Malware analysis 4249959b292b1ff31e325395430cd1f438e432fa578d219bdb78983a30019873 Malicious activity

Add for printing

File name:	4249959b292b1ff31e325395430cd1f438e432fa578d219bdb78983a30019873
Full analysis:	https://app.any.run/tasks/b7fcb26b-0a45-4fcd-b8dd-2d734cbe4503
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 18, 2025, 16:42:11
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	xor-url generic stealer neoreklami adware
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	5B4A87E9F95C2CA15D19E3954CEEF911
SHA1:	141C10E661A37224D064C8B33DEC326C126AFB7D
SHA256:	4249959B292B1FF31E325395430CD1F438E432FA578D219BDB78983A30019873
SSDEEP:	98304:/hUhnNN1pl+KZ5kWxuaC25MajwONRw1L4E+MXL/QWW+D4VxQnehv4z6s+g6Y9ibc:SUyX4ivVa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Run PowerShell with an invisible window
  - powershell.exe (PID: 7236)
  - powershell.exe (PID: 616)
- Uses Task Scheduler to run other applications
  - Install.exe (PID: 7488)
  - StLlhdh.exe (PID: 8068)
- Neoreklami has been detected
  - StLlhdh.exe (PID: 8068)
- XORed URL has been found (YARA)
  - Install.exe (PID: 7488)
- Actions looks like stealing of personal data
  - StLlhdh.exe (PID: 8068)
- Steals credentials from Web Browsers
  - StLlhdh.exe (PID: 8068)
- NEOREKLAMI mutex has been found
  - StLlhdh.exe (PID: 8068)
SUSPICIOUS
- Drops 7-zip archiver for unpacking
  - 4249959b292b1ff31e325395430cd1f438e432fa578d219bdb78983a30019873.exe (PID: 7456)
- Starts itself from another location
  - 4249959b292b1ff31e325395430cd1f438e432fa578d219bdb78983a30019873.exe (PID: 7456)
- Executable content was dropped or overwritten
  - 4249959b292b1ff31e325395430cd1f438e432fa578d219bdb78983a30019873.exe (PID: 7456)
  - Install.exe (PID: 7472)
  - Install.exe (PID: 7488)
- The process executes via Task Scheduler
  - powershell.exe (PID: 7236)
  - StLlhdh.exe (PID: 8068)
  - powershell.exe (PID: 616)
- There is functionality for taking screenshot (YARA)
  - Install.exe (PID: 7488)
- Deletes scheduled task without confirmation
  - schtasks.exe (PID: 8032)
- Starts POWERSHELL.EXE for commands execution
  - StLlhdh.exe (PID: 8068)
- Found strings related to reading or modifying Windows Defender settings
  - powershell.exe (PID: 5048)
  - powershell.exe (PID: 7304)
- Starts CMD.EXE for commands execution
  - powershell.exe (PID: 5048)
  - powershell.exe (PID: 7304)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 5596)
  - powershell.exe (PID: 5048)
  - powershell.exe (PID: 7304)
  - cmd.exe (PID: 7936)
INFO
- The sample compiled with english language support
  - 4249959b292b1ff31e325395430cd1f438e432fa578d219bdb78983a30019873.exe (PID: 7456)
  - Install.exe (PID: 7472)
  - Install.exe (PID: 7488)
- Checks supported languages
  - 4249959b292b1ff31e325395430cd1f438e432fa578d219bdb78983a30019873.exe (PID: 7456)
  - Install.exe (PID: 7472)
  - StLlhdh.exe (PID: 8068)
- Create files in a temporary directory
  - Install.exe (PID: 7472)
  - 4249959b292b1ff31e325395430cd1f438e432fa578d219bdb78983a30019873.exe (PID: 7456)
  - Install.exe (PID: 7488)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

xor-url

(PID) Process(7488) Install.exe

Decrypted-URLs (25)http://133455789.xyz/clrls/cl_rls.json

http://133455789.xyz/updates/yd/yt_wrtzr_1/win/update_e.jpg

http://133455789.xyz/updates/yd/yt_wrtzr_1/win/version.txt

http://api.check-data.xyz

http://api2.check-data.xyz

http://api3.check-data.xyz

http://api4.check-data.xyz

http://api5.check-data.xyz

http://files.testupdate.info/updates/yd/yt_wrtzr_1/win/update_e.jpg

http://files.testupdate.info/updates/yd/yt_wrtzr_1/win/version.txt

http://files.tracemonitors.com/clrls/cl_rls.json

http://www.testupdate.info/clrls/cl_rls.json

http://www.testupdate.info/updates/yd/yt_wrtzr_1/win/update_e.jpg

http://www.testupdate.info/updates/yd/yt_wrtzr_1/win/version.txt

https://service-domain.xyz/google_ifi_ico.pngK

https://www.google.com/?h=42f6od641m7cwdq4el5np41md1zngfir9863.02nfw3obl

https://www.google.com/?h=42f6od641m7cwdq4el5np41md1zngfir9863.02nfw3oblW

https://www.google.com/?h=52x06k33mh5cdi7ed0pyobzborkaow6nxksq.5d15mfc0i

https://www.google.com/?h=57v8o0bomjptylml3stlufhrtjok90i8cgk2.grcrqbl12

https://www.google.com/?h=79vmgsepolbxkkgb4q95owcfdofsv8n35z4g.9alc7lfez

https://www.google.com/?h=a9huhoae9cyul7ade2xyh141mlhmk2b7l61u.iqmwvkjoo

https://www.google.com/?h=d64jvm5m3dh42bay5bh13b7wztm2uxtkf97t.xo1ycsl95

https://www.google.com/?h=k6x4xmnlu8392w2adnkyb7deuabkwq4tenfa.63sjo8coy

https://www.google.com/?h=md8vgx0vjeebrt7ncv.3510wvesh25r9mbx8d

https://www.google.com/?h=rfzvfq865ecxdgbj5jgsict7xyxg4p5dncnr.nu8kvsjdl

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2010:11:18 16:27:35+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	104960
InitializedDataSize:	45056
UninitializedDataSize:	-
EntryPoint:	0x14b04
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	9.20.0.0
ProductVersionNumber:	9.20.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Igor Pavlov
FileDescription:	7z Setup SFX
FileVersion:	9.2
InternalName:	7zS.sfx
LegalCopyright:	Copyright (c) 1999-2010 Igor Pavlov
OriginalFileName:	7zS.sfx.exe
ProductName:	7-Zip
ProductVersion:	9.2

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

222

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

536

"C:\WINDOWS\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

—

powershell.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Registry Console Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll

616

"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.EXE" -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\atl.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll

720

"C:\WINDOWS\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

—

powershell.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Registry Console Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll

1108

"C:\WINDOWS\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

—

powershell.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Registry Console Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll

1180

"C:\WINDOWS\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

—

powershell.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Registry Console Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll

1240

"C:\WINDOWS\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

—

powershell.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Registry Console Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll

1660

"C:\WINDOWS\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

—

powershell.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Registry Console Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll

1764

"C:\WINDOWS\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

—

powershell.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Registry Console Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll

2284

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

schtasks.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2344

"C:\WINDOWS\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\admin\AppData\Local\Temp\vlUyoAGBlTpCNcUwg /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

—

powershell.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Registry Console Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll

Add for printing

Total events

17 226

Read events

17 178

Write events

Delete events

Modification events


(PID) Process:	(3008) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction
Operation:	write	Name:	242872
Value: 6
(PID) Process:	(5400) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction
Operation:	write	Name:	2147749373
Value: 6
(PID) Process:	(4464) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction
Operation:	write	Name:	2147807942
Value: 6
(PID) Process:	(1240) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction
Operation:	write	Name:	2147807942
Value: 6
(PID) Process:	(5380) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction
Operation:	write	Name:	2147735735
Value: 6
(PID) Process:	(720) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction
Operation:	write	Name:	2147735735
Value: 6
(PID) Process:	(3676) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction
Operation:	write	Name:	2147737503
Value: 6
(PID) Process:	(536) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction
Operation:	write	Name:	2147735503
Value: 6
(PID) Process:	(6744) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction
Operation:	write	Name:	2147737394
Value: 6
(PID) Process:	(6640) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction
Operation:	write	Name:	225451
Value: 6

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7304	powershell.exe	C:\Windows\Temp\__PSScriptPolicyTest_xxxtrl2r.hsz.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5048	powershell.exe	C:\Windows\Temp\__PSScriptPolicyTest_kudpj44z.20o.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7236	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fzym24px.w1k.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7864	schtasks.exe	C:\Windows\Tasks\bKqHprlnPVfMWGijSV.job		binary
		MD5:E1AD0451E4831E910BCDA9A35314DE8F	SHA256:2B24AEDA4D1A419DF4321378103E26C6BB943DA98EC0DC07B4650A9C1623A7C6
5048	powershell.exe	C:\Windows\Temp\__PSScriptPolicyTest_1f1ewenc.vkh.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5048	powershell.exe	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:46B4EA22425FD53264F205DF8DA60740	SHA256:ED98A21923B8895F2205460D05BBD6278D6BD3C897067A2EBE4A0AB3C8A41233
8068	StLlhdh.exe	C:\Windows\System32\GroupPolicy\Machine\Registry.pol		binary
		MD5:822635CE45E3A426E8FD42DB4455F805	SHA256:5D7376FF0E285C25891FBBEBEC0417EE5BADE764A2342C708931CD36A6B405BC
7488	Install.exe	C:\Users\admin\AppData\Local\Temp\vlUyoAGBlTpCNcUwg\DZEyqqOLDIxIoTm\StLlhdh.exe		executable
		MD5:37064F03FDFF0C5B2C559F364973652E	SHA256:8505628B32FCBD87B5E151E93FA3E7BE8D0EA11040A6FF501E7B0C4069032F0B
7304	powershell.exe	C:\Windows\Temp\__PSScriptPolicyTest_pwh42w2v.kyc.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7236	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_p4gikroh.feq.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5496	MoUsoCoreWorker.exe	GET	200	2.19.11.105:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	2.19.11.105:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
8136	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
8136	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
2104	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5496	MoUsoCoreWorker.exe	2.19.11.105:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
—	—	2.19.11.105:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
—	—	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5496	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
—	—	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6544	svchost.exe	20.190.160.4:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

DNS requests

Domain	IP	Reputation
crl.microsoft.com	2.19.11.105 2.19.11.120	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
google.com	142.250.186.174	whitelisted
settings-win.data.microsoft.com	40.127.240.158 51.124.78.146	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
login.live.com	20.190.160.4 20.190.160.64 20.190.160.2 20.190.160.5 40.126.32.140 20.190.160.65 40.126.32.74 20.190.160.14	whitelisted
ocsp.digicert.com	2.23.77.188	whitelisted
slscr.update.microsoft.com	20.109.210.53	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

4249959b292b1ff31e325395430cd1f438e432fa578d219bdb78983a30019873

5B4A87E9F95C2CA15D19E3954CEEF911

141C10E661A37224D064C8B33DEC326C126AFB7D

4249959B292B1FF31E325395430CD1F438E432FA578D219BDB78983A30019873

98304:/hUhnNN1pl+KZ5kWxuaC25MajwONRw1L4E+MXL/QWW+D4VxQnehv4z6s+g6Y9ibc:SUyX4ivVa

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Run PowerShell with an invisible window

Uses Task Scheduler to run other applications

Neoreklami has been detected

XORed URL has been found (YARA)

Actions looks like stealing of personal data

Steals credentials from Web Browsers

NEOREKLAMI mutex has been found

SUSPICIOUS

Drops 7-zip archiver for unpacking

Starts itself from another location

Executable content was dropped or overwritten

The process executes via Task Scheduler

There is functionality for taking screenshot (YARA)

Deletes scheduled task without confirmation

Starts POWERSHELL.EXE for commands execution

Found strings related to reading or modifying Windows Defender settings

Starts CMD.EXE for commands execution

Uses REG/REGEDIT.EXE to modify registry

INFO

The sample compiled with english language support

Checks supported languages

Create files in a temporary directory

Malware configuration

xor-url

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings