File name: setup.exe

Full analysis: https://app.any.run/tasks/ee6790e3-0dd1-406c-a768-36753825d6a2
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: July 26, 2024, 15:50:46
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: stealer, adware, neoreklami
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: D5783572B939C378553F42ED9C4EA6C4
SHA1: 9F543AB7BA9C7024D94A5AAA2F07556DC2270BE7
SHA256: 3CDF495CF7D1EBA5D1BB55ECB72ED5C18D2FF1BEF0CED9569ED54F5BFA89B497
SSDEEP: 98304:/hUhnNybX3363SePjqlQ+sgFsCeD2WIQhWObsknp7RHY5WcGP0NVtRrV0Q9tVqNp:z1wnPY10CE5Kg4yH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Install.exe (PID: 884)
      • setup.exe (PID: 1140)
      • Install.exe (PID: 2252)
      • aQwmSpi.exe (PID: 4244)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 1044)
      • powershell.exe (PID: 3140)
      • powershell.exe (PID: 1912)
      • powershell.exe (PID: 5936)
      • powershell.exe (PID: 1244)
      • powershell.exe (PID: 204)
    • Uses WMIC.EXE to add exclusions to Windows Defender

      • powershell.exe (PID: 3140)
      • powershell.exe (PID: 1244)
    • Uses Task Scheduler to run other applications

      • Install.exe (PID: 6324)
      • Install.exe (PID: 2252)
    • Actions look like stealing of personal data

      • Install.exe (PID: 2252)
      • aQwmSpi.exe (PID: 4244)
    • Uses Task Scheduler to autorun other applications

      • aQwmSpi.exe (PID: 4244)
    • Steals credentials from Web Browsers

      • aQwmSpi.exe (PID: 4244)
    • NEOREKLAMI has been detected (SURICATA)

      • svchost.exe (PID: 2284)
    • Modifies files in the Chrome extension folder

      • aQwmSpi.exe (PID: 4244)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • setup.exe (PID: 1140)
      • Install.exe (PID: 884)
      • Install.exe (PID: 2252)
      • aQwmSpi.exe (PID: 4244)
    • Starts itself from another location

      • setup.exe (PID: 1140)
    • Found strings related to reading or modifying Windows Defender settings

      • Install.exe (PID: 6324)
      • forfiles.exe (PID: 4244)
      • forfiles.exe (PID: 892)
      • forfiles.exe (PID: 2824)
      • forfiles.exe (PID: 2996)
      • forfiles.exe (PID: 1272)
      • forfiles.exe (PID: 2984)
      • Install.exe (PID: 2252)
      • forfiles.exe (PID: 3168)
      • forfiles.exe (PID: 3848)
      • powershell.exe (PID: 6524)
      • powershell.exe (PID: 3608)
      • aQwmSpi.exe (PID: 4244)
      • forfiles.exe (PID: 1768)
      • forfiles.exe (PID: 4092)
      • forfiles.exe (PID: 2136)
      • forfiles.exe (PID: 3628)
      • forfiles.exe (PID: 5336)
      • forfiles.exe (PID: 4992)
    • Reads security settings of Internet Explorer

      • Install.exe (PID: 6324)
      • Install.exe (PID: 2252)
      • aQwmSpi.exe (PID: 4244)
    • Reads the date of Windows installation

      • Install.exe (PID: 6324)
      • Install.exe (PID: 2252)
      • aQwmSpi.exe (PID: 4244)
    • Drops 7-zip archiver for unpacking

      • setup.exe (PID: 1140)
    • Starts CMD.EXE for command execution

      • forfiles.exe (PID: 4244)
      • Install.exe (PID: 6324)
      • forfiles.exe (PID: 892)
      • forfiles.exe (PID: 2824)
      • forfiles.exe (PID: 2996)
      • forfiles.exe (PID: 1432)
      • forfiles.exe (PID: 1272)
      • Install.exe (PID: 2252)
      • forfiles.exe (PID: 2984)
      • forfiles.exe (PID: 3848)
      • forfiles.exe (PID: 3168)
      • forfiles.exe (PID: 4992)
      • forfiles.exe (PID: 3056)
      • powershell.exe (PID: 6524)
      • powershell.exe (PID: 3608)
      • aQwmSpi.exe (PID: 4244)
      • forfiles.exe (PID: 2136)
      • forfiles.exe (PID: 4092)
      • forfiles.exe (PID: 1768)
      • forfiles.exe (PID: 3628)
      • forfiles.exe (PID: 2200)
      • forfiles.exe (PID: 5336)
    • Searches and executes a command on selected files

      • forfiles.exe (PID: 4244)
      • forfiles.exe (PID: 2824)
      • forfiles.exe (PID: 2996)
      • forfiles.exe (PID: 1432)
      • forfiles.exe (PID: 892)
      • forfiles.exe (PID: 1272)
      • forfiles.exe (PID: 2984)
      • forfiles.exe (PID: 3168)
      • forfiles.exe (PID: 3848)
      • forfiles.exe (PID: 4992)
      • forfiles.exe (PID: 1768)
      • forfiles.exe (PID: 2136)
      • forfiles.exe (PID: 4092)
      • forfiles.exe (PID: 3628)
      • forfiles.exe (PID: 2200)
      • forfiles.exe (PID: 5336)
      • forfiles.exe (PID: 3056)
    • Uses REG/REGEDIT.EXE to modify the registry

      • cmd.exe (PID: 5040)
      • cmd.exe (PID: 6364)
      • cmd.exe (PID: 5648)
      • cmd.exe (PID: 4808)
      • cmd.exe (PID: 4820)
      • cmd.exe (PID: 5624)
      • cmd.exe (PID: 6888)
      • cmd.exe (PID: 4988)
      • cmd.exe (PID: 4092)
      • powershell.exe (PID: 6524)
      • powershell.exe (PID: 3608)
      • cmd.exe (PID: 1080)
      • cmd.exe (PID: 3476)
      • cmd.exe (PID: 1248)
      • cmd.exe (PID: 5380)
      • cmd.exe (PID: 2668)
    • Starts POWERSHELL.EXE for command execution

      • cmd.exe (PID: 5528)
      • cmd.exe (PID: 5340)
      • cmd.exe (PID: 4772)
      • Install.exe (PID: 2252)
      • cmd.exe (PID: 5692)
      • cmd.exe (PID: 2984)
    • Powershell scripting: start process

      • cmd.exe (PID: 5528)
      • cmd.exe (PID: 4772)
      • cmd.exe (PID: 5692)
    • Reads the BIOS version

      • Install.exe (PID: 6324)
    • The process executes via Task Scheduler

      • Install.exe (PID: 2252)
      • powershell.exe (PID: 1912)
      • aQwmSpi.exe (PID: 4244)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 3408)
      • schtasks.exe (PID: 4472)
    • Executes application which crashes

      • Install.exe (PID: 2252)
    • Access to an unwanted program domain was detected

      • svchost.exe (PID: 2284)
    • Checks Windows Trust Settings

      • aQwmSpi.exe (PID: 4244)
  • INFO

    • Checks supported languages

      • Install.exe (PID: 6324)
      • Install.exe (PID: 884)
      • Install.exe (PID: 2252)
      • aQwmSpi.exe (PID: 4244)
      • setup.exe (PID: 1140)
    • Creates files in a temporary directory

      • setup.exe (PID: 1140)
      • Install.exe (PID: 884)
    • Reads the computer name

      • Install.exe (PID: 6324)
      • Install.exe (PID: 2252)
      • aQwmSpi.exe (PID: 4244)
    • Process checks computer location settings

      • Install.exe (PID: 6324)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 4276)
      • WMIC.exe (PID: 4496)
    • Reads the software policy settings

      • WerFault.exe (PID: 1772)
      • aQwmSpi.exe (PID: 4244)
    • Creates files in the program directory

      • aQwmSpi.exe (PID: 4244)
    • Creates files or folders in the user directory

      • aQwmSpi.exe (PID: 4244)
    • Reads the machine GUID from the registry

      • aQwmSpi.exe (PID: 4244)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:11:18 16:27:35+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 104960
InitializedDataSize: 45056
UninitializedDataSize: -
EntryPoint: 0x14b04
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 9.20.0.0
ProductVersionNumber: 9.20.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Igor Pavlov
FileDescription: 7z Setup SFX
FileVersion: 9.2
InternalName: 7zS.sfx
LegalCopyright: Copyright (c) 1999-2010 Igor Pavlov
OriginalFileName: 7zS.sfx.exe
ProductName: 7-Zip
ProductVersion: 9.2
No data.
All screenshots are available in the full report
Total processes: 297
Monitored processes: 151
Malicious processes: 12
Suspicious processes: 17

Behavior graph

Interactive process graph (not reproduced here; see the full report). Node labels in the order rendered: setup.exe, install.exe, install.exe, then repeated runs of forfiles.exe, cmd.exe, reg.exe and of forfiles.exe, cmd.exe, powershell.exe, gpupdate.exe (each with conhost.exe), wmic.exe, schtasks.exe, a further install.exe, more forfiles.exe / cmd.exe / reg.exe / powershell.exe runs, several schtasks.exe, then aqwmspi.exe, werfault.exe, more forfiles.exe / cmd.exe / reg.exe / powershell.exe / schtasks.exe / wmic.exe runs, svchost.exe (flagged #NEOREKLAMI), slui.exe and setup.exe.

Process information

Fields per process: PID | CMD | Path | Indicators | Parent process
PID: 204
CMD: powershell start-process -WindowStyle Hidden gpupdate.exe /force
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 756
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 884
CMD: .\Install.exe
Path: C:\Users\admin\AppData\Local\Temp\7zS23CB.tmp\Install.exe
Parent process: setup.exe
User: admin
Company: Igor Pavlov
Integrity Level: HIGH
Description: 7z Setup SFX
Version: 9.20
Modules (images):
c:\users\admin\appdata\local\temp\7zs23cb.tmp\install.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 892
CMD: forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
Path: C:\Windows\SysWOW64\forfiles.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: ForFiles - Executes a command on selected files
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\forfiles.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 892
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: gpupdate.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1044
CMD: powershell start-process -WindowStyle Hidden gpupdate.exe /force
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 1044
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1080
CMD: "C:\WINDOWS\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
Path: C:\Windows\SysWOW64\reg.exe
Parent process: powershell.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
PID: 1080
CMD: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: forfiles.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 1120
CMD: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
Path: C:\Windows\SysWOW64\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
Total events: 56 701
Read events: 56 558
Write events: 140
Delete events: 3

Modification events

PID 6324, Install.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer | Operation: write | Name: SlowContextMenuEntries | Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
PID 6324, Install.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
PID 6324, Install.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
PID 6324, Install.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
PID 6324, Install.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
PID 6860, reg.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction | Operation: write | Name: 2147735503 | Value: 6
PID 2692, reg.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction | Operation: write | Name: 2147814524 | Value: 6
PID 4752, reg.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction | Operation: write | Name: 2147780199 | Value: 6
PID 1120, reg.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction | Operation: write | Name: 2147812831 | Value: 6
PID 1044, powershell.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
Executable files: 4
Suspicious files: 18
Text files: 83
Unknown types: 3

Dropped files

PID | Process | Filename | Type
204 | powershell.exe | C:\Windows\Temp\__PSScriptPolicyTest_ibmwj3ai.ppf.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1140 | setup.exe | C:\Users\admin\AppData\Local\Temp\7zS23CB.tmp\Install.exe | executable
MD5: E6684F9886E2DD3487B77B7D05D0E6D8
SHA256: B116145CF32CE32B50AC3AC6596D8368D2F6B09763297B65AA57FCE57183BC2E
884 | Install.exe | C:\Users\admin\AppData\Local\Temp\7zS2756.tmp\Install.exe | executable
MD5: 5B02DB30F0B7C50AB96BB2AD8961FE73
SHA256: C3541E85A22C639F32AF232D3AD9E20CE37A3D4E98C353C235BF11E01CCBBF9D
1044 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
MD5: D5BF2CDCD8501A037DD848FBEAC94F24
SHA256: 50802F187D3BFF3832B28AFB2C3B131EC299AEEB95EF520497F422B8C6024958
1140 | setup.exe | C:\Users\admin\AppData\Local\Temp\7zS23CB.tmp\__data__\config.txt | binary
MD5: 0ED348BFADA6303B6B6F03526E2E283F
SHA256: 09D68E3333EFF1E999CFE4B5B1E70A60B0B8E9FB698E8711E8DA63AD610AD45E
1044 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_leok55fz.5ch.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3140 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_j5tmpxnl.zzl.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
204 | powershell.exe | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
MD5: 46BC898D175ACF32853B59591E76AACF
SHA256: E5F588046119B6FABB21009D88B11D92609B48E9BA7505E709BD47B6A105BA1C
1772 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Install.exe_unkn_e3f89085876c6983e04bd3128a18f688352621_9fa569a1_6d46be35-6494-48f3-8c63-cf7f1195cd00\Report.wer | -
MD5: -
SHA256: -
3608 | powershell.exe | C:\Windows\Temp\__PSScriptPolicyTest_12ry1rxw.czq.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 41
DNS requests: 13
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | POST | 200 | 51.104.15.253:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b | unknown
- | - | POST | 200 | 20.189.173.17:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3952 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
- | - | 131.253.33.254:443 | a-ring-fallback.msedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
- | - | 2.16.110.130:443 | www.bing.com | Akamai International B.V. | DE | unknown
364 | slui.exe | 40.91.76.224:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
6012 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
3392 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4372 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
t-ring-fdv2.msedge.net
  • 13.107.237.254
unknown
a-ring-fallback.msedge.net
  • 131.253.33.254
unknown
www.bing.com
  • 2.16.110.130
  • 2.16.110.131
  • 2.16.110.144
  • 2.16.110.193
  • 2.16.110.187
  • 2.16.110.200
  • 2.16.110.120
  • 2.16.110.192
  • 2.16.110.138
whitelisted
google.com
  • 142.250.185.206
whitelisted
self.events.data.microsoft.com
  • 20.189.173.10
whitelisted
watson.events.data.microsoft.com
  • 52.182.143.212
whitelisted
service-domain.xyz
  • 54.210.117.250
unknown
www.googleapis.com
  • 142.250.181.234
  • 142.250.184.234
  • 216.58.212.170
  • 142.250.185.170
  • 216.58.206.42
  • 216.58.212.138
  • 142.250.185.106
  • 172.217.16.202
  • 142.250.186.138
  • 142.250.186.42
  • 142.250.185.234
  • 142.250.186.74
  • 142.250.186.170
  • 172.217.18.106
  • 142.250.185.202
  • 142.250.185.74
whitelisted

Threats

PID | Process | Class | Message
2284 | svchost.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP DNS Query to Neoreklami (service-domain .xyz)
2284 | svchost.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP DNS Query to Neoreklami (service-domain .xyz)
No debug info