e2kLb2J2Y7.exe (initial sample)

Filetype: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy: 7.996988460807273
Filename: e2kLb2J2Y7.exe
Filesize: 604672
MD5: 506761d4ae9aa7134c001c7f0b7b4827
SHA1: 45b12d344817ca14e1f630da7f624b2093e7728d
SHA256: 36216f13d2670aadc24589c4810c4ef62e9370a4e3cf05f8015b1beb5e0c4a63
SHA512: 6989bed145db2b4397a3f6b76a5be58b102270ed94ac42c7914cfe17c916bd6779b8575f6a0e39d7f8a18343dcd5579f5f72a759b873c453e85d6314dd217d63
SSDEEP: 12288:I2kEUbOlK2wyuxkVT0qIGk7TeO7Ii2amedllsEqUbBm+wsSqRhxMuTw1gk:I2QLyVwRGkf7Ii8eLuzekcGuTc

Signature Hits | Behavior Group | Mitre Attack
Multi AV Scanner detection for submitted file | AV Detection | -
Antivirus / Scanner detection for submitted sample | AV Detection | -
Machine Learning detection for sample | AV Detection | -
.NET source code contains potential unpacker | Data Obfuscation | -
.NET source code contains very large array initializations | System Summary | -
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) | Malware Analysis System Evasion | -
Queries the volume information (name, serial number, etc.) of a device | Language, Device and Operating System Detection | System Information Discovery
May sleep (evasive loops) to hinder dynamic analysis | Malware Analysis System Evasion | -
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI) | Lowering of HIPS / PFW / Operating System Security Settings | Windows Management Instrumentation
Uses code obfuscation techniques (call, push, ret) | Data Obfuscation | -
Creates COM task schedule object (often to register a task for autostart) | Spreading | -
Detected potential crypto function | System Summary | -
Contains long sleeps (>= 3 min) | Malware Analysis System Evasion | -
Enables debug privileges | Anti Debugging | -
PE file does not import any functions | System Summary | -
Sample file name differs from the original file name gathered from version info | System Summary | -
Binary contains a suspicious time stamp | Data Obfuscation | -
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines) | Malware Analysis System Evasion | -
Queries sensitive BIOS information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) | Malware Analysis System Evasion | -
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3) | System Summary | -
Sample is known by Antivirus | System Summary | -
Sample reads its own file content | System Summary | -
PE file has an executable .text section and no other executable section | System Summary | -
Reads software policies | System Summary | -
Queries the cryptographic machine GUID | Language, Device and Operating System Detection | -
Uses an in-process (OLE) Automation server | System Summary | -
Queries process information (via WMI, Win32_Process) | System Summary | -
Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | -
Creates files inside the user directory | System Summary | -
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection | -
.NET source code contains functionality to register a task | System Summary | -
Creates guard pages, often used to prevent reverse engineering and debugging | Anti Debugging | -
.NET source code contains many API calls related to security | System Summary | -
Parts of this application are using the .NET runtime (probably coded in C#) | System Summary | -
PE file contains a debug data directory | System Summary | -
Contains modern PE file flags such as dynamic base (ASLR) or NX | Compliance, System Summary | -
PE file has a high image base, often used for DLLs | System Summary | -
PE file contains a COM descriptor data directory | System Summary | -
Uses Microsoft Silverlight | System Summary | -

C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe (dropped)

File: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe
Category: dropped
Dump: Key.exe.0.dr
ID: dr_1
Target ID: 0
Process: C:\Users\user\Desktop\e2kLb2J2Y7.exe
Type: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy: 7.996988460807273
Encrypted: true
Ssdeep: 12288:I2kEUbOlK2wyuxkVT0qIGk7TeO7Ii2amedllsEqUbBm+wsSqRhxMuTw1gk:I2QLyVwRGkf7Ii8eLuzekcGuTc
Size: 604672
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection | -
Injects a PE file into a foreign process | HIPS / PFW / Operating System Protection Evasion | -
Machine Learning detection for dropped file | AV Detection | -
Modifies the context of a thread in another process (thread injection) | HIPS / PFW / Operating System Protection Evasion | -
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) | Malware Analysis System Evasion | System Information Discovery, Security Software Discovery, Windows Management Instrumentation, Virtualization/Sandbox Evasion
Writes to foreign memory regions | HIPS / PFW / Operating System Protection Evasion | -
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI) | Lowering of HIPS / PFW / Operating System Security Settings | Security Software Discovery, Windows Management Instrumentation
Contains functionality to call native functions | System Summary | -
Contains long sleeps (>= 3 min) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates COM task schedule object (often to register a task for autostart) | Spreading | -
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion | -
Drops PE files | Persistence and Installation Behavior | -
Enables debug privileges | Anti Debugging | -
Queries sensitive BIOS information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) | Malware Analysis System Evasion | System Information Discovery, Windows Management Instrumentation
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines) | Malware Analysis System Evasion | Security Software Discovery, Windows Management Instrumentation, Virtualization/Sandbox Evasion
Queries the volume information (name, serial number, etc.) of a device | Language, Device and Operating System Detection | System Information Discovery
Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection | -
Parts of this application are using the .NET runtime (probably coded in C#) | System Summary | -
Queries process information (via WMI, Win32_Process) | System Summary | System Information Discovery, Windows Management Instrumentation
Spawns processes | System Summary | -

C:\Users\user\AppData\Local\Temp\xddtyli.exe (dropped)

File: C:\Users\user\AppData\Local\Temp\xddtyli.exe
Category: dropped
Dump: xddtyli.exe.5.dr
ID: dr_9
Target ID: 5
Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
Type: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy: 7.9964210206256245
Encrypted: true
Ssdeep: 12288:ixJqKylzOVQ09CcFUPutSMB/ICQieOeTIjDJo6lQxp+GfRPmuE2W98Go:ixJyeR9zSKICQpZ0plQL+QmunW
Size: 643072
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection | -
Machine Learning detection for dropped file | AV Detection | -
Contains long sleeps (>= 3 min) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates COM task schedule object (often to register a task for autostart) | Spreading | -
Drops PE files | Persistence and Installation Behavior | -
Enables debug privileges | Anti Debugging | -
Queries the volume information (name, serial number, etc.) of a device | Language, Device and Operating System Detection | System Information Discovery
Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection | -
Parts of this application are using the .NET runtime (probably coded in C#) | System Summary | -
Spawns processes | System Summary | -

C:\Users\user\AppData\Local\Temp\zhtyxulkfny.exe (dropped)

File: C:\Users\user\AppData\Local\Temp\zhtyxulkfny.exe
Category: dropped
Dump: zhtyxulkfny.exe.14.dr
ID: dr_21
Target ID: 14
Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Type: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy: 7.996988460807273
Encrypted: true
Ssdeep: 12288:I2kEUbOlK2wyuxkVT0qIGk7TeO7Ii2amedllsEqUbBm+wsSqRhxMuTw1gk:I2QLyVwRGkf7Ii8eLuzekcGuTc
Size: 604672
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection | -
Machine Learning detection for dropped file | AV Detection | -
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) | Malware Analysis System Evasion | System Information Discovery, Security Software Discovery, Windows Management Instrumentation, Virtualization/Sandbox Evasion
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI) | Lowering of HIPS / PFW / Operating System Security Settings | Security Software Discovery, Windows Management Instrumentation
Contains long sleeps (>= 3 min) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion | -
Drops PE files | Persistence and Installation Behavior | -
Enables debug privileges | Anti Debugging | -
Queries sensitive BIOS information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) | Malware Analysis System Evasion | System Information Discovery, Windows Management Instrumentation
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines) | Malware Analysis System Evasion | Security Software Discovery, Windows Management Instrumentation, Virtualization/Sandbox Evasion
Queries the volume information (name, serial number, etc.) of a device | Language, Device and Operating System Detection | System Information Discovery
Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Parts of this application are using the .NET runtime (probably coded in C#) | System Summary | -
Queries process information (via WMI, Win32_Process) | System Summary | System Information Discovery, Windows Management Instrumentation
Spawns processes | System Summary | -

C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe (dropped)

File: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe
Category: dropped
Dump: Values.exe.9.dr
ID: dr_14
Target ID: 9
Process: C:\Users\user\AppData\Local\Temp\xddtyli.exe
Type: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy: 7.9964210206256245
Encrypted: true
Ssdeep: 12288:ixJqKylzOVQ09CcFUPutSMB/ICQieOeTIjDJo6lQxp+GfRPmuE2W98Go:ixJyeR9zSKICQpZ0plQL+QmunW
Size: 643072
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection | -
Injects a PE file into a foreign process | HIPS / PFW / Operating System Protection Evasion | -
Machine Learning detection for dropped file | AV Detection | -
Modifies the context of a thread in another process (thread injection) | HIPS / PFW / Operating System Protection Evasion | -
Writes to foreign memory regions | HIPS / PFW / Operating System Protection Evasion | -
Contains long sleeps (>= 3 min) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates COM task schedule object (often to register a task for autostart) | Spreading | -
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion | -
Drops PE files | Persistence and Installation Behavior | -
Enables debug privileges | Anti Debugging | -
Queries the volume information (name, serial number, etc.) of a device | Language, Device and Operating System Detection | System Information Discovery
Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection | -
Parts of this application are using the .NET runtime (probably coded in C#) | System Summary | -
Spawns processes | System Summary | -

C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe:Zone.Identifier (dropped)

File: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe:Zone.Identifier
Category: dropped
Dump: Key.exe_Zone.Identifier.0.dr
ID: dr_0
Target ID: 0
Process: C:\Users\user\Desktop\e2kLb2J2Y7.exe
Type: ASCII text, with CRLF line terminators
Entropy: 3.95006375643621
Encrypted: false
Ssdeep: 3:ggPYV:rPYV
Size: 26
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection | -
Injects a PE file into a foreign process | HIPS / PFW / Operating System Protection Evasion | -
Machine Learning detection for dropped file | AV Detection | -
Modifies the context of a thread in another process (thread injection) | HIPS / PFW / Operating System Protection Evasion | -
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) | Malware Analysis System Evasion | System Information Discovery, Security Software Discovery, Windows Management Instrumentation, Virtualization/Sandbox Evasion
Writes to foreign memory regions | HIPS / PFW / Operating System Protection Evasion | -
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI) | Lowering of HIPS / PFW / Operating System Security Settings | Security Software Discovery, Windows Management Instrumentation
Contains functionality to call native functions | System Summary | -
Contains long sleeps (>= 3 min) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates COM task schedule object (often to register a task for autostart) | Spreading | -
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion | -
Enables debug privileges | Anti Debugging | -
Queries sensitive BIOS information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) | Malware Analysis System Evasion | System Information Discovery, Windows Management Instrumentation
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines) | Malware Analysis System Evasion | Security Software Discovery, Windows Management Instrumentation, Virtualization/Sandbox Evasion
Queries the volume information (name, serial number, etc.) of a device | Language, Device and Operating System Detection | System Information Discovery
Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection | -
Parts of this application are using the .NET runtime (probably coded in C#) | System Summary | -
Queries process information (via WMI, Win32_Process) | System Summary | System Information Discovery, Windows Management Instrumentation
Spawns processes | System Summary | -

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Key.exe.log (dropped)

File: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Key.exe.log
Category: dropped
Dump: Key.exe.log.4.dr
ID: dr_8
Target ID: 4
Process: C:\Users\user\AppData\Local\IsInvalid\koeogrk\Key.exe
Type: CSV text
Entropy: 5.356471432431617
Encrypted: false
Ssdeep: 24:ML9E4KQwKDE4KGKZI6KhRAE4KKUNCsXE4Npv:MxHKQwYHKGSI6oRAHKKkhHNpv
Size: 838
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Values.exe.log (dropped)

File: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Values.exe.log
Category: dropped
Dump: Values.exe.log.12.dr
ID: dr_20
Target ID: 12
Process: C:\Users\user\AppData\Roaming\RevisionNumber\Values.exe
Type: CSV text
Entropy: 5.361636180307982
Encrypted: false
Ssdeep: 12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6KhayoDLI4MWuPCU6yVFO5iv:ML9E4KQwKDE4KGKZI6KhRAE4KKUNb
Size: 621
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\e2kLb2J2Y7.exe.log (dropped)

File: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\e2kLb2J2Y7.exe.log
Category: dropped
Dump: e2kLb2J2Y7.exe.log.0.dr
ID: dr_2
Target ID: 0
Process: C:\Users\user\Desktop\e2kLb2J2Y7.exe
Type: CSV text
Entropy: 5.356471432431617
Encrypted: false
Ssdeep: 24:ML9E4KQwKDE4KGKZI6KhRAE4KKUNCsXE4Npv:MxHKQwYHKGSI6oRAHKKkhHNpv
Size: 838
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus / Scanner detection for submitted sample | AV Detection | -
Multi AV Scanner detection for submitted file | AV Detection | -
Machine Learning detection for sample | AV Detection | -
Binary contains a suspicious time stamp | Data Obfuscation | -
PE file does not import any functions | System Summary | -
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3) | System Summary | -
PE file has an executable .text section and no other executable section | System Summary | -
Parts of this application are using the .NET runtime (probably coded in C#) | System Summary | -
Sample is known by Antivirus | System Summary | -
PE file contains a debug data directory | System Summary | -
Contains modern PE file flags such as dynamic base (ASLR) or NX | Compliance, System Summary | -
PE file contains a COM descriptor data directory | System Summary | -
PE file has a high image base, often used for DLLs | System Summary | -

