File: IT01879020517_uGIim_xml#U00b7pdf.exe
Category: initial sample
Filetype: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy: 7.591716388385503
Filesize: 506088
MD5: a4ada4d174edbc7a29ab1989d365cb08
SHA1: a8a5785534b6a05c0fda182ecad4c324c5255b31
SHA256: 054a14f915649b7812d6677bdc110a078570d23417c8fcd96dcf67f7546a4bba
SHA512: 5a1b2fa6e8dfd1c9eb1c76767cdb0d588b658bb00d1c644d5995d7af1024d497bdfea1ee095d7a86ee80f90d6a0dbfb8f4e7216ef5b07ba4c3a118057d269896
SSDEEP: 12288:R0Nwzz8LtOAbgfIEYD0qoLjfZTU2V2kkN/4zY9U3Bbv:fzzSOAbP50BLrJU2Vn2/UR7
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG..sw..PG..VA..PG.Rich.PG.........PE..L...".$_.................f...|......H3............@

Signature Hits | Behavior Group | MITRE ATT&CK
Multi AV Scanner detection for submitted file | AV Detection |
Machine Learning detection for sample | AV Detection |
Suspicious powershell command line found | Data Obfuscation | Access Token Manipulation
Contains functionality for read data from the clipboard | Key, Mouse, Clipboard, Microphone and Screen Capturing |
Contains functionality to shutdown / reboot the system | System Summary | Access Token Manipulation, Security Software Discovery
Detected potential crypto function | System Summary | Access Token Manipulation, Security Software Discovery
Drops PE files | Persistence and Installation Behavior | Access Token Manipulation
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Stores files to the Windows start menu directory | Boot Survival | Security Software Discovery
Uses 32bit PE files | Compliance, System Summary |
Contains functionality to adjust token privileges (e.g. debug / backup) | System Summary | Access Token Manipulation
Contains functionality to check free disk space | System Summary | Security Software Discovery
Contains functionality to enumerate / list files inside a directory | Spreading, Malware Analysis System Evasion | File and Directory Discovery, Security Software Discovery
Contains functionality to instantiate COM classes | System Summary | Access Token Manipulation
Contains functionality to query windows version | Language, Device and Operating System Detection |
Creates files inside the user directory | System Summary |
Creates temporary files | System Summary | Security Software Discovery
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection | Security Software Discovery
PE file has an executable .text section and no other executable section | System Summary | Access Token Manipulation
Program exit points | Malware Analysis System Evasion |
Reads ini files | System Summary |
Reads software policies | System Summary | Access Token Manipulation
Sample is known by Antivirus | System Summary | Access Token Manipulation
Sample reads its own file content | System Summary | Access Token Manipulation
Tries to load missing DLLs | System Summary |
Uses an in-process (OLE) Automation server | System Summary | Access Token Manipulation
Contains modern PE file flags such as dynamic base (ASLR) or NX | Compliance, System Summary |

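The Entropy, Size and hash columns above are what an analyst has before the files are pulled from the sandbox. The following triage helper is an added example, not part of the sandbox report: it computes Shannon entropy on the same 0 to 8 bits-per-byte scale the report uses, locates the NSIS archive magic that libmagic reports as "Nullsoft Installer self-extracting archive", and groups the transcribed records so that byte-identical drops (Loupen.exe has the same size, entropy and ssdeep as the initial sample) and high-entropy non-PE blobs (Neuraxial.Aca) surface first. The byte strings are constructed; the record list is transcribed from this report; the 7.2 threshold is a working assumption, not a value from the page.

```python
import hashlib
import math
from collections import Counter

# NSIS "firstheader" magic as 7-Zip's NSIS handler matches it:
# 0xDEADBEEF little-endian followed by the ASCII string NullsoftInst.
NSIS_SIGNATURE = b"\xef\xbe\xad\xdeNullsoftInst"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0), the scale used by the
    report's Entropy column. Two distinct bytes in a 2-byte file give 1.0,
    which is the value the report shows for the 2-byte UTF-16 temp file."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_nsis_header(data: bytes) -> int:
    """Offset of the NSIS firstheader, or -1. NSIS stores its archive in the
    PE overlay, so the magic appears after the last section, not in a header."""
    return data.find(NSIS_SIGNATURE)


def hash_record(data: bytes) -> dict:
    """The same digests the report lists, for matching against other feeds."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


# Transcribed from the report: (path, size in bytes, entropy, type summary).
REPORT_RECORDS = [
    (r"C:\Users\user\Desktop\IT01879020517_uGIim_xml#U00b7pdf.exe", 506088, 7.591716388385503, "PE32 NSIS installer"),
    (r"C:\Users\user\AppData\Local\Temp\Loupen.exe", 506088, 7.591716388385503, "PE32 NSIS installer"),
    (r"C:\Users\user\AppData\Local\kilns\Unobtainably\Iatrochemically\Neuraxial.Aca", 353544, 7.5893504937613026, "data"),
    (r"C:\Users\user\AppData\Local\kilns\Unobtainably\Iatrochemically\Rockmusikkens.Und", 70909, 5.210364249702167, "ASCII text"),
    (r"C:\Users\user\AppData\Local\Temp\nsa7ECD.tmp\nsDialogs.dll", 9728, 5.127987026925379, "PE32 DLL"),
    (r"C:\ProgramData\remcos\logs.dat", 144, 6.687218230578942, "data"),
]


def triage(records, high=7.2):
    """Pull-down order for an analyst: high-entropy files that are not PE
    images are the usual place an encrypted second stage hides; high-entropy
    PEs are packed or, as here, NSIS-compressed installers. The threshold is
    an assumption for this example."""
    flagged = []
    for path, _size, entropy, ftype in records:
        if entropy < high:
            continue
        if "PE32" in ftype:
            flagged.append((path, "high-entropy PE: packed or compressed installer"))
        else:
            flagged.append((path, "high-entropy non-PE: candidate encrypted payload"))
    return flagged


def find_duplicates(records):
    """Group records that share (size, entropy): a cheap stand-in for hash
    comparison when only the report's columns are at hand. Confirm with
    hash_record() once the dumps are available."""
    groups = {}
    for path, size, entropy, _ftype in records:
        groups.setdefault((size, round(entropy, 6)), []).append(path)
    return [paths for paths in groups.values() if len(paths) > 1]


if __name__ == "__main__":
    for path, why in triage(REPORT_RECORDS):
        print(f"{why}: {path}")
    for group in find_duplicates(REPORT_RECORDS):
        print("same size and entropy:", " == ".join(group))
```

Entropy alone does not distinguish compression from encryption (both installers and the 353544-byte blob sit near 7.59), so the split on PE-or-not is what makes the ordering useful; the NSIS magic check is the quick way to confirm that a high-entropy PE is an installer before unpacking it with 7-Zip.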
File: C:\ProgramData\remcos\logs.dat
Category: modified
Dump: logs.dat.2.dr
ID: dr_18
Target ID: 2
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: data
Entropy: 6.687218230578942
Encrypted: false
Ssdeep: 3:iynElHECWp1SajVsKl+/ZSCXnJL+Xvpw2k2uq0lE1E79ZqRdPeCKN:i+AOMmRwXJKBDeq0lE1E79ZEPeX
Size: 144
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | MITRE ATT&CK
Sigma detected: Remcos | Stealing of Sensitive Information |

File: C:\Users\user\AppData\Local\Temp\Loupen.exe
Category: dropped
Dump: Loupen.exe.2.dr
ID: dr_15
Target ID: 2
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy: 7.591716388385503
Encrypted: false
Ssdeep: 12288:R0Nwzz8LtOAbgfIEYD0qoLjfZTU2V2kkN/4zY9U3Bbv:fzzSOAbP50BLrJU2Vn2/UR7
Size: 506088
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | MITRE ATT&CK
Machine Learning detection for dropped file | AV Detection |
Powershell drops PE file | System Summary |
Drops PE files | Persistence and Installation Behavior |

File: C:\Users\user\AppData\Local\Temp\Loupen.exe:Zone.Identifier
Category: dropped
Dump: Loupen.exe_Zone.Identifier.2.dr
ID: dr_14
Target ID: 2
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with CRLF line terminators
Entropy: 3.95006375643621
Encrypted: false
Ssdeep: 3:ggPYV:rPYV
Size: 26
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | MITRE ATT&CK
Machine Learning detection for dropped file | AV Detection |

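The entry above is the Mark-of-the-Web alternate data stream written alongside Loupen.exe; the report gives its size (26 bytes) and type but not its content. The code below is an added example, not part of the report, showing how that stream is parsed and read: a stream containing only a [ZoneTransfer] header and ZoneId=3 is exactly 26 bytes with CRLF line endings, and when HostUrl or ReferrerUrl lines are present they record the download origin, which is the detail worth recovering during forensics. The stream bytes are constructed, and the example does not claim to know which zone the sample's stream carried.

```python
from typing import Optional

# URLMON security zone ids as written to the Zone.Identifier stream.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(raw: bytes) -> dict:
    """Parse the INI-style [ZoneTransfer] section. Returns {} when the
    section is absent. ReferrerUrl and HostUrl, when present, are the most
    useful forensic fields because they record where the file came from."""
    fields = {}
    in_section = False
    for line in raw.decode("utf-8", "replace").splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    if "ZoneId" in fields:
        zone = int(fields["ZoneId"])
        fields["ZoneId"] = zone
        fields["ZoneName"] = ZONE_NAMES.get(zone, "unknown")
    return fields


def build_zone_identifier(zone_id: int, referrer: Optional[str] = None,
                          host: Optional[str] = None) -> bytes:
    """Produce the stream as Windows writes it (CRLF-terminated, ASCII).
    With only ZoneId=3 the result is exactly 26 bytes, the size listed for
    Loupen.exe:Zone.Identifier above; a HostUrl line makes it longer."""
    lines = ["[ZoneTransfer]", f"ZoneId={zone_id}"]
    if referrer:
        lines.append(f"ReferrerUrl={referrer}")
    if host:
        lines.append(f"HostUrl={host}")
    return ("\r\n".join(lines) + "\r\n").encode("ascii")


def read_mark_of_the_web(path: str) -> dict:
    """Read the stream from an NTFS volume (Windows only); {} when absent.
    The ':Zone.Identifier' suffix is the NTFS alternate-data-stream syntax."""
    try:
        with open(path + ":Zone.Identifier", "rb") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return {}


def is_from_internet(fields: dict) -> bool:
    """ZoneId 3 or 4 is what SmartScreen and Office Protected View key on."""
    return fields.get("ZoneId", 0) >= 3
```

A copy made with PowerShell's Copy-Item keeps the source file's stream, so a ZoneId on a dropped copy says where the original came from, not that the dropper itself downloaded it; the HostUrl field, when present, is what settles that question.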
File: C:\Users\user\AppData\Local\Temp\nsa7ECD.tmp\BgImage.dll
Category: dropped
Dump: BgImage.dll.0.dr
ID: dr_0
Target ID: 0
Process: C:\Users\user\Desktop\IT01879020517_uGIim_xml#U00b7pdf.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 5.185955322889032
Encrypted: false
Ssdeep: 96:8eZ0AKTIfv7QCUsthvNL85s4lk38Eb3CDfvEh8uLzqk4jnLiEQjJ3KxkP:tXBfjbUA/85q3wEh8uLmVLpmP
Size: 7680
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | MITRE ATT&CK
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Users\user\AppData\Local\Temp\nsa7ECD.tmp\UserInfo.dll
Category: dropped
Dump: UserInfo.dll.0.dr
ID: dr_1
Target ID: 0
Process: C:\Users\user\Desktop\IT01879020517_uGIim_xml#U00b7pdf.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 3.3299050324162005
Encrypted: false
Ssdeep: 48:qKiRbhg7V46Br1wHsl9rECxZShMmj3tPRYBA:52OVZruHs1xH6t+i
Size: 4096
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | MITRE ATT&CK
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Users\user\AppData\Local\Temp\nsa7ECD.tmp\nsDialogs.dll
Category: dropped
Dump: nsDialogs.dll.0.dr
ID: dr_11
Target ID: 0
Process: C:\Users\user\Desktop\IT01879020517_uGIim_xml#U00b7pdf.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 5.127987026925379
Encrypted: false
Ssdeep: 96:o2DlD3cd51V1zL7xqEscxM2DjDf3GEst+Nt+jvcx4T8qndYv0PLE:o2p34z/x3sREskpx4dO0PLE
Size: 9728
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | MITRE ATT&CK
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Users\user\AppData\Local\kilns\Unobtainably\Iatrochemically\Rockmusikkens.Und
Category: dropped
Dump: Rockmusikkens.Und.0.dr
ID: dr_3
Target ID: 0
Process: C:\Users\user\Desktop\IT01879020517_uGIim_xml#U00b7pdf.exe
Type: ASCII text, with very long lines (65536), with no line terminators
Entropy: 5.210364249702167
Encrypted: false
Ssdeep: 1536:vVlZsgRlf+yg6MpK5nBpuppTyxiPStyrl/xxQnJ7fwxyfdt5Y:vSSffMpKwptyxi6tgDxSJDDfb5Y
Size: 70909
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | MITRE ATT&CK
Sigma detected: Suspicious Script Execution From Temp Folder | System Summary |
Suspicious powershell command line found | Data Obfuscation |
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE | System Summary |
Sigma detected: Non Interactive PowerShell Process Spawned | System Summary |
Spawns processes | System Summary |

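The three Sigma rule names attached to this file, together with the Remcos hit on C:\ProgramData\remcos\logs.dat earlier, are the detections a SOC would want to reproduce from its own process and file telemetry. The block below is an added example, not part of the report and not the upstream Sigma rule bodies: each rule is a simplified paraphrase of the condition its name describes, run over Sysmon-style events. The events, including every command line in them, are constructed for illustration; the report does not reproduce the sample's real command lines, and nothing here should be read as them.

```python
import re

# Simplified conditions for the Sigma rule names listed above, plus a path
# indicator for the Remcos log file. Paraphrased for this example only.
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run", re.I)
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe", "code.exe"}
REMCOS_FILES = ("\\programdata\\remcos\\logs.dat",)


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def rule_run_key_reg(ev) -> bool:
    """reg.exe adding a value under a CurrentVersion\\Run key."""
    if ev["EventType"] != "ProcessCreate" or basename(ev["Image"]) != "reg.exe":
        return False
    cmd = ev["CommandLine"]
    return " add " in f" {cmd.lower()} " and RUN_KEY.search(cmd) is not None


def rule_script_from_temp(ev) -> bool:
    """A script host whose command line references a temp or public directory."""
    if ev["EventType"] != "ProcessCreate" or basename(ev["Image"]) not in SCRIPT_HOSTS:
        return False
    cmd = ev["CommandLine"].lower()
    return any(d in cmd for d in TEMP_DIRS)


def rule_noninteractive_powershell(ev) -> bool:
    """PowerShell whose parent is not a shell a user would type into."""
    if ev["EventType"] != "ProcessCreate" or basename(ev["Image"]) not in {"powershell.exe", "pwsh.exe"}:
        return False
    return basename(ev.get("ParentImage", "")) not in INTERACTIVE_PARENTS


def rule_remcos_log_file(ev) -> bool:
    """File-create on the path the report flags as the Remcos log."""
    return ev["EventType"] == "FileCreate" and ev["TargetFilename"].lower().endswith(REMCOS_FILES)


RULES = {
    "Potential Persistence Attempt Via Run Keys Using Reg.EXE": rule_run_key_reg,
    "Suspicious Script Execution From Temp Folder": rule_script_from_temp,
    "Non Interactive PowerShell Process Spawned": rule_noninteractive_powershell,
    "Remcos log file written": rule_remcos_log_file,
}


def evaluate(events):
    """Map event index to the sorted rule names it triggers; silent events are omitted."""
    hits = {}
    for i, ev in enumerate(events):
        names = sorted(name for name, rule in RULES.items() if rule(ev))
        if names:
            hits[i] = names
    return hits


# Constructed Sysmon-style events; the command lines are invented, not the sample's.
EVENTS = [
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\user\Desktop\IT01879020517_uGIim_xml#U00b7pdf.exe",
     "CommandLine": r"powershell.exe -WindowStyle Hidden -File C:\Users\user\AppData\Local\Temp\stage.ps1"},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\SysWOW64\reg.exe",
     "ParentImage": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loupen /t REG_SZ /d C:\Users\user\AppData\Local\Temp\Loupen.exe /f"},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},
    {"EventType": "FileCreate",
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\ProgramData\remcos\logs.dat"},
]

if __name__ == "__main__":
    for index, names in evaluate(EVENTS).items():
        print(index, EVENTS[index]["Image"], "->", "; ".join(names))
```

The interactive-PowerShell event (index 2) stays silent on purpose; the parent-process test is what keeps the non-interactive rule from firing on every admin session, and the matching on backslash-delimited paths is done on lowercased strings because Windows paths are case-insensitive.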
File: C:\ProgramData\Microsoft\Network\Downloader\edb.log
Category: dropped
Dump: edb.log.16.dr
ID: dr_20
Target ID: 16
Process: C:\Windows\System32\svchost.exe
Type: data
Entropy: 0.8008208935670602
Encrypted: false
Ssdeep: 1536:CJD1YBdWK7S50AhnZ0Ag0ALzJVEbJBJlPVPEH3cNkPfF7Njg9QaQfOgFrGXuE5T8:CJC5rk0X+MbJ72D4qgfiaDhvO7VMBfn
Size: 1310720
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | MITRE ATT&CK
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
Category: dropped
Dump: qmgr.db.16.dr
ID: dr_21
Target ID: 16
Process: C:\Windows\System32\svchost.exe
Type: Extensible storage engine DataBase, version 0x620, checksum 0xb598f686, page size 16384, DirtyShutdown, Windows version 10.0
Entropy: 0.7716005013467122
Encrypted: false
Ssdeep: 1536:7SB2ESB2SSjlK/7vqlC06Z546I50AEzJ+Ykr3g16XWq2UPkLk+kFLKho38o38+W6:7aza9vqcHbrq2UyUVWlW
Size: 1310720
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | MITRE ATT&CK
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
Category: dropped
Dump: qmgr.jfm.16.dr
ID: dr_19
Target ID: 16
Process: C:\Windows\System32\svchost.exe
Type: data
Entropy: 0.081736692290686
Encrypted: false
Ssdeep: 3:R1/EYew3kWr8qrrvr+gvrr/4X/illVmctlll/Sm1l1:R1/Ezf1gn/hLPPv
Size: 16384
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | MITRE ATT&CK
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery

File: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_powershell.exe_763cc06ddd191e0b2a3c26e6eec71deecc9f88_f469684b_67036ab9-a9a5-4c9a-8111-79a84e4dcabe\Report.wer
Category: dropped
Dump: Report.wer.25.dr
ID: dr_28
Target ID: 25
Process: C:\Windows\SysWOW64\WerFault.exe
Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy: 1.6325224812564314
Encrypted: false
Ssdeep: 384:1oeXj/i5oaQH0BjwOhGAgRzuiFCY4IO8T:VXj6oaQ0BjwuIRzuiFCY4IO8
Size: 65536
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_powershell.exe_eeb76350ac29bb3b486937f9169f68096e924e2_f469684b_5f7c8348-3926-4c3f-a256-55d37fae53f0\Report.wer
Category: dropped
Dump: Report.wer.28.dr
ID: dr_32
Target ID: 28
Process: C:\Windows\SysWOW64\WerFault.exe
Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy: 1.6329088595073513
Encrypted: false
Ssdeep: 192:kAKCie/m5n0gXKeVPjavOy0LGAgJNZrHzuiFCZ24IO8T:jXj/m50wzVPjwOhGAgRzuiFCY4IO8T
Size: 65536
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E5A.tmp.dmp
Category: dropped
Dump: WER7E5A.tmp.dmp.25.dr
ID: dr_25
Target ID: 25
Process: C:\Windows\SysWOW64\WerFault.exe
Type: Mini DuMP crash report, 15 streams, Fri Jul 12 07:47:38 2024, 0x1205a4 type
Entropy: 3.5824022655735392
Encrypted: false
Ssdeep: 6144:rivpR8sMTfwMoYRN4EyKTg50/yafrKJt:r6ztabpTa0/yaf2
Size: 567026
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WER8129.tmp.WERInternalMetadata.xml
Category: dropped
Dump: WER8129.tmp.WERInternalMetadata.xml.25.dr
ID: dr_26
Target ID: 25
Process: C:\Windows\SysWOW64\WerFault.exe
Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy: 3.7191258757953425
Encrypted: false
Ssdeep: 192:R6l7wVeJvWl6QZcKc62c6eYMDwhqWprj89bVP22sf0nnm:R6lXJC6dHuTYMDwh0V0f0m
Size: 6366
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WER8169.tmp.xml
Category: dropped
Dump: WER