Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and execute file
Snort IDS alert for network traffic
Windows shortcut file (LNK) starts blacklisted processes
Yara detected malicious lnk
Bypasses PowerShell execution policy
Drops PE files to the user root directory
Found URL in windows shortcut file (LNK)
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Powershell drops PE file
Sigma detected: PowerShell DownloadFile
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses an obfuscated file name to hide its real file extension (double extension)
Windows shortcut file (LNK) contains suspicious command line arguments
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)