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\xddtyli.exe.log (dropped)

File: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\xddtyli.exe.log
Category: dropped
Dump: xddtyli.exe.log.9.dr
ID: dr_15
Target ID: 9
Process: C:\Users\user\AppData\Local\Temp\xddtyli.exe
Type: CSV text
Entropy: 5.361636180307982
Encrypted: false
Ssdeep: 12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6KhayoDLI4MWuPCU6yVFO5iv:ML9E4KQwKDE4KGKZI6KhRAE4KKUNb
Size: 621
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\zhtyxulkfny.exe.log (dropped)

File: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\zhtyxulkfny.exe.log
Category: dropped
Dump: zhtyxulkfny.exe.log.17.dr
ID: dr_22
Target ID: 17
Process: C:\Users\user\AppData\Local\Temp\zhtyxulkfny.exe
Type: CSV text
Entropy: 5.356471432431617
Encrypted: false
Ssdeep: 24:ML9E4KQwKDE4KGKZI6KhRAE4KKUNCsXE4Npv:MxHKQwYHKGSI6oRAHKKkhHNpv
Size: 838
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (modified)

File: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Category: modified
Dump: StartupProfileData-NonInteractive.2.dr
ID: dr_5
Target ID: 2
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type: data
Entropy: 0.34726597513537405
Encrypted: false
Ssdeep: 3:Nlll:Nll
Size: 64
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_142zoxi1.oib.ps1 (dropped)

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_142zoxi1.oib.ps1
Category: dropped
Dump: __PSScriptPolicyTest_142zoxi1.oib.ps1.2.dr
ID: dr_6
Target ID: 2
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Creates temporary files | System Summary | -

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3cvdoh0g.iaz.ps1 (dropped)

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3cvdoh0g.iaz.ps1
Category: dropped
Dump: __PSScriptPolicyTest_3cvdoh0g.iaz.ps1.6.dr
ID: dr_12
Target ID: 6
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4nvtqfku.ri2.ps1 (dropped)

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4nvtqfku.ri2.ps1
Category: dropped
Dump: __PSScriptPolicyTest_4nvtqfku.ri2.ps1.10.dr
ID: dr_16
Target ID: 10
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fwyl4it1.mvo.psm1 (dropped)

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fwyl4it1.mvo.psm1
Category: dropped
Dump: __PSScriptPolicyTest_fwyl4it1.mvo.psm1.2.dr
ID: dr_4
Target ID: 2
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lhtdv54i.3nm.psm1 (dropped)

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lhtdv54i.3nm.psm1
Category: dropped
Dump: __PSScriptPolicyTest_lhtdv54i.3nm.psm1.2.dr
ID: dr_7
Target ID: 2
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pnvtic2h.ien.psm1 (dropped)

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pnvtic2h.ien.psm1
Category: dropped
Dump: __PSScriptPolicyTest_pnvtic2h.ien.psm1.10.dr
ID: dr_19
Target ID: 10
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pwhf1zdc.h5s.psm1 (dropped)

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pwhf1zdc.h5s.psm1
Category: dropped
Dump: __PSScriptPolicyTest_pwhf1zdc.h5s.psm1.6.dr
ID: dr_13
Target ID: 6
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rmh0k21e.rgz.ps1 (dropped)

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rmh0k21e.rgz.ps1
Category: dropped
Dump: __PSScriptPolicyTest_rmh0k21e.rgz.ps1.2.dr
ID: dr_3
Target ID: 2
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_slbckglv.hdn.ps1 (dropped)

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_slbckglv.hdn.ps1
Category: dropped
Dump: __PSScriptPolicyTest_slbckglv.hdn.ps1.6.dr
ID: dr_10
Target ID: 6
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_solqoxdo.avw.psm1 (dropped)

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_solqoxdo.avw.psm1
Category: dropped
Dump: __PSScriptPolicyTest_solqoxdo.avw.psm1.6.dr
ID: dr_11
Target ID: 6
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tnpdzbff.jpy.psm1 (dropped)

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tnpdzbff.jpy.psm1
Category: dropped
Dump: __PSScriptPolicyTest_tnpdzbff.jpy.psm1.10.dr
ID: dr_17
Target ID: 10
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y3zy0y5e.cma.ps1 (dropped)

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y3zy0y5e.cma.ps1
Category: dropped
Dump: __PSScriptPolicyTest_y3zy0y5e.cma.ps1.10.dr
ID: dr_18
Target ID: 10
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout