File name: setup.exe
Full analysis: https://app.any.run/tasks/ee6790e3-0dd1-406c-a768-36753825d6a2
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: July 26, 2024, 15:50:46
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
adware
neoreklami
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: D5783572B939C378553F42ED9C4EA6C4
SHA1: 9F543AB7BA9C7024D94A5AAA2F07556DC2270BE7
SHA256: 3CDF495CF7D1EBA5D1BB55ECB72ED5C18D2FF1BEF0CED9569ED54F5BFA89B497
SSDEEP: 98304:/hUhnNybX3363SePjqlQ+sgFsCeD2WIQhWObsknp7RHY5WcGP0NVtRrV0Q9tVqNp:z1wnPY10CE5Kg4yH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • setup.exe (PID: 1140)
      • Install.exe (PID: 884)
      • Install.exe (PID: 2252)
      • aQwmSpi.exe (PID: 4244)
    • Runs PowerShell with an invisible window

      • powershell.exe (PID: 1044)
      • powershell.exe (PID: 3140)
      • powershell.exe (PID: 204)
      • powershell.exe (PID: 1912)
      • powershell.exe (PID: 5936)
      • powershell.exe (PID: 1244)
    • Uses WMIC.EXE to add exclusions to Windows Defender

      • powershell.exe (PID: 3140)
      • powershell.exe (PID: 1244)
    • Uses Task Scheduler to run other applications

      • Install.exe (PID: 6324)
      • Install.exe (PID: 2252)
    • Actions look like stealing of personal data

      • Install.exe (PID: 2252)
      • aQwmSpi.exe (PID: 4244)
    • Uses Task Scheduler to autorun other applications

      • aQwmSpi.exe (PID: 4244)
    • Modifies files in the Chrome extension folder

      • aQwmSpi.exe (PID: 4244)
    • NEOREKLAMI has been detected (SURICATA)

      • svchost.exe (PID: 2284)
    • Steals credentials from Web Browsers

      • aQwmSpi.exe (PID: 4244)
  • SUSPICIOUS

    • Drops 7-zip archiver for unpacking

      • setup.exe (PID: 1140)
    • Starts itself from another location

      • setup.exe (PID: 1140)
    • Searches and executes a command on selected files

      • forfiles.exe (PID: 892)
      • forfiles.exe (PID: 2824)
      • forfiles.exe (PID: 4244)
      • forfiles.exe (PID: 2996)
      • forfiles.exe (PID: 1432)
      • forfiles.exe (PID: 1272)
      • forfiles.exe (PID: 2984)
      • forfiles.exe (PID: 3168)
      • forfiles.exe (PID: 3848)
      • forfiles.exe (PID: 4992)
      • forfiles.exe (PID: 3056)
      • forfiles.exe (PID: 1768)
      • forfiles.exe (PID: 2136)
      • forfiles.exe (PID: 4092)
      • forfiles.exe (PID: 3628)
      • forfiles.exe (PID: 5336)
      • forfiles.exe (PID: 2200)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 5040)
      • cmd.exe (PID: 4808)
      • cmd.exe (PID: 5648)
      • cmd.exe (PID: 6364)
      • cmd.exe (PID: 4820)
      • cmd.exe (PID: 5624)
      • cmd.exe (PID: 2668)
      • cmd.exe (PID: 4988)
      • powershell.exe (PID: 6524)
      • cmd.exe (PID: 6888)
      • powershell.exe (PID: 3608)
      • cmd.exe (PID: 4092)
      • cmd.exe (PID: 3476)
      • cmd.exe (PID: 1080)
      • cmd.exe (PID: 5380)
      • cmd.exe (PID: 1248)
    • Found strings related to reading or modifying Windows Defender settings

      • forfiles.exe (PID: 892)
      • Install.exe (PID: 6324)
      • forfiles.exe (PID: 4244)
      • forfiles.exe (PID: 2996)
      • forfiles.exe (PID: 1272)
      • forfiles.exe (PID: 2824)
      • forfiles.exe (PID: 3168)
      • Install.exe (PID: 2252)
      • forfiles.exe (PID: 2984)
      • forfiles.exe (PID: 3848)
      • forfiles.exe (PID: 4992)
      • powershell.exe (PID: 3608)
      • powershell.exe (PID: 6524)
      • forfiles.exe (PID: 1768)
      • aQwmSpi.exe (PID: 4244)
      • forfiles.exe (PID: 4092)
      • forfiles.exe (PID: 2136)
      • forfiles.exe (PID: 5336)
      • forfiles.exe (PID: 3628)
    • Starts CMD.EXE for commands execution

      • forfiles.exe (PID: 892)
      • Install.exe (PID: 6324)
      • forfiles.exe (PID: 4244)
      • forfiles.exe (PID: 2996)
      • forfiles.exe (PID: 1432)
      • forfiles.exe (PID: 1272)
      • forfiles.exe (PID: 2824)
      • Install.exe (PID: 2252)
      • forfiles.exe (PID: 2984)
      • forfiles.exe (PID: 3168)
      • forfiles.exe (PID: 4992)
      • forfiles.exe (PID: 3056)
      • powershell.exe (PID: 6524)
      • powershell.exe (PID: 3608)
      • forfiles.exe (PID: 3848)
      • aQwmSpi.exe (PID: 4244)
      • forfiles.exe (PID: 1768)
      • forfiles.exe (PID: 4092)
      • forfiles.exe (PID: 2136)
      • forfiles.exe (PID: 2200)
      • forfiles.exe (PID: 5336)
      • forfiles.exe (PID: 3628)
    • Reads security settings of Internet Explorer

      • Install.exe (PID: 6324)
      • Install.exe (PID: 2252)
      • aQwmSpi.exe (PID: 4244)
    • Executable content was dropped or overwritten

      • setup.exe (PID: 1140)
      • Install.exe (PID: 884)
      • Install.exe (PID: 2252)
      • aQwmSpi.exe (PID: 4244)
    • Reads the date of Windows installation

      • Install.exe (PID: 6324)
      • Install.exe (PID: 2252)
      • aQwmSpi.exe (PID: 4244)
    • Powershell scripting: start process

      • cmd.exe (PID: 5528)
      • cmd.exe (PID: 4772)
      • cmd.exe (PID: 5692)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 5528)
      • cmd.exe (PID: 5340)
      • cmd.exe (PID: 4772)
      • Install.exe (PID: 2252)
      • cmd.exe (PID: 2984)
      • cmd.exe (PID: 5692)
    • Reads the BIOS version

      • Install.exe (PID: 6324)
    • The process executes via Task Scheduler

      • Install.exe (PID: 2252)
      • powershell.exe (PID: 1912)
      • aQwmSpi.exe (PID: 4244)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 3408)
      • schtasks.exe (PID: 4472)
    • Executes application which crashes

      • Install.exe (PID: 2252)
    • Access to an unwanted program domain was detected

      • svchost.exe (PID: 2284)
    • Checks Windows Trust Settings

      • aQwmSpi.exe (PID: 4244)
  • INFO

    • Checks supported languages

      • setup.exe (PID: 1140)
      • Install.exe (PID: 884)
      • Install.exe (PID: 6324)
      • Install.exe (PID: 2252)
      • aQwmSpi.exe (PID: 4244)
    • Creates files in a temporary directory

      • setup.exe (PID: 1140)
      • Install.exe (PID: 884)
    • Reads the computer name

      • Install.exe (PID: 6324)
      • Install.exe (PID: 2252)
      • aQwmSpi.exe (PID: 4244)
    • Process checks computer location settings

      • Install.exe (PID: 6324)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 4276)
      • WMIC.exe (PID: 4496)
    • Creates files in the program directory

      • aQwmSpi.exe (PID: 4244)
    • Reads the software policy settings

      • WerFault.exe (PID: 1772)
      • aQwmSpi.exe (PID: 4244)
    • Reads the machine GUID from the registry

      • aQwmSpi.exe (PID: 4244)
    • Creates files or folders in the user directory

      • aQwmSpi.exe (PID: 4244)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:11:18 16:27:35+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 104960
InitializedDataSize: 45056
UninitializedDataSize: -
EntryPoint: 0x14b04
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 9.20.0.0
ProductVersionNumber: 9.20.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Igor Pavlov
FileDescription: 7z Setup SFX
FileVersion: 9.2
InternalName: 7zS.sfx
LegalCopyright: Copyright (c) 1999-2010 Igor Pavlov
OriginalFileName: 7zS.sfx.exe
ProductName: 7-Zip
ProductVersion: 9.2
No data.
All screenshots are available in the full report
Total processes: 297
Monitored processes: 151
Malicious processes: 12
Suspicious processes: 17

Behavior graph

(Interactive graph; available in the full report. Process tree as extracted, flattened: setup.exe > Install.exe > Install.exe, followed by repeated forfiles.exe > cmd.exe > reg.exe chains, forfiles.exe > cmd.exe > powershell.exe > gpupdate.exe, powershell.exe > wmic.exe and schtasks.exe; a further Install.exe instance with two cmd.exe runs that each spawn a long series of reg.exe; then aqwmspi.exe, werfault.exe, the same forfiles/cmd/reg and powershell/gpupdate chains again, schtasks.exe, wmic.exe, svchost.exe tagged #NEOREKLAMI, slui.exe and a final setup.exe.)

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 204
CMD: powershell start-process -WindowStyle Hidden gpupdate.exe /force
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 756
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 884
CMD: .\Install.exe
Path: C:\Users\admin\AppData\Local\Temp\7zS23CB.tmp\Install.exe
Parent process: setup.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
HIGH
Description:
7z Setup SFX
Version:
9.20
Modules
Images
c:\users\admin\appdata\local\temp\7zs23cb.tmp\install.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 892
CMD: forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
Path: C:\Windows\SysWOW64\forfiles.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
ForFiles - Executes a command on selected files
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\forfiles.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 892
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: gpupdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1044
CMD: powershell start-process -WindowStyle Hidden gpupdate.exe /force
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 1044
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1080
CMD: "C:\WINDOWS\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
Path: C:\Windows\SysWOW64\reg.exe
Parent process: powershell.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
PID: 1080
CMD: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: forfiles.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 1120
CMD: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
Path: C:\Windows\SysWOW64\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
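The command lines above (PIDs 892, 1080, 1120 and 204) show the Defender-tampering technique concretely. forfiles.exe is pointed at a file that is guaranteed to exist (/p c:\windows\system32 /m calc.exe) purely so that its /c argument runs cmd.exe once, which runs reg add against HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction with data 6. In the Defender policy (Threats_ThreatIdDefaultAction) the value name is a threat ID and the data is the default action for it, where 6 means Allow, so Defender takes no action on that detection. The hidden PowerShell then runs gpupdate /force; Install.exe also drops C:\Windows\System32\GroupPolicy\Machine\Registry.pol and gpt.ini (see Dropped files), which is consistent with the settings being applied as local Group Policy. The script below is an added example and is not part of the ANY.RUN report: it runs detection logic for this chain over constructed process-creation records. The command lines marked "from report" are copied from this page; the benign reg.exe line and the WMIC exclusion line are constructed (the report only states that WMIC added exclusions and does not show its arguments). The ProcEvent and Finding classes and the rule names are the example's own. Note that PID 1080 appears twice in the report (a cmd.exe and a reg.exe); the sample keeps both as shown.

```python
"""Detection logic for the Defender-tampering chain seen in this report.

Added example, not part of the ANY.RUN report. It replays constructed
process-creation records (Sysmon event 1 / 4688 style) through a few rules
and reports what each one matched.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Data written under ThreatIDDefaultAction (Defender policy
# Threats_ThreatIdDefaultAction). 6 = Allow: Defender takes no action on that
# threat ID, which is what every reg add in this sample sets.
THREAT_ACTION = {1: "Clean", 2: "Quarantine", 3: "Remove", 6: "Allow",
                 8: "UserDefined", 9: "NoAction", 10: "Block"}

THREAT_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction"

RE_REG_ADD = re.compile(r'\breg(?:\.exe)?"?\s+add\b', re.I)       # reg add / "...\reg.exe" ADD
RE_VALUE_NAME = re.compile(r'/v\s+"?(\d+)', re.I)                 # /v <threat id>
RE_DATA = re.compile(r'/d\s+"?(\d+)', re.I)                       # /d <action code>
RE_FORFILES_PROXY = re.compile(r'/c\s+"?(?:cmd|powershell)\b', re.I)
RE_HIDDEN_WINDOW = re.compile(r'-w(?:indowstyle)?\s+hidden\b', re.I)
RE_WMIC_EXCLUSION = re.compile(r'msft_mppreference\b.*\badd\b.*\bexclusion', re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # image file name only, e.g. "reg.exe"
    cmdline: str
    parent_image: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def defender_threat_action(cmdline: str) -> tuple[int, int] | None:
    """Return (threat_id, action_code) if cmdline writes ThreatIDDefaultAction.

    Matches a direct reg.exe invocation as well as a reg add nested inside a
    cmd /C or forfiles /c string, since the write happens either way.
    """
    if "threatiddefaultaction" not in cmdline.lower() or not RE_REG_ADD.search(cmdline):
        return None
    value, data = RE_VALUE_NAME.search(cmdline), RE_DATA.search(cmdline)
    if not (value and data):
        return None
    return int(value.group(1)), int(data.group(1))


def analyze(events: list[ProcEvent]) -> list[Finding]:
    """Apply every rule to every event; one Finding per rule hit."""
    findings = []
    for ev in events:
        image = ev.image.lower()
        hit = defender_threat_action(ev.cmdline)
        if hit:
            threat_id, code = hit
            action = THREAT_ACTION.get(code, f"unknown({code})")
            findings.append(Finding(ev.pid, "defender_threat_default_action",
                f"threat id {threat_id} -> {action} via {ev.image} (parent {ev.parent_image})"))
        if image == "forfiles.exe" and RE_FORFILES_PROXY.search(ev.cmdline):
            findings.append(Finding(ev.pid, "forfiles_indirect_execution",
                "forfiles /c used to launch cmd/powershell (ATT&CK T1202)"))
        if image == "powershell.exe" and RE_HIDDEN_WINDOW.search(ev.cmdline):
            findings.append(Finding(ev.pid, "hidden_powershell_window", ev.cmdline))
        if image == "wmic.exe" and RE_WMIC_EXCLUSION.search(ev.cmdline):
            findings.append(Finding(ev.pid, "wmic_defender_exclusion", ev.cmdline))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def allowed_threat_ids(events: list[ProcEvent]) -> set[int]:
    """Threat IDs whose default action was switched to Allow (6)."""
    ids = set()
    for ev in events:
        hit = defender_threat_action(ev.cmdline)
        if hit and hit[1] == 6:
            ids.add(hit[0])
    return ids


SAMPLE_EVENTS = [
    # from report, PID 892: /p system32 /m calc.exe only guarantees one match so /c runs once
    ProcEvent(892, "forfiles.exe", r'forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"'
              + THREAT_KEY + r'\" /f /v 2147814524 /t REG_SZ /d 6"', "cmd.exe"),
    # from report, PID 1080: the cmd.exe spawned by forfiles
    ProcEvent(1080, "cmd.exe", r'/C reg add "' + THREAT_KEY + r'" /f /v 2147814524 /t REG_SZ /d 6', "forfiles.exe"),
    # from report, PID 1120
    ProcEvent(1120, "reg.exe", r'reg add "' + THREAT_KEY + r'" /f /v 2147812831 /t REG_SZ /d 6', "cmd.exe"),
    # from report, second process listed under PID 1080: launched from PowerShell into the 64-bit hive view
    ProcEvent(1080, "reg.exe", r'"C:\WINDOWS\system32\reg.exe" ADD "' + THREAT_KEY
              + r'" /f /v 2147807942 /t REG_SZ /d 6 /reg:64', "powershell.exe"),
    # from report, PID 204
    ProcEvent(204, "powershell.exe", "powershell start-process -WindowStyle Hidden gpupdate.exe /force", "cmd.exe"),
    # constructed: a benign reg add that must not fire
    ProcEvent(4001, "reg.exe", r'reg add "HKCU\Software\Example" /v Setting /t REG_SZ /d 1 /f', "cmd.exe"),
    # constructed: the WMIC form the "adds exclusions" signature refers to; the report does not show the arguments
    ProcEvent(4276, "WMIC.exe", r'wmic /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference'
              r' call Add ExclusionPath="C:\Example"', "powershell.exe"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid {f.pid}: {f.detail}")
    print("threat IDs switched to Allow:", sorted(allowed_threat_ids(SAMPLE_EVENTS)))
```

The rules match on the command line rather than on the parent image because the report shows the same write reached through three different parents (forfiles.exe > cmd.exe, cmd.exe directly, and powershell.exe), and the nested reg add inside the forfiles /c string is flagged on the forfiles process itself so the alert fires even where the child process record is missing. On a live host the same check is `Get-ItemProperty` on the ThreatIDDefaultAction key: any value with data 6 is a threat ID Defender has been told to allow.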
Total events: 56 701
Read events: 56 558
Write events: 140
Delete events: 3

Modification events

PID 6324 Install.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

PID 6324 Install.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

PID 6324 Install.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

PID 6324 Install.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

PID 6324 Install.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

PID 6860 reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction
Operation: write
Name: 2147735503
Value: 6

PID 2692 reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction
Operation: write
Name: 2147814524
Value: 6

PID 4752 reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction
Operation: write
Name: 2147780199
Value: 6

PID 1120 reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction
Operation: write
Name: 2147812831
Value: 6

PID 1044 powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
Executable files: 4
Suspicious files: 18
Text files: 83
Unknown types: 3

Dropped files

Columns: PID, Process, Filename, Type

PID 3608 powershell.exe: C:\Windows\Temp\__PSScriptPolicyTest_12ry1rxw.czq.ps1 (text)
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 3140 powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_j5tmpxnl.zzl.psm1 (text)
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 204 powershell.exe: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (binary)
MD5: 46BC898D175ACF32853B59591E76AACF
SHA256: E5F588046119B6FABB21009D88B11D92609B48E9BA7505E709BD47B6A105BA1C

PID 6524 powershell.exe: C:\Windows\Temp\__PSScriptPolicyTest_1bybz4zt.ehl.psm1 (text)
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 3608 powershell.exe: C:\Windows\Temp\__PSScriptPolicyTest_juxko1fo.5yg.psm1 (text)
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 2252 Install.exe: C:\Windows\System32\GroupPolicy\Machine\Registry.pol (binary)
MD5: F0B3572402FF3FE88C538242D242245A
SHA256: ADC9D6D942A8610A9C78C01953BA6D8E1012A11495D1635A09A9F808E907D175

PID 1912 powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0hiwb0dj.4fo.psm1 (text)
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 1912 powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zo4loywc.dx2.ps1 (text)
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 1772 WerFault.exe: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Install.exe_unkn_e3f89085876c6983e04bd3128a18f688352621_9fa569a1_6d46be35-6494-48f3-8c63-cf7f1195cd00\Report.wer
MD5:
SHA256:

PID 2252 Install.exe: C:\Windows\System32\GroupPolicy\gpt.ini (text)
MD5: A62CE44A33F1C05FC2D340EA0CA118A4
SHA256: 9F2CD4ACF23D565BC8498C989FCCCCF59FD207EF8925111DC63E78649735404A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 41
DNS requests: 13
Threats: 2

HTTP requests

Columns: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation (PID and Process are not populated for these rows)

POST | 200 | 20.189.173.17:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b
POST | 200 | 51.104.15.253:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b

Connections

Columns: PID, Process, IP, Domain, ASN, CN, Reputation (rows without a PID are listed under the preceding process, as extracted)

3952 svchost.exe | 239.255.255.250:1900 | whitelisted
  131.253.33.254:443 | a-ring-fallback.msedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
  2.16.110.130:443 | www.bing.com | Akamai International B.V. | DE | unknown
364 slui.exe | 40.91.76.224:443 | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 System | 192.168.100.255:138 | whitelisted
  40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
6012 MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
3392 svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4372 svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 System | 192.168.100.255:137 | whitelisted

DNS requests

Columns: Domain, IP, Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
t-ring-fdv2.msedge.net
  • 13.107.237.254
unknown
a-ring-fallback.msedge.net
  • 131.253.33.254
unknown
www.bing.com
  • 2.16.110.130
  • 2.16.110.131
  • 2.16.110.144
  • 2.16.110.193
  • 2.16.110.187
  • 2.16.110.200
  • 2.16.110.120
  • 2.16.110.192
  • 2.16.110.138
whitelisted
google.com
  • 142.250.185.206
whitelisted
self.events.data.microsoft.com
  • 20.189.173.10
whitelisted
watson.events.data.microsoft.com
  • 52.182.143.212
whitelisted
service-domain.xyz
  • 54.210.117.250
unknown
www.googleapis.com
  • 142.250.181.234
  • 142.250.184.234
  • 216.58.212.170
  • 142.250.185.170
  • 216.58.206.42
  • 216.58.212.138
  • 142.250.185.106
  • 172.217.16.202
  • 142.250.186.138
  • 142.250.186.42
  • 142.250.185.234
  • 142.250.186.74
  • 142.250.186.170
  • 172.217.18.106
  • 142.250.185.202
  • 142.250.185.74
whitelisted

Threats

Columns: PID, Process, Class, Message

2284 svchost.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP DNS Query to Neoreklami (service-domain .xyz)
2284 svchost.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP DNS Query to Neoreklami (service-domain .xyz)
No debug info