tehtris_offline_forensic_2.6.0.0.exe (initial sample)

Filetype: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy: 7.998291471388156
Filename: tehtris_offline_forensic_2.6.0.0.exe
Filesize: 15502144
MD5: b24e639470b5cc0a46baa9fec06504af
SHA1: 9eed36e3dc36693372baeef8538d3024e75b8d79
SHA256: 1448e64b1323ae0ee97bcd7d712f8cb3a501c7fa06fb486f15da3601f1fa0a09
SHA512: a64578152ecdaf9039ca99253e7108cb4fa7c12173467185dcddd5dc1053d7d75d26a476202a9c1e4fd655c90fd9e88861db3cfa2b1952039936615b29e20e71
SSDEEP: 393216:nRNR3iYOSiUq075W+4nHOdvQRjlTKKvYqFHj7ybKxg:nrdDObodvQRjhLYQPyGxg
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................./...............................@..................................o........................................

Signature Hits | Behavior Group | Mitre Attack
Found pyInstaller with non standard icon | Persistence and Installation Behavior |
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Drops PE files | Persistence and Installation Behavior |
Enables debug privileges | Anti Debugging |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery
Uses 32bit PE files | Compliance, System Summary |
Creates temporary files | System Summary |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
Enumerates the file system | Spreading, Malware Analysis System Evasion | File and Directory Discovery
PE file has an executable .text section and no other executable section | System Summary |
Queries a list of all running processes | Malware Analysis System Evasion |
Queries the cryptographic machine GUID | Language, Device and Operating System Detection |
Reads software policies | System Summary |
Sample reads its own file content | System Summary |
Tries to load missing DLLs | System Summary |
Uses an in-process (OLE) Automation server | System Summary |
PE / OLE file has a valid certificate | Compliance, System Summary |
Submission file is bigger than most known malware samples | System Summary |
Uses new MSVCR Dlls | Compliance, System Summary |

File: C:\Users\user\AppData\Local\Temp\09isgp
Category: dropped
Dump: 09isgp.3.dr
ID: dr_97
Target ID: 3
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: ASCII text, with no line terminators
Entropy: 2.0
Encrypted: false
Size: 4
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\Crypto.Cipher._AES.pyd
Category: dropped
Dump: Crypto.Cipher._AES.pyd.0.dr
ID: dr_19
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 7.038342557344039
Encrypted: false
Size: 29184
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\Include\pyconfig.h
Category: dropped
Dump: pyconfig.h.0.dr
ID: dr_96
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: C source, ASCII text
Entropy: 5.345136937906198
Encrypted: false
Size: 21321
Whitelisted: false

File: C:\Users\user\AppData\Local\Temp\_MEI70442\Microsoft.VC90.CRT.manifest
Category: dropped
Dump: Microsoft.VC90.CRT.manifest.0.dr
ID: dr_20
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: XML 1.0 document, ASCII text, with CRLF line terminators
Entropy: 5.375616908722781
Encrypted: false
Size: 1050
Whitelisted: false

File: C:\Users\user\AppData\Local\Temp\_MEI70442\Microsoft.VC90.MFC.manifest
Category: dropped
Dump: Microsoft.VC90.MFC.manifest.0.dr
ID: dr_21
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: XML 1.0 document, ASCII text, with CRLF line terminators
Entropy: 5.3684366346449774
Encrypted: false
Size: 1139
Whitelisted: false

File: C:\Users\user\AppData\Local\Temp\_MEI70442\PIL._imaging.pyd
Category: dropped
Dump: PIL._imaging.pyd.0.dr
ID: dr_22
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.675206706090499
Encrypted: false
Size: 936960
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\PIL._imagingtk.pyd
Category: dropped
Dump: PIL._imagingtk.pyd.0.dr
ID: dr_23
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 5.3093734784850035
Encrypted: false
Size: 9216
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Users\user\AppData\Local\Temp\_MEI70442\PIL._webp.pyd
Category: dropped
Dump: PIL._webp.pyd.0.dr
ID: dr_24
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.736483891304412
Encrypted: false
Size: 349184
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Users\user\AppData\Local\Temp\_MEI70442\_bsddb.pyd
Category: dropped
Dump: _bsddb.pyd.0.dr
ID: dr_25
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.769727775082088
Encrypted: false
Size: 1107968
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Users\user\AppData\Local\Temp\_MEI70442\_cffi_backend.pyd
Category: dropped
Dump: _cffi_backend.pyd.0.dr
ID: dr_26
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.5618571058390796
Encrypted: false
Size: 119808
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\_ctypes.pyd
Category: dropped
Dump: _ctypes.pyd.0.dr
ID: dr_27
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.497795473929825
Encrypted: false
Size: 93184
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\_hashlib.pyd
Category: dropped
Dump: _hashlib.pyd.0.dr
ID: dr_28
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.841096025901925
Encrypted: false
Size: 1014784
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\_socket.pyd
Category: dropped
Dump: _socket.pyd.0.dr
ID: dr_9
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.550794854150774
Encrypted: false
Size: 48128
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\_sqlite3.pyd
Category: dropped
Dump: _sqlite3.pyd.0.dr
ID: dr_10
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.4946641123978575
Encrypted: false
Size: 51712
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\_ssl.pyd
Category: dropped
Dump: _ssl.pyd.0.dr
ID: dr_11
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.844168786190902
Encrypted: false
Size: 1405952
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\_testcapi.pyd
Category: dropped
Dump: _testcapi.pyd.0.dr
ID: dr_12
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.524339001483802
Encrypted: false
Size: 42496
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Users\user\AppData\Local\Temp\_MEI70442\_win32sysloader.pyd
Category: dropped
Dump: _win32sysloader.pyd.0.dr
ID: dr_13
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 5.061610175097613
Encrypted: false
Size: 7168
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Users\user\AppData\Local\Temp\_MEI70442\bz2.pyd
Category: dropped
Dump: bz2.pyd.0.dr
ID: dr_14
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.752427751594252
Encrypted: false
Size: 72704
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Users\user\AppData\Local\Temp\_MEI70442\cryptography-1.7.2-py2.7.egg-info\DESCRIPTION.rst
Category: dropped
Dump: DESCRIPTION.rst.0.dr
ID: dr_0
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: ASCII text
Entropy: 4.818015898522134
Encrypted: false
Size: 2180
Whitelisted: false

File: C:\Users\user\AppData\Local\Temp\_MEI70442\cryptography-1.7.2-py2.7.egg-info\INSTALLER
Category: dropped
Dump: INSTALLER.0.dr
ID: dr_1
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: ASCII text
Entropy: 1.5
Encrypted: false
Size: 4
Whitelisted: false

File: C:\Users\user\AppData\Local\Temp\_MEI70442\cryptography-1.7.2-py2.7.egg-info\METADATA
Category: dropped
Dump: METADATA.0.dr
ID: dr_2
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: ASCII text, with CRLF line terminators
Entropy: 5.087313118307497
Encrypted: false
Size: 4714
Whitelisted: false

File: C:\Users\user\AppData\Local\Temp\_MEI70442\cryptography-1.7.2-py2.7.egg-info\RECORD
Category: dropped
Dump: RECORD.0.dr
ID: dr_3
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: CSV text
Entropy: 5.59286242988929
Encrypted: false
Size: 11621
Whitelisted: false

File: C:\Users\user\AppData\Local\Temp\_MEI70442\cryptography-1.7.2-py2.7.egg-info\WHEEL
Category: dropped
Dump: WHEEL.0.dr
ID: dr_4
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: ASCII text, with CRLF line terminators
Entropy: 5.037696671172031
Encrypted: false
Size: 102
Whitelisted: false

File: C:\Users\user\AppData\Local\Temp\_MEI70442\cryptography-1.7.2-py2.7.egg-info\entry_points.txt
Category: dropped
Dump: entry_points.txt.0.dr
ID: dr_5
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: ASCII text
Entropy: 4.421562083645507
Encrypted: false
Size: 80
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\cryptography-1.7.2-py2.7.egg-info\metadata.json
Category: dropped
Dump: metadata.json.0.dr
ID: dr_6
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: JSON data
Entropy: 5.048485649819386
Encrypted: false
Size: 2233
Whitelisted: false

File: C:\Users\user\AppData\Local\Temp\_MEI70442\cryptography-1.7.2-py2.7.egg-info\top_level.txt
Category: dropped
Dump: top_level.txt.0.dr
ID: dr_7
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: ASCII text
Entropy: 4.039547553742005
Encrypted: false
Size: 46
Whitelisted: false

File: C:\Users\user\AppData\Local\Temp\_MEI70442\cryptography.hazmat.bindings._constant_time.pyd
Category: dropped
Dump: cryptography.hazmat.bindings._constant_time.pyd.0.dr
ID: dr_15
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 5.21489975199494
Encrypted: false
Size: 7168
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\cryptography.hazmat.bindings._openssl.pyd
Category: dropped
Dump: cryptography.hazmat.bindings._openssl.pyd.0.dr
ID: dr_16
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.801194860825362
Encrypted: false
Size: 1828864
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\embedded\yara\tehtris_enc.yar
Category: dropped
Dump: tehtris_enc.yar.0.dr
ID: dr_8
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: Award BIOS Logo, 136 x 126
Entropy: 7.963714028792397
Encrypted: false
Size: 6021
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.advanced.pyd
Category: dropped
Dump: eof.advanced.pyd.0.dr
ID: dr_17
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.421209039784287
Encrypted: false
Size: 112128
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.autostarts.pyd
Category: dropped
Dump: eof.autostarts.pyd.0.dr
ID: dr_18
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.031592270925895
Encrypted: false
Size: 28160
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.browsers_scan.pyd
Category: dropped
Dump: eof.browsers_scan.browsers_scan.pyd.0.dr
ID: dr_29
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.235311188900963
Encrypted: false
Size: 72192
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.chrome.pyd
Category: dropped
Dump: eof.browsers_scan.chrome.pyd.0.dr
ID: dr_30
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.393962397625901
Encrypted: false
Size: 111616
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.firefox.pyd
Category: dropped
Dump: eof.browsers_scan.firefox.pyd.0.dr
ID: dr_31
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.4305010940571705
Encrypted: false
Size: 188416
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.ie.pyd
Category: dropped
Dump: eof.browsers_scan.ie.pyd.0.dr
ID: dr_32
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.403565031396433
Encrypted: false
Size: 104448
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.misc.pyd
Category: dropped
Dump: eof.browsers_scan.misc.pyd.0.dr
ID: dr_33
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.4559297217011435
Encrypted: false
Size: 148480
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.opera.pyd
Category: dropped
Dump: eof.browsers_scan.opera.pyd.0.dr
ID: dr_34
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.385367048777922
Encrypted: false
Size: 127488
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.optimizejars.pyd
Category: dropped
Dump: eof.browsers_scan.optimizejars.pyd.0.dr
ID: dr_35
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.430005118693343
Encrypted: false
Size: 99328
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.regkey.pyd
Category: dropped
Dump: eof.browsers_scan.regkey.pyd.0.dr
ID: dr_36
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.388477119744748
Encrypted: false
Size: 64512
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.config.pyd
Category: dropped
Dump: eof.config.pyd.0.dr
ID: dr_37
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.050080731883013
Encrypted: false
Size: 37376
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.disk.pyd
Category: dropped
Dump: eof.disk.pyd.0.dr
ID: dr_38
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.41518889933716
Encrypted: false
Size: 121344
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.eof.pyd
Category: dropped
Dump: eof.eof.pyd.0.dr
ID: dr_39
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.402938516007533
Encrypted: false
Size: 147968
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic.pyd
Category: dropped
Dump: eof.forensic.pyd.0.dr
ID: dr_40
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.306665638065492
Encrypted: false
Size: 37888
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.amcache.pyd
Category: dropped
Dump: eof.forensic_scripts.amcache.pyd.0.dr
ID: dr_41
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.406165667882317
Encrypted: false
Size: 128000
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.app_compat_cache.pyd
Category: dropped
Dump: eof.forensic_scripts.app_compat_cache.pyd.0.dr
ID: dr_42
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.4623646493196025
Encrypted: false
Size: 147968
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.prefetch.pyd
Category: dropped
Dump: eof.forensic_scripts.prefetch.pyd.0.dr
ID: dr_43
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.339986881655648
Encrypted: false
Size: 73728
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.recent_file_cache.pyd
Category: dropped
Dump: eof.forensic_scripts.recent_file_cache.pyd.0.dr
ID: dr_44
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.284345532475225
Encrypted: false
Size: 32768
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.registry.pyd
Category: dropped
Dump: eof.forensic_scripts.registry.pyd.0.dr
ID: dr_45
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.251448661506351
Encrypted: false
Size: 45568
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.registry_file.pyd
Category: dropped
Dump: eof.forensic_scripts.registry_file.pyd.0.dr
ID: dr_46
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.543989582605182
Encrypted: false
Size: 444928
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.registry_live.pyd
Category: dropped
Dump: eof.forensic_scripts.registry_live.pyd.0.dr
ID: dr_47
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.328854722149623
Encrypted: false
Size: 43008
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.registry_tracks.pyd
Category: dropped
Dump: eof.forensic_scripts.registry_tracks.pyd.0.dr
ID: dr_48
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.370671966450294
Encrypted: false
Size: 81408
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.volume_shadow_copy.pyd
Category: dropped
Dump: eof.forensic_scripts.volume_shadow_copy.pyd.0.dr
ID: dr_49
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.274525012072884
Encrypted: false
Size: 35840
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.Address.pyd
Category: dropped
Dump: eof.memorpy.Address.pyd.0.dr
ID: dr_50
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.328065824250149
Encrypted: false
Size: 62976
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.BaseProcess.pyd
Category: dropped
Dump: eof.memorpy.BaseProcess.pyd.0.dr
ID: dr_51
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.375886554189573
Encrypted: false
Size: 46080
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.Locator.pyd
Category: dropped
Dump: eof.memorpy.Locator.pyd.0.dr
ID: dr_52
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.322866798850283
Encrypted: false
Size: 48128
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.MemWorker.pyd
Category: dropped
Dump: eof.memorpy.MemWorker.pyd.0.dr
ID: dr_53
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.466899722209181
Encrypted: false
Size: 104960
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.Process.pyd
Category: dropped
Dump: eof.memorpy.Process.pyd.0.dr
ID: dr_54
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 5.848127179924235
Encrypted: false
Size: 14336
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.WinProcess.pyd
Category: dropped
Dump: eof.memorpy.WinProcess.pyd.0.dr
ID: dr_55
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.490350461623646
Encrypted: false
Size: 148992
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.WinStructures.pyd
Category: dropped
Dump: eof.memorpy.WinStructures.pyd.0.dr
ID: dr_56
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.213521072820622
Encrypted: false
Size: 61952
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.structures.pyd
Category: dropped
Dump: eof.memorpy.structures.pyd.0.dr
ID: dr_57
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 5.95774592017594
Encrypted: false
Size: 13312
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.utils.pyd
Category: dropped
Dump: eof.memorpy.utils.pyd.0.dr
ID: dr_58
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.370824695484224
Encrypted: false
Size: 49152
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memscan.pyd
Category: dropped
Dump: eof.memscan.pyd.0.dr
ID: dr_59
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.3736066953123505
Encrypted: false
Size: 70144
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.process.pyd
Category: dropped
Dump: eof.process.pyd.0.dr
ID: dr_60
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.436158035823645
Encrypted: false
Size: 187392
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.psutil_xp.psutil._psutil_windows.pyd
Category: dropped
Dump: eof.psutil_xp.psutil._psutil_windows.pyd.0.dr
ID: dr_61
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.314321948614945
Encrypted: false
Size: 39936
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.tools.pyd
Category: dropped
Dump: eof.tools.pyd.0.dr
ID: dr_62
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.460531976986463
Encrypted: false
Size: 159744
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.windows_scripts.autostarts.pyd
Category: dropped
Dump: eof.windows_scripts.autostarts.pyd.0.dr
ID: dr_63
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.4395796952023865
Encrypted: false
Size: 350720
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.windows_scripts.hosts.pyd
Category: dropped
Dump: eof.windows_scripts.hosts.pyd.0.dr
ID: dr_64
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.149938496707501
Encrypted: false
Size: 26112
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.windows_scripts.installed_softwares.pyd
Category: dropped
Dump: eof.windows_scripts.installed_softwares.pyd.0.dr
ID: dr_65
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.280261100917009
Encrypted: false
Size: 58368
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.windows_scripts.security_products_state.pyd
Category: dropped
Dump: eof.windows_scripts.security_products_state.pyd.0.dr
ID: dr_66
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.3092934476179
Encrypted: false
Size: 56320
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.windows_scripts.signatures.pyd
Category: dropped
Dump: eof.windows_scripts.signatures.pyd.0.dr
ID: dr_67
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.541571332139685
Encrypted: false
Size: 522240
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.yarapy.pyd
Category: dropped
Dump: eof.yarapy.pyd.0.dr
ID: dr_68
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.443168419699998
Encrypted: false
Size: 119808
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\Users\user\AppData\Local\Temp\_MEI70442\mfc90.dll
Category: dropped
Dump: mfc90.dll.0.dr
ID: dr_69
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy: 7.012770356754067
Encrypted: false
Size: 3757568
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Users\user\AppData\Local\Temp\_MEI70442\mfc90u.dll
Category: dropped
Dump: mfc90u.dll.0.dr
ID: dr_70
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy: 7.009508208409266
Encrypted: false
Size: 3772928
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Users\user\AppData\Local\Temp\_MEI70442\mfcm90.dll
Category: dropped
Dump: mfcm90.dll.0.dr
ID: dr_71
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.0508544123612555
Encrypted: false
Size: 59904
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Users\user\AppData\Local\Temp\_MEI70442\mfcm90u.dll
Category: dropped
Dump: mfcm90u.dll.0.dr
ID: dr_72
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.048344728135143
Encrypted: false
Size: 59904
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Users\user\AppData\Local\Temp\_MEI70442\msvcm90.dll
Category: dropped
Dump: msvcm90.dll.0.dr
ID: dr_73
Target ID: 0
Process: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Type: PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 6.034678554881571
Encrypted: false
Size: 225280
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\AppData\Local\Temp\_MEI70442\msvcp90.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Users\user\AppData\Local\Temp\_MEI70442\msvcp90.dll
|
Category: |
dropped
|
Dump: |
msvcp90.dll.0.dr
|
ID: |
dr_74
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
|
Type: |
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
Entropy: |
6.521606850426073
|
Encrypted: |
false
|
Size: |
569680
|
Whitelisted: |
false
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Drops PE files |
Persistence and Installation Behavior |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
C:\Users\user\AppData\Local\Temp\_MEI70442\msvcr90.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Users\user\AppData\Local\Temp\_MEI70442\msvcr90.dll
|
Category: |
dropped
|
Dump: |
msvcr90.dll.0.dr
|
ID: |
dr_75
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
|
Type: |
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
Entropy: |
6.883619619946885
|
Encrypted: |
false
|
Size: |
653136
|
Whitelisted: |
false
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Drops PE files |
Persistence and Installation Behavior |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
C:\Users\user\AppData\Local\Temp\_MEI70442\psutil._psutil_windows.pyd
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Users\user\AppData\Local\Temp\_MEI70442\psutil._psutil_windows.pyd
|
Category: |
dropped
|
Dump: |
psutil._psutil_windows.pyd.0.dr
|
ID: |
dr_76
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
|
Type: |
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
Entropy: |
6.356637922773023
|
Encrypted: |
false
|
Size: |
47616
|
Whitelisted: |
false
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Drops PE files |
Persistence and Installation Behavior |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
Queries the volume information (name, serial number etc) of a device |
Language, Device and Operating System Detection |
System Information Discovery
|
|
C:\Users\user\AppData\Local\Temp\_MEI70442\pyexpat.pyd
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Users\user\AppData\Local\Temp\_MEI70442\pyexpat.pyd
|
Category: |
dropped
|
Dump: |
pyexpat.pyd.0.dr
|
ID: |
dr_77
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
|
Type: |
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
Entropy: |
6.612873761652003
|
Encrypted: |
false
|
Size: |
138240
|
Whitelisted: |
false
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Drops PE files |
Persistence and Installation Behavior |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
Queries the volume information (name, serial number etc) of a device |
Language, Device and Operating System Detection |
System Information Discovery
|
|
C:\Users\user\AppData\Local\Temp\_MEI70442\python27.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Users\user\AppData\Local\Temp\_MEI70442\python27.dll
|
Category: |
dropped
|
Dump: |
python27.dll.0.dr
|
ID: |
dr_78
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
|
Type: |
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
Entropy: |
6.7224146477246824
|
Encrypted: |
false
|
Size: |
2631680
|
Whitelisted: |
false
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Drops PE files |
Persistence and Installation Behavior |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
C:\Users\user\AppData\Local\Temp\_MEI70442\pythoncom27.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Users\user\AppData\Local\Temp\_MEI70442\pythoncom27.dll
|
Category: |
dropped
|
Dump: |
pythoncom27.dll.0.dr
|
ID: |
dr_79
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
|
Type: |
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
Entropy: |
6.645630182293659
|
Encrypted: |
false
|
Size: |
395776
|
Whitelisted: |
false
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Drops PE files |
Persistence and Installation Behavior |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
C:\Users\user\AppData\Local\Temp\_MEI70442\pywintypes27.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Users\user\AppData\Local\Temp\_MEI70442\pywintypes27.dll
|
Category: |
dropped
|
Dump: |
pywintypes27.dll.0.dr
|
ID: |
dr_80
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
|
Type: |
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
Entropy: |
6.581545891211645
|
Encrypted: |
false
|
Size: |
109056
|
Whitelisted: |
false
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Drops PE files |
Persistence and Installation Behavior |
|
|
C:\Users\user\AppData\Local\Temp\_MEI70442\select.pyd
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Users\user\AppData\Local\Temp\_MEI70442\select.pyd
|
Category: |
dropped
|
Dump: |
select.pyd.0.dr
|
ID: |
dr_81
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
|
Type: |
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
Entropy: |
5.995803092493926
|
Encrypted: |
false
|
Size: |
11776
|
Whitelisted: |
false
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Drops PE files |
Persistence and Installation Behavior |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
C:\Users\user\AppData\Local\Temp\_MEI70442\sqlite3.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Users\user\AppData\Local\Temp\_MEI70442\sqlite3.dll
|
Category: |
dropped
|
Dump: |
sqlite3.dll.0.dr
|
ID: |
dr_82
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
|
Type: |
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
Entropy: |
6.7716707465479296
|
Encrypted: |
false
|
Size: |
552960
|
Whitelisted: |
false
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Drops PE files |
Persistence and Installation Behavior |
|
|
C:\Users\user\AppData\Local\Temp\_MEI70442\tehtris_offline_forensic.exe.manifest
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
|
|
|
File: |
C:\Users\user\AppData\Local\Temp\_MEI70442\tehtris_offline_forensic.exe.manifest
|
Category: |
dropped
|
Dump: |
tehtris_offline_forensic.exe.manifest.0.dr
|
ID: |
dr_83
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
|
Type: |
XML 1.0 document, ASCII text, with CRLF line terminators
|
Entropy: |
5.2677010672417275
|
Encrypted: |
false
|
Size: |
1603
|
Whitelisted: |
false
|
|
C:\Users\user\AppData\Local\Temp\_MEI70442\unicodedata.pyd
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Users\user\AppData\Local\Temp\_MEI70442\unicodedata.pyd
|
Category: |
dropped
|
Dump: |
unicodedata.pyd.0.dr
|
ID: |
dr_84
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
|
Type: |
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
Entropy: |
5.43571815419785
|
Encrypted: |
false
|
Size: |
688640
|
Whitelisted: |
false
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Drops PE files |
Persistence and Installation Behavior |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
Queries the volume information (name, serial number etc) of a device |
Language, Device and Operating System Detection |
System Information Discovery
|
|
C:\Users\user\AppData\Local\Temp\_MEI70442\win32api.pyd
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Users\user\AppData\Local\Temp\_MEI70442\win32api.pyd
|
Category: |
dropped
|
Dump: |
win32api.pyd.0.dr
|
ID: |
dr_85
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
|
Type: |
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
Entropy: |
6.5766707412687975
|
Encrypted: |
false
|
Size: |
99328
|
Whitelisted: |
false
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Drops PE files |
Persistence and Installation Behavior |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
Queries the volume information (name, serial number etc) of a device |
Language, Device and Operating System Detection |
System Information Discovery
|
|
C:\Users\user\AppData\Local\Temp\_MEI70442\win32com.shell.shell.pyd
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Users\user\AppData\Local\Temp\_MEI70442\win32com.shell.shell.pyd
|
Category: |
dropped
|
Dump: |
win32com.shell.shell.pyd.0.dr
|
ID: |
dr_86
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
|
Type: |
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
Entropy: |
6.5675400080246416
|
Encrypted: |
false
|
Size: |
360448
|
Whitelisted: |
false
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Drops PE files |
Persistence and Installation Behavior |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
Queries the volume information (name, serial number etc) of a device |
Language, Device and Operating System Detection |
System Information Discovery
|
|
C:\Users\user\AppData\Local\Temp\_MEI70442\win32console.pyd
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Users\user\AppData\Local\Temp\_MEI70442\win32console.pyd
|
Category: |
dropped
|
Dump: |
win32console.pyd.0.dr
|
ID: |
dr_87
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
|
Type: |
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
Entropy: |
6.318278473401064
|
Encrypted: |
false
|
Size: |
44544
|
Whitelisted: |
false
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Drops PE files |
Persistence and Installation Behavior |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
Queries the volume information (name, serial number etc) of a device |
Language, Device and Operating System Detection |
System Information Discovery
|
|
C:\Users\user\AppData\Local\Temp\_MEI70442\win32evtlog.pyd
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Users\user\AppData\Local\Temp\_MEI70442\win32evtlog.pyd
|
Category: |
dropped
|
Dump: |
win32evtlog.pyd.0.dr
|
ID: |
dr_88
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
|
Type: |
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
Entropy: |
6.45651820282447
|
Encrypted: |
false
|
Size: |
48640
|
Whitelisted: |
false
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Drops PE files |
Persistence and Installation Behavior |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
C:\Users\user\AppData\Local\Temp\_MEI70442\win32file.pyd
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Users\user\AppData\Local\Temp\_MEI70442\win32file.pyd
|
Category: |
dropped
|
Dump: |
win32file.pyd.0.dr
|
ID: |
dr_89
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
|
Type: |
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
Entropy: |
6.623329768965339
|
Encrypted: |
false
|
Size: |
118784
|
Whitelisted: |
false
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Drops PE files |
Persistence and Installation Behavior |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
Queries the volume information (name, serial number etc) of a device |
Language, Device and Operating System Detection |
System Information Discovery
|
|
C:\Users\user\AppData\Local\Temp\_MEI70442\win32gui.pyd
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Users\user\AppData\Local\Temp\_MEI70442\win32gui.pyd
|
Category: |
dropped
|
Dump: |
win32gui.pyd.0.dr
|
ID: |
dr_90
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
|
Type: |
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
Entropy: |
6.58733338676621
|
Encrypted: |
false
|
Size: |
166912
|
Whitelisted: |
false
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Drops PE files |
Persistence and Installation Behavior |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
Queries the volume information (name, serial number etc) of a device |
Language, Device and Operating System Detection |
System Information Discovery
|
|
C:\Users\user\AppData\Local\Temp\_MEI70442\win32pipe.pyd
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Users\user\AppData\Local\Temp\_MEI70442\win32pipe.pyd
|
Category: |
dropped
|
Dump: |
win32pipe.pyd.0.dr
|
ID: |
dr_91
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
|
Type: |
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
Entropy: |
6.187314720225589
|
Encrypted: |
false
|
Size: |
23040
|
Whitelisted: |
false
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Drops PE files |
Persistence and Installation Behavior |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
C:\Users\user\AppData\Local\Temp\_MEI70442\win32process.pyd
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Users\user\AppData\Local\Temp\_MEI70442\win32process.pyd
|
Category: |
dropped
|
Dump: |
win32process.pyd.0.dr
|
ID: |
dr_92
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
|
Type: |
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
Entropy: |
6.382798861959788
|
Encrypted: |
false
|
Size: |
35840
|
Whitelisted: |
false
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Drops PE files |
Persistence and Installation Behavior |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
Queries the volume information (name, serial number etc) of a device |
Language, Device and Operating System Detection |
System Information Discovery
|
|
C:\Users\user\AppData\Local\Temp\_MEI70442\win32security.pyd
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Users\user\AppData\Local\Temp\_MEI70442\win32security.pyd
|
Category: |
dropped
|
Dump: |
win32security.pyd.0.dr
|
ID: |
dr_93
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
|
Type: |
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
Entropy: |
6.535853767796153
|
Encrypted: |
false
|
Size: |
107520
|
Whitelisted: |
false
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Drops PE files |
Persistence and Installation Behavior |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
C:\Users\user\AppData\Local\Temp\_MEI70442\win32trace.pyd
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Users\user\AppData\Local\Temp\_MEI70442\win32trace.pyd
|
Category: |
dropped
|
Dump: |
win32trace.pyd.0.dr
|
ID: |
dr_94
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
|
Type: |
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
Entropy: |
5.772736762466878
|
Encrypted: |
false
|
Size: |
14848
|
Whitelisted: |
false
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Drops PE files |
Persistence and Installation Behavior |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
C:\Users\user\AppData\Local\Temp\_MEI70442\win32ui.pyd
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
File: |
C:\Users\user\AppData\Local\Temp\_MEI70442\win32ui.pyd
|
Category: |
dropped
|
Dump: |
win32ui.pyd.0.dr
|
ID: |
dr_95
|
Target ID: |
0
|
Process: |
C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
|
Type: |
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
Entropy: |
6.3748021173150855
|
Encrypted: |
false
|
Size: |
778240
|
Whitelisted: |
false
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Drops PE files |
Persistence and Installation Behavior |
|
Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
C:\Users\user\AppData\Local\Temp\tmpo8tal6\gen_py\__init__.py
|
ASCII text, with CRLF line terminators
|
dropped
|
|
|
|
File: |
C:\Users\user\AppData\Local\Temp\tmpo8tal6\gen_py\__init__.py
|
Category: |
dropped
|
Dump: |
__init__.py.3.dr
|
ID: |
dr_98
|
Target ID: |
3
|
Process: |
C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
|
Type: |
ASCII text, with CRLF line terminators
|
Entropy: |
4.713840781302666
|
Encrypted: |
false
|
Size: |
176
|
Whitelisted: |
false
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Queries the volume information (name, serial number etc) of a device |
Language, Device and Operating System Detection |
System Information Discovery
|
|
C:\Users\user\AppData\Local\Temp\tmpo8tal6\gen_py\dicts.dat
|
ASCII text
|
dropped
|
|
|
|
File: |
C:\Users\user\AppData\Local\Temp\tmpo8tal6\gen_py\dicts.dat
|
Category: |
dropped
|
Dump: |
dicts.dat.3.dr
|
ID: |
dr_99
|
Target ID: |
3
|
Process: |
C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
|
Type: |
ASCII text
|
Entropy: |
2.721928094887362
|
Encrypted: |
false
|
Size: |
10
|
Whitelisted: |
false
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Queries the volume information (name, serial number etc) of a device |
Language, Device and Operating System Detection |
System Information Discovery
|
|
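The `_MEI70442` directory in the paths above is where the PyInstaller bootloader unpacks the bundled runtime before it starts the embedded Python program, so the "Found dropped PE file which has not been started or loaded" hits on the MSVC runtime DLLs and the `win32*.pyd` modules are what a onefile bundle normally produces: every bundled binary is written out up front and only the modules the script actually imports are ever loaded. The Entropy column is Shannon entropy in bits per byte (any 10-byte file whose byte counts are 2,2,2,1,1,1,1 scores exactly 2.721928..., the value shown for dicts.dat), so the values between 2.7 and 6.9 here are ordinary code and text, which is why every record reads Encrypted: false. The Python script below is an added example, not part of the sandbox report or of the analysed tool: it parses records in the raw export layout (each field as a `Key: |` line, the value on the next line, then a `|` separator line) into dicts, recomputes the entropy metric, and groups the drops by directory. The two-record sample input is constructed from the msvcr90.dll and dicts.dat entries; the 7.5 cut-off for "likely packed" and the `_MEI<digits>` regex are assumptions of this example, since the report does not state what threshold drives its Encrypted flag.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed two-record excerpt in the raw "Key: |" / value / "|" export layout,
# copied from the msvcr90.dll and dicts.dat entries of the report.
SAMPLE_REPORT = r"""
File: |
C:\Users\user\AppData\Local\Temp\_MEI70442\msvcr90.dll
|
Category: |
dropped
|
Type: |
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
Entropy: |
6.883619619946885
|
Encrypted: |
false
|
Size: |
653136
|
File: |
C:\Users\user\AppData\Local\Temp\tmpo8tal6\gen_py\dicts.dat
|
Category: |
dropped
|
Type: |
ASCII text
|
Entropy: |
2.721928094887362
|
Encrypted: |
false
|
Size: |
10
|
"""

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*): \|$")  # matches "Entropy: |", "Target ID: |", ...
MEI_DIR_RE = re.compile(r"\\_MEI\d+\\")               # assumption: PyInstaller's _MEI<pid> temp dir
PACKED_THRESHOLD = 7.5  # assumption: the report does not state the cut-off behind "Encrypted"


def parse_records(text: str) -> list:
    """Turn the flattened 'Key: |' / value / '|' layout into one dict per File: entry."""
    records, current, key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "|":          # separator rows carry no data
            continue
        m = FIELD_RE.match(line)
        if m:
            key = m.group(1)
            if key == "File":                # every File: field opens a new record
                current = {}
                records.append(current)
            continue
        # The first data line after a key is its value; anything later under the
        # same key (signature-hit rows, collapsed summary rows) is ignored.
        if current is not None and key is not None and key not in current:
            current[key] = line
    return records


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0), the metric the Entropy column reports."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(records: list, threshold: float = PACKED_THRESHOLD) -> dict:
    """Group parsed records by drop directory and annotate each file with triage flags."""
    by_dir = defaultdict(list)
    for rec in records:
        directory, _, name = rec["File"].rpartition("\\")
        entropy = float(rec["Entropy"])
        by_dir[directory].append({
            "name": name,
            "size": int(rec["Size"]),
            "entropy": entropy,
            "is_pe": rec["Type"].startswith("PE32"),
            "pyinstaller_extract": bool(MEI_DIR_RE.search(rec["File"])),
            "likely_packed": entropy >= threshold,   # assumption-based heuristic, see above
        })
    return dict(by_dir)


if __name__ == "__main__":
    for directory, files in triage(parse_records(SAMPLE_REPORT)).items():
        print(directory)
        for f in files:
            print(f"  {f['name']:<14} {f['size']:>8} B  H={f['entropy']:.3f}  "
                  f"pe={f['is_pe']} mei={f['pyinstaller_extract']} packed={f['likely_packed']}")
```

Run against the full export, the grouping separates the bootloader's `_MEI70442` extraction from the `tmpo8tal6\gen_py` cache that the Python code wrote itself (Target ID 3 rather than 0), which is the split an analyst wants when deciding which drops are PyInstaller plumbing and which are the program's own behaviour. The `shannon_entropy` helper is there to recompute the metric on a dumped file and compare it with the column; a compressed onefile bundle such as the initial sample lands near 8.0, while the extracted DLLs and .pyd modules stay in the 5 to 7 range.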