ProgramData\mediaApp\ILGDIYG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\ProgramData\mediaApp\ILGDIYG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 0000000002DA6DEF instructions caused by: Self-modifying code
    Source: C:\ProgramData\mediaApp\ILGDIYG.exe Special instruction interceptor: First address: 0000000001226D9F instructions caused by: Self-modifying code
    Source: file.exe Binary or memory string: WINDBG.EXE
    Source: file.exe, 00000000.00000002.418380043.0000000001158000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: IDAQ64.EXEWINDBG.EXEMSVSMON.EXEFDBG.EXEWIN64_REMOTEX64.EXEIDAG64.EXEX64_DBG.EXE
    Source: C:\Users\user\Desktop\file.exe TID: 5576 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\Desktop\file.exe TID: 4860 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 496 Thread sleep count: 9718 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1120 Thread sleep time: -3689348814741908s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5596 Thread sleep count: 9777 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5588 Thread sleep time: -4611686018427385s >= -30000s
    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
    Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9718
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9777
    Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation
    Source: file.exe, 00000000.00000002.418742439.0000000002D90000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: <\\.\VBoxGuest
    Source: file.exe Binary or memory string: \\.\VBoxGuest

    Anti Debugging

    Source: C:\ProgramData\mediaApp\ILGDIYG.exe Open window title or class name: ollydbg
    Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
    Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
    Source: C:\Users\user\Desktop\file.exe Process queried: DebugObjectHandle
    Source: C:\Users\user\Desktop\file.exe Process queried: DebugFlags
    Source: C:\ProgramData\mediaApp\ILGDIYG.exe Process queried: DebugPort
    Source: C:\ProgramData\mediaApp\ILGDIYG.exe Process queried: DebugObjectHandle
    Source: C:\ProgramData\mediaApp\ILGDIYG.exe Process queried: DebugFlags
    Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
    Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
    Source: C:\Users\user\Desktop\file.exe Thread register set: 5020 501
    Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp27DD.tmp.bat""
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 3
    Source: C:\Windows\System32\cmd.exe Process created: C:\ProgramData\mediaApp\ILGDIYG.exe "C:\ProgramData\mediaApp\ILGDIYG.exe"
    Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
    Source: C:\ProgramData\mediaApp\ILGDIYG.exe Queries volume information: C:\ProgramData\mediaApp\ILGDIYG.exe VolumeInformation
    MITRE ATT&CK Matrix (techniques listed per tactic column, in the report's row order; digits preceding a technique are the badge numbers the report shows for that cell, kept as extracted)

    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
    Execution: 2 Command and Scripting Interpreter; 1 Scripting; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
    Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
    Privilege Escalation: 111 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
    Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 131 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Scripting; 2 Obfuscated Files or Information; 22 Software Packing; 1 Timestomp
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
    Discovery: 411 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 111 System Information Discovery; System Owner/User Discovery; Network Sniffing; Network Service Scanning
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
    Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
    Command and Control: 1 Encrypted Channel; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
    Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
    Behavior Graph (ID: 763436, Sample: file.exe, Start date: 08/12/2022, Architecture: WINDOWS, Score: 100)

    Top-level signatures: Multi AV Scanner detection for submitted file; Yara detected Xmrig cryptocurrency miner; DNS related to crypt mining pools; 2 other signatures
    DNS: xmr-eu1.nanopool.org

    file.exe (started)
      Dropped: C:\ProgramData\mediaApp\ILGDIYG.exe (MS-DOS); C:\Users\user\AppData\Local\...\file.exe.log (CSV)
      Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Sets debug register (to hijack the execution of another thread); 2 other signatures
      cmd.exe (started)
        ILGDIYG.exe (started)
          Signatures: Multi AV Scanner detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (window names); Tries to evade debugger and weak emulator (self modifying code)
        conhost.exe (started)
        timeout.exe (started)
      powershell.exe (started)
        conhost.exe (started)
      powershell.exe (started)
        conhost.exe (started)

    Source | Detection | Scanner | Label
    file.exe | 38% | Virustotal |
    Source | Detection | Scanner | Label
    C:\ProgramData\mediaApp\ILGDIYG.exe | 25% | ReversingLabs | Win64.Trojan.Lazy
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label
    http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
    https://go.microsoft.co | 0% | URL Reputation | safe
    https://go.micro | 0% | URL Reputation | safe
    https://contoso.com/ | 0% | URL Reputation | safe
    https://contoso.com/License | 0% | URL Reputation | safe
    https://contoso.com/Icon | 0% | URL Reputation | safe
    http://179.43.141.116/VERBORROV.php | 0% | Avira URL Cloud | safe
    http://179.43.141.116/VERBORROV.php | 0% | Virustotal |
    http://179.43.141.116/DLCGHOUL.php | 0% | Avira URL Cloud | safe
    http://179.43.141.116/NLIFE.php | 0% | Avira URL Cloud | safe
    http://179.43.141.116/ | 0% | Avira URL Cloud | safe
    http://179.43.141.116/NLIFE.php | 2% | Virustotal |
    http://179.43.141.116/DLIMSORRY.phpDLEBEBRA2.phpNLIFE.phpDLCGHOUL.phpVERBORROV.phpChromeApp.datchrom | 0% | Avira URL Cloud | safe
    http://179.43.141.116/DLCGHOUL.php | 0% | Virustotal |
    http://179.43.141.116/DLEBEBRA2.php | 0% | Avira URL Cloud | safe
    http://179.43.141.116/DLIMSORRY.php | 0% | Avira URL Cloud | safe


    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    xmr-eu1.nanopool.org | 51.68.190.80 | true | false | | high
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.637847274.000002931005D000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://179.43.141.116/VERBORROV.php | file.exe, 00000000.00000002.419648290.0000000003C9A000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
    http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.506256366.0000029300209000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://go.microsoft.co | powershell.exe, 00000002.00000003.492632195.000002936A063000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000001.00000002.519080549.0000028C1FE1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.506256366.0000029300209000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.506256366.0000029300209000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://179.43.141.116/NLIFE.php | file.exe, 00000000.00000002.419648290.0000000003C9A000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal; Avira URL Cloud: safe | unknown
    https://go.micro | powershell.exe, 00000001.00000003.438539315.0000028C21924000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000003.435724062.0000028C2183E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000003.433639856.0000028C217A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000003.436238490.0000028C21872000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000001.00000002.519080549.0000028C1FE1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.506256366.0000029300209000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://contoso.com/ | powershell.exe, 00000002.00000002.637847274.000002931005D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.637847274.000002931005D000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://contoso.com/License | powershell.exe, 00000002.00000002.637847274.000002931005D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://contoso.com/Icon | powershell.exe, 00000002.00000002.637847274.000002931005D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://179.43.141.116/DLCGHOUL.php | file.exe, 00000000.00000002.419648290.0000000003C9A000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
    http://179.43.141.116/DLIMSORRY.phpDLEBEBRA2.phpNLIFE.phpDLCGHOUL.phpVERBORROV.phpChromeApp.datchrom | file.exe, 00000000.00000002.419648290.0000000003C9A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | file.exe, 00000000.00000002.419648290.0000000003C9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.508908266.0000028C1FC11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.498226351.0000029300001000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://179.43.141.116/ | file.exe, 00000000.00000002.419648290.0000000003C9A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.506256366.0000029300209000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://179.43.141.116/DLEBEBRA2.php | file.exe, 00000000.00000002.419648290.0000000003C9A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://179.43.141.116/DLIMSORRY.php | file.exe, 00000000.00000002.419648290.0000000003C9A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    No contacted IP infos
                    Joe Sandbox Version:36.0.0 Rainbow Opal
                    Analysis ID:763436
                    Start date and time:2022-12-08 13:31:36 +01:00
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 11m 1s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Sample file name:file.exe
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                    Number of new started processes analysed:15
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal100.evad.mine.winEXE@15/13@1/0
                    EGA Information:Failed
                    HDC Information:
                    • Successful, ratio: 41.9% (good quality ratio 34.9%)
                    • Quality average: 60.7%
                    • Quality standard deviation: 28.8%
                    HCA Information:Failed
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe
                    • Execution Graph export aborted for target file.exe, PID 5020 because it is empty
                    • Not all processes were analyzed, report is missing behavior information
                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                    • Report size getting too big, too many NtSetInformationFile calls found.
                    Time | Type | Description
                    13:33:20 | API Interceptor | 84x Sleep call for process: powershell.exe modified
                    13:34:40 | Task Scheduler | Run new task: ILGDIYG path: C:\ProgramData\mediaApp\ILGDIYG.exe
                    No context
                    Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                    xmr-eu1.nanopool.org | file.exe | Get hash | malicious | Browse | 51.68.143.81
                    | file.exe | Get hash | malicious | Browse | 51.15.65.182
                    | file.exe | Get hash | malicious | Browse | 51.68.190.80
                    | file.exe | Get hash | malicious | Browse | 51.68.137.66
                    | file.exe | Get hash | malicious | Browse | 51.15.78.68
                    | file.exe | Get hash | malicious | Browse | 51.15.78.68
                    | file.exe | Get hash | malicious | Browse | 51.15.78.68
                    | file.exe | Get hash | malicious | Browse | 51.83.33.228
                    | file.exe | Get hash | malicious | Browse | 51.255.34.118
                    | file.exe | Get hash | malicious | Browse | 51.68.137.66
                    | file.exe | Get hash | malicious | Browse | 51.15.54.102
                    | file.exe | Get hash | malicious | Browse | 51.15.58.224
                    | file.exe | Get hash | malicious | Browse | 46.105.31.147
                    | file.exe | Get hash | malicious | Browse | 51.255.34.118
                    | file.exe | Get hash | malicious | Browse | 51.15.78.68
                    | file.exe | Get hash | malicious | Browse | 51.68.137.66
                    | file.exe | Get hash | malicious | Browse | 51.68.190.80
                    | file.exe | Get hash | malicious | Browse | 51.255.34.118
                    | file.exe | Get hash | malicious | Browse | 135.125.238.108
                    | file.exe | Get hash | malicious | Browse | 51.15.54.102
                    No context
                    No context
                    No context
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:MS-DOS executable PE32+ executable (GUI) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):1487872
                    Entropy (8bit):7.088673659742136
                    Encrypted:false
                    SSDEEP:24576:IvQbM3SfAES6h9ofAasIUSdHxHBB1dL/Us7bIDEuSuFBH/glqAcFtD3FTesWpDx8:IvQbM3SfAES6h9ofAasIUSdHxHBB1dLt
                    MD5:C52068B30D8334CEC7C485A9499425A3
                    SHA1:CBAB6BAEF2510F1628B566204B0A772BACC2B572
                    SHA-256:9BDAAF29A346C7C0F031D771985DD3AF1CB50A01A9D9089CDE17109454F9526D
                    SHA-512:F753421ED384551F1D57DCEF7F90221127780020E5BDABE5EBF1EDD4F2DFC233E005F3E7731A2241B1FF44A18A1DA2F343169BD8142E489DCAC06B4B79841B61
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 25%
                    Preview:MZ..Q...NA$...wQF....>....;.,.pA.W..).^...U#...F..|...Fl^............!..L.!This program cannot be run in DOS mode....$.......................................................................................................................................PE..d................"...0..O..,............ ....@...... ....................... .......'....@...@......@............... ..................................<........................................................................................................................ ...................... ..`.rsrc...<...........................@..@...................................`...........................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\ProgramData\mediaApp\ILGDIYG.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):5389328
                    Entropy (8bit):7.9999647519387125
                    Encrypted:true
                    SSDEEP:98304:7MON6o/Op1SeSvQ4LJpDAf0WUzGJuZmd/7P2FqMakLWa6c0pPqFluJDUs4/G+f:7MOcr7+LJpUf6aJuk7Mak6rczFluNUNB
                    MD5:A3D7148655137E92C28B33E48D088088
                    SHA1:BC98804ABF481E58C925A0810C519C6C5F2D3AC0
                    SHA-256:5B0BFB92BB76A12C69669A08EF723377B9EAAF50EAB6FE83B4C3F21D593F998F
                    SHA-512:CA131CE06BC6CBD47A58CC11F80A4DB576EFFA3325F11222123FD6829589F29F894834679E09C3E50A50EF8019325D1A6FFFAB07D49FDA43179A544EA4697373
                    Malicious:false
                    Preview:.....Y0.{.d...-s..sCu..RB..z..$.$F.2.b.........(dZ./..W\O...o`T<..........b\....F...9H.~^.tl.......z.-L..AC.).%We1.@.P......{X...mF..O.....b..F...\....C."..].~...t.c..Gg..+..R<.yq...y......;GO........~...X..9..;..7...5Dy.A.!...R.,.0.....J.! 5.e...<s:....r=}[.......?..w.i)Y..*...6.!..=.8...V.-.....a...M.=...4.?.pr..y.]..m..9.4.X..f.j.W.7..?k..op....N)..'.....W\K.&.[.....cFip$......T...(..%.........\.."....pn..Q@Dl.. .ge%..z..a....\Qh.ls..^.8_.K..\.D .......yD....;......D.s...N6.S.1....X..3!p&.;.....1....'~_.+pc...v3....b..^f......\q.E...@@.........3.y.i..5`...E'.L...PM..Yq.frX.wXm.vRG......X@......p.=.6........^.......S...1.. /.#X.u.....l.*....U..'..4.Z.o....Bo..<. '....`.s..d...6t.....t(/]]&./rI.f..N...dj..S`.(.1_.@.|....U`../D..]9.O..u.!.?4....:C...=.7...gg.:.=..d...H.~..I....9;..q..9....E.u>>M.Se..\].>..O.~.....n.'..Nj.p..}..[....{RAAQ....eE..f_.=.X..!...#.7.....kY.).^..>.on..7..T....{..m.5...Zz.. z..1[..}?..r.p.*...7L....r.tgb..4.....3..@.P
                    Process:C:\ProgramData\mediaApp\ILGDIYG.exe
                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                    Category:dropped
                    Size (bytes):95225
                    Entropy (8bit):7.917118889034992
                    Encrypted:false
                    SSDEEP:1536:Cs1w4Z3Vx9l/u05MNSWKwNLFb0B/TKxCH8qHwRDBt+gjzm41AEL:t1XZ3tl2Z/KuL6B/UCcMi7jzmYT
                    MD5:5350B9834AD582A8D4F4688A95CD4DEA
                    SHA1:11BBA495AB8550B0EB030CC8A87E64C4341E80CA
                    SHA-256:38E8D3DA7CD9C443557EA94B4EB29A56D3D637534668FDFF980C448DA10FF49E
                    SHA-512:EA3C7F820A08A7A3E8BFDE9FB519FEFD61C208343B0CD82600C4F73EEB7369A587C14A9EFDD1F08C8968CEAAAFC5AD7A17231880921A7A570D47A5C8A185F5EF
                    Malicious:false
                    Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.A.:.....X.l..1lN23....._....m.....'.........S.. ..W....'.c....1....5.5.}j.Ly..k;.\...q.U..Q...bgJpW.(QKI]&b.QE.&(..Y.)....\..._.|.'..wy.....h..S'.8.gc.k...S~.............?.M....?.7?...Y.x.{&|.E{....B.......~..
                    Process:C:\ProgramData\mediaApp\ILGDIYG.exe
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):1498
                    Entropy (8bit):5.35852734882506
                    Encrypted:false
                    SSDEEP:24:ML9E4KrL1qE4GiD0E4KeGasXE4+jKDE4KGKN08AKhPKIE4TKD1KoZAE4KKPz:MxHKn1qHGiD0HKeGpH+jYHKGD8AoPtHt
                    MD5:6A58EE2A7D4DC730F93D30EEBDCEB10B
                    SHA1:99050F652EC029E2E692B558D4A413D1530D32A1
                    SHA-256:9BBDE201A4B928272C49A58B7B69B29D996AC5D5431EB77ACFD6A96F8C19CE95
                    SHA-512:05B07348E177115CC694C8AA41CA618AA6556B45CE1B1E50A02CCB44885E30FD16722FD7B1A9DCEE56A751EF3339B4DEAB455EEF2080794145CA8070CE7D890C
                    Malicious:false
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\d0f4eb5b1d0857aabc3e7dd079735875\System.Management.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.3
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):660
                    Entropy (8bit):5.390020766762198
                    Encrypted:false
                    SSDEEP:12:Q3La/KDLI4MWuPTxAI51KDLI4MN5P6D1BakvoDLI4MWuPak2kL0nk7v:ML9E4KrL1qE4GiD0E4KeGj
                    MD5:ED176F7B2A92AFE2E5D2FE638497B180
                    SHA1:AC0CE61B4C1398CE766F3C34269C7B6AEDE78926
                    SHA-256:08EDDC037583A4B1815D4FBC4A4CA7356BF81A7F7D5E72F1EBA6289474D94B65
                    SHA-512:A83D3A4E144576DB06390142ECAF7527D858635FA5DF9CD6ABB7DA67CA91D8647216088023E9C79A06D1DC6BCAE380DE11175B2DA85A5C44E1ABBAB0330BCB06
                    Malicious:true
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):18817
                    Entropy (8bit):5.004929862695359
                    Encrypted:false
                    SSDEEP:384:Kwib4LEVoGIpN6KQkj2jkjh4iUxLzp0ifOdBVNXp5xvOjJpYoY4Qib4w:KEEV3IpNBQkj22h4iUxLzp0ifOdBVNZY
                    MD5:DA4B150893016C59B1E5DE988406A425
                    SHA1:9CAF9C1A8F844A0FA8D88DC30F29BE7B023E7079
                    SHA-256:5107772D1007FD535B026DF52ADF8864E7C2D4C1ACAB3CD03A5C112517A426DF
                    SHA-512:533A894A8EBB39BF2D785C8E715615A994DF6D797650FCD1D7A3949C90F2682B24BFA596BD2CED15B7BA8817483E68D96D968AC64D784176D53584A116ECEDE0
                    Malicious:false
                    Preview:PSMODULECACHE.............S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script..........Y.....C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1296
                    Entropy (8bit):5.348699259158066
                    Encrypted:false
                    SSDEEP:24:3vJPpQrLAo4KAxX5qRPD42HOoVZe9t4CvKuKnKJRSF8PQAM:BPerB4nqRL/Hvfe9t4Cv94aR48oAM
                    MD5:1CC3B13F744ADD4450C6CDC733A429DA
                    SHA1:64D285E38198EA9265951B03AC728F9F9516FB7E
                    SHA-256:3E78528319AF351A6B0A0E255F231E9DFD88DA379CE827F62F09883D0E6A9F2F
                    SHA-512:BBE1C678A33031F91864C80D56D1672FCEDC8C63F2CC49C5A718F8D86A444D0D0B94A83B043AA472E207C00A97254FA827118BCD2B218F5BAE71EDEBBEB43B85
                    Malicious:false
                    Preview:@...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:very short file (no magic)
                    Category:dropped
                    Size (bytes):1
                    Entropy (8bit):0.0
                    Encrypted:false
                    SSDEEP:3:U:U
                    MD5:C4CA4238A0B923820DCC509A6F75849B
                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                    Malicious:false
                    Preview:1
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:very short file (no magic)
                    Category:dropped
                    Size (bytes):1
                    Entropy (8bit):0.0
                    Encrypted:false
                    SSDEEP:3:U:U
                    MD5:C4CA4238A0B923820DCC509A6F75849B
                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                    Malicious:false
                    Preview:1
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:very short file (no magic)
                    Category:dropped
                    Size (bytes):1
                    Entropy (8bit):0.0
                    Encrypted:false
                    SSDEEP:3:U:U
                    MD5:C4CA4238A0B923820DCC509A6F75849B
                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                    Malicious:false
                    Preview:1
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:very short file (no magic)
                    Category:dropped
                    Size (bytes):1
                    Entropy (8bit):0.0
                    Encrypted:false
                    SSDEEP:3:U:U
                    MD5:C4CA4238A0B923820DCC509A6F75849B
                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                    Malicious:false
                    Preview:1
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:DOS batch file, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):144
                    Entropy (8bit):5.130092516705764
                    Encrypted:false
                    SSDEEP:3:mKDDCMNqTtvL5mZkREHvcTspCgJSmqRDt+kiE2J5xAInTRI9SdGZPy:hWKqTtTPacHmq1wkn23fTddGk
                    MD5:F8974C88993CF2C50C3F0FAA834FE956
                    SHA1:B06D4CC58BB4DEF32932718D09F9F2682BAA45E8
                    SHA-256:76A1783A6CC1594ABF08E923E277BE30EABFAAA46E0DC16042781663FA4A238C
                    SHA-512:B6559C718A334E8736080CA64E5155F44DF820591134DB09A3D4A5D72879A146CA95037BAB9BF028E4491126A44518F9705090BFCF09209607558BA7F442B06B
                    Malicious:false
                    Preview:@echo off..timeout 3 > NUL..START "" "C:\ProgramData\mediaApp\ILGDIYG.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp27DD.tmp.bat" /f /q..
                    Process:C:\Windows\System32\timeout.exe
                    File Type:ASCII text, with CRLF line terminators, with overstriking
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.41440934524794
                    Encrypted:false
                    SSDEEP:3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
                    MD5:3DD7DD37C304E70A7316FE43B69F421F
                    SHA1:A3754CFC33E9CA729444A95E95BCB53384CB51E4
                    SHA-256:4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
                    SHA-512:713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
                    Malicious:false
                    Preview:..Waiting for 3 seconds, press a key to continue ....2.1.0..
                    File type:MS-DOS executable PE32+ executable (GUI) x86-64, for MS Windows
                    Entropy (8bit):7.088673659742136
                    TrID:
                    • Win64 Executable GUI (202006/5) 93.52%
                    • Win64 Executable (generic) (12005/4) 5.56%
                    • DOS Executable Generic (2002/1) 0.93%
                    File name:file.exe
                    File size:1487872
                    MD5:c52068b30d8334cec7c485a9499425a3
                    SHA1:cbab6baef2510f1628b566204b0a772bacc2b572
                    SHA256:9bdaaf29a346c7c0f031d771985dd3af1cb50a01a9d9089cde17109454f9526d
                    SHA512:f753421ed384551f1d57dcef7f90221127780020e5bdabe5ebf1edd4f2dfc233e005f3e7731a2241b1ff44a18a1da2f343169bd8142e489dcac06b4b79841b61
                    SSDEEP:24576:IvQbM3SfAES6h9ofAasIUSdHxHBB1dL/Us7bIDEuSuFBH/glqAcFtD3FTesWpDx8:IvQbM3SfAES6h9ofAasIUSdHxHBB1dLt
                    TLSH:4E653B0276CA5096FB93B6F15BF5EB38937BB2D3C2C54A2D35AA650386C1E410E160F7
                    File Content Preview:MZ..Q...NA$...wQF......>.....;.,.pA.W..).^...U#...F..|...Fl^............!..L.!This program cannot be run in DOS mode....$......................................................................................................................................
                    Icon Hash:00828e8e8686b000
                    Entrypoint:0x5b81b8
                    Entrypoint Section:
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                    Time Stamp:0xB9B5B8CF [Mon Sep 24 06:38:07 2068 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:796f43dede9da30aa343765b717da9aa
                    Instruction
                    jmp 00007FACF06F5014h
                    jmp 00007FACF06F519Ch
                    jmp 00007FACF06F4D35h
                    xor dword ptr [esi], 75h
                    hlt
                    jmp 00007FACF06F4F4Ch
                    jmp 00007FACF06F4D34h
                    adc dword ptr [ebp+03E0840Fh], ebp
                    add byte ptr [eax], al
                    jmp 00007FACF06F4F00h
                    nop
                    jmp 00007FACF06F4D34h
                    cmp byte ptr [ebx+41h], cl
                    shl edx, 10h
                    jmp 00007FACF06F4D35h
                    add byte ptr [ebx-2FF4BA33h], bl
                    jnc 00007FACF06F4D34h
                    adc dword ptr [ebp-143D74BFh], 01h
                    mov dword ptr [08C48348h], eax
                    jmp 00007FACF06F4D33h
                    mov word ptr [ecx], seg?
                    add eax, 0000041Ch
                    jno 00007FACF06F4D33h
                    dec ax
                    lea edx, dword ptr [0000041Ah]
                    jmp 00007FACF06F4D33h
                    cmp byte ptr [ebx+ecx*4+05h], al
                    or al, 04h
                    add byte ptr [eax], al
                    jmp 00007FACF06F4D33h
                    fimul dword ptr [ebp+ecx*4+0Dh]
                    add eax, dword ptr [eax]
                    add bl, ch
                    add edi, eax
                    xor dword ptr [000003EDh], eax
                    jc 00007FACF06F4D9Eh
                    xor dword ptr [000003E9h], eax
                    jno 00007FACF06F4D34h
                    xor dword ptr [ecx+esi+0003D705h], ebp
                    add byte ptr [eax+4Fh], dh
                    dec eax
                    lea ecx, dword ptr [000003E2h]
                    jmp 00007FACF06F4D34h
                    mov al, byte ptr [edi+edx*2+56E201EBh]
                    jmp 00007FACF06F4D34h
                    arpl word ptr [edx+41h], di
                    push esp
                    jmp 00007FACF06F4D33h
                    xor byte ptr [ecx+55h], al
                    jmp 00007FACF06F4D35h
                    add eax, 564172CFh
                    jmp 00007FACF06F4D35h
                    retn 4165h
                    push edi
                    jmp 00007FACF06F4D34h
                    inc esp
                    ficom word ptr [ebx-15h]
                    add esp, dword ptr [ebp+08h]
                    movsd
                    dec eax
                    mov edi, edx
                    jmp 00007FACF06F4D34h
                    fisttp dword ptr [eax+ecx*2-75h]
                    int1
                    jmp 00007FACF06F4D33h
                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1b8000 | 0x1b8 |
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xde000 | 0xd863c | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    | 0x2000 | 0xdb8a8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .rsrc | 0xde000 | 0xd863c | 0xd8800 | False | 0.11087029084872979 | data | 5.594375506290896 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    | 0x1b8000 | 0x196f0 | 0x19800 | False | 0.9971469056372549 | data | 7.994379109673305 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    Name | RVA | Size | Type | Language | Country
                    MSEDGE | 0xde0e4 | 0x84025 | ASCII text, with very long lines (480) | |
                    MUI | 0x16217c | 0xc00 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | |
                    MUI | 0x162da4 | 0x118 | data | English | United States
                    REGISTRY | 0x162f18 | 0x26b | ASCII text, with CRLF line terminators | English | United States
                    REGISTRY | 0x1631ac | 0x2a3 | ASCII text, with CRLF line terminators | English | United States
                    XSD | 0x16349c | 0x7f2 | XML 1.0 document, ASCII text, with very long lines (1629), with CRLF line terminators | English | United States
                    RT_CURSOR | 0x163d28 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | Chinese | China
                    RT_CURSOR | 0x163e84 | 0x134 | data | Chinese | China
                    RT_CURSOR | 0x163fe0 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | Chinese | China
                    RT_CURSOR | 0x16413c | 0x134 | data | Chinese | China
                    RT_CURSOR | 0x164298 | 0x134 | Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001" | Chinese | China
                    RT_CURSOR | 0x1643f4 | 0x134 | Targa image data - RLE 64 x 65536 x 1 +32 "\001" | Chinese | China
                    RT_CURSOR | 0x164550 | 0x134 | Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001" | Chinese | China
                    RT_CURSOR | 0x1646ac | 0x134 | data | Chinese | China
                    RT_CURSOR | 0x164808 | 0x134 | data | Chinese | China
                    RT_CURSOR | 0x164964 | 0x134 | data | Chinese | China
                    RT_CURSOR | 0x164ac0 | 0x134 | data | Chinese | China
                    RT_CURSOR | 0x164c1c | 0x134 | data | Chinese | China
                    RT_BITMAP | 0x164d98 | 0xb8 | Device independent bitmap graphic, 12 x 10 x 4, image size 80 | Chinese | China
                    RT_BITMAP | 0x164e78 | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | Chinese | China
                    RT_FONTDIR | 0x165010 | 0x9b | Windows Precompiled iNF, version 0.1, InfStyle 1, flags 0x100, at 0x8434cb4b,, LanguageID 9800, at 0x6d677066, at 0xaaa589dd | English | United States
                    RT_FONT | 0x1650ec | 0x377c | TrueType Font data, digitally signed, 14 tables, 1st "DSIG", 45 names, Macintosh, \251 2004 Microsoft Corporation, all rights reserved.VisualUI is a trademark of Microsoft Corpo | English | United States
                    RT_MESSAGETABLE | 0x1688a8 | 0x41aa4 | data | English | United States
                    RT_GROUP_CURSOR | 0x1aa3e4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                    RT_GROUP_CURSOR | 0x1aa420 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                    RT_GROUP_CURSOR | 0x1aa45c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                    RT_GROUP_CURSOR | 0x1aa498 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                    RT_GROUP_CURSOR | 0x1aa4d4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                    RT_GROUP_CURSOR | 0x1aa510 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                    RT_GROUP_CURSOR | 0x1aa54c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                    RT_GROUP_CURSOR | 0x1aa588 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                    RT_GROUP_CURSOR | 0x1aa5c4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                    RT_GROUP_CURSOR | 0x1aa600 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                    RT_GROUP_CURSOR | 0x1aa63c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                    RT_GROUP_CURSOR | 0x1aa678 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                    RT_MANIFEST | 0x1aa6cc | 0xbe02 | ASCII text, with very long lines (48642), with no line terminators | English | United States
                    RT_RCDATA | 0x1b6510 | 0x129 | data | |
                    DLL | Import
                    shell32.dll | SHGetDiskFreeSpaceA
                    mscoree.dll | _CorExeMain
                    advapi32.dll | RegOpenKeyExA
                    user32.dll | EndDialog
                    kernel32.dll | GetModuleHandleA
                    Language of compilation system | Country where language is spoken | Map
                    English | United States |
                    Chinese | China |


                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Dec 8, 2022 13:34:45.342264891 CET | 50911 | 53 | 192.168.2.4 | 8.8.8.8
                    Dec 8, 2022 13:34:45.363445997 CET | 53 | 50911 | 8.8.8.8 | 192.168.2.4
                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                    Dec 8, 2022 13:34:45.342264891 CET | 192.168.2.4 | 8.8.8.8 | 0x9268 | Standard query (0) | xmr-eu1.nanopool.org | A (IP address) | IN (0x0001) | false
                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                    Dec 8, 2022 13:34:45.363445997 CET | 8.8.8.8 | 192.168.2.4 | 0x9268 | No error (0) | xmr-eu1.nanopool.org | | 51.68.190.80 | A (IP address) | IN (0x0001) | false
                    Dec 8, 2022 13:34:45.363445997 CET | 8.8.8.8 | 192.168.2.4 | 0x9268 | No error (0) | xmr-eu1.nanopool.org | | 51.83.33.228 | A (IP address) | IN (0x0001) | false
                    Dec 8, 2022 13:34:45.363445997 CET | 8.8.8.8 | 192.168.2.4 | 0x9268 | No error (0) | xmr-eu1.nanopool.org | | 51.15.54.102 | A (IP address) | IN (0x0001) | false
                    Dec 8, 2022 13:34:45.363445997 CET | 8.8.8.8 | 192.168.2.4 | 0x9268 | No error (0) | xmr-eu1.nanopool.org | | 46.105.31.147 | A (IP address) | IN (0x0001) | false
                    Dec 8, 2022 13:34:45.363445997 CET | 8.8.8.8 | 192.168.2.4 | 0x9268 | No error (0) | xmr-eu1.nanopool.org | | 135.125.238.108 | A (IP address) | IN (0x0001) | false
                    Dec 8, 2022 13:34:45.363445997 CET | 8.8.8.8 | 192.168.2.4 | 0x9268 | No error (0) | xmr-eu1.nanopool.org | | 51.68.137.66 | A (IP address) | IN (0x0001) | false
                    Dec 8, 2022 13:34:45.363445997 CET | 8.8.8.8 | 192.168.2.4 | 0x9268 | No error (0) | xmr-eu1.nanopool.org | | 51.68.143.81 | A (IP address) | IN (0x0001) | false
                    Dec 8, 2022 13:34:45.363445997 CET | 8.8.8.8 | 192.168.2.4 | 0x9268 | No error (0) | xmr-eu1.nanopool.org | | 51.15.69.136 | A (IP address) | IN (0x0001) | false
                    Dec 8, 2022 13:34:45.363445997 CET | 8.8.8.8 | 192.168.2.4 | 0x9268 | No error (0) | xmr-eu1.nanopool.org | | 51.255.34.118 | A (IP address) | IN (0x0001) | false
                    Dec 8, 2022 13:34:45.363445997 CET | 8.8.8.8 | 192.168.2.4 | 0x9268 | No error (0) | xmr-eu1.nanopool.org | | 51.15.58.224 | A (IP address) | IN (0x0001) | false
                    Dec 8, 2022 13:34:45.363445997 CET | 8.8.8.8 | 192.168.2.4 | 0x9268 | No error (0) | xmr-eu1.nanopool.org | | 51.15.78.68 | A (IP address) | IN (0x0001) | false
                    Dec 8, 2022 13:34:45.363445997 CET | 8.8.8.8 | 192.168.2.4 | 0x9268 | No error (0) | xmr-eu1.nanopool.org | | 51.15.65.182 | A (IP address) | IN (0x0001) | false


                    Target ID:0
                    Start time:13:32:33
                    Start date:08/12/2022
                    Path:C:\Users\user\Desktop\file.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Users\user\Desktop\file.exe
                    Imagebase:0xfa0000
                    File size:1487872 bytes
                    MD5 hash:C52068B30D8334CEC7C485A9499425A3
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:.Net C# or VB.NET
                    Reputation:low

                    Target ID:1
                    Start time:13:33:17
                    Start date:08/12/2022
                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Wow64 process (32bit):false
                    Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
                    Imagebase:0x7ff64b7b0000
                    File size:447488 bytes
                    MD5 hash:95000560239032BC68B4C2FDFCDEF913
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:.Net C# or VB.NET
                    Reputation:high

                    Target ID:2
                    Start time:13:33:17
                    Start date:08/12/2022
                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Wow64 process (32bit):false
                    Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
                    Imagebase:0x7ff64b7b0000
                    File size:447488 bytes
                    MD5 hash:95000560239032BC68B4C2FDFCDEF913
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:.Net C# or VB.NET
                    Reputation:high

                    Target ID:3
                    Start time:13:33:17
                    Start date:08/12/2022
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7c72c0000
                    File size:625664 bytes
                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    Target ID:4
                    Start time:13:33:17
                    Start date:08/12/2022
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7c72c0000
                    File size:625664 bytes
                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    Target ID:5
                    Start time:13:33:20
                    Start date:08/12/2022
                    Path:C:\Windows\System32\cmd.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp27DD.tmp.bat""
                    Imagebase:0x7ff632260000
                    File size:273920 bytes
                    MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    Target ID:6
                    Start time:13:33:21
                    Start date:08/12/2022
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7c72c0000
                    File size:625664 bytes
                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    Target ID:7
                    Start time:13:33:21
                    Start date:08/12/2022
                    Path:C:\Windows\System32\timeout.exe
                    Wow64 process (32bit):false
                    Commandline:timeout 3
                    Imagebase:0x7ff70bcb0000
                    File size:30720 bytes
                    MD5 hash:EB9A65078396FB5D4E3813BB9198CB18
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language

                    Target ID:8
                    Start time:13:33:24
                    Start date:08/12/2022
                    Path:C:\ProgramData\mediaApp\ILGDIYG.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\ProgramData\mediaApp\ILGDIYG.exe"
                    Imagebase:0x930000
                    File size:1487872 bytes
                    MD5 hash:C52068B30D8334CEC7C485A9499425A3
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:.Net C# or VB.NET
                    Antivirus matches:
                    • Detection: 25%, ReversingLabs

                    Executed Functions

                    Memory Dump Source
                    • Source File: 00000000.00000002.433140095.00007FF8164B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8164B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff8164b0000_file.jbxd
                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.433140095.00007FF8164B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8164B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff8164b0000_file.jbxd
                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.433238656.00007FF816540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816540000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff816540000_file.jbxd
                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.433140095.00007FF8164B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8164B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff8164b0000_file.jbxd
                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.433140095.00007FF8164B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8164B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff8164b0000_file.jbxd
                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.433140095.00007FF8164B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8164B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff8164b0000_file.jbxd
                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.433140095.00007FF8164B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8164B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff8164b0000_file.jbxd
                    Uniqueness Score: -1.00%

                    Non-executed Functions

                    Memory Dump Source
                    • Source File: 00000000.00000002.433140095.00007FF8164B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8164B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff8164b0000_file.jbxd
                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.433140095.00007FF8164B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8164B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff8164b0000_file.jbxd
                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.433140095.00007FF8164B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8164B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff8164b0000_file.jbxd
                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.433140095.00007FF8164B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8164B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff8164b0000_file.jbxd
                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.433140095.00007FF8164B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8164B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff8164b0000_file.jbxd
                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.433140095.00007FF8164B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8164B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff8164b0000_file.jbxd
                    Uniqueness Score: -1.00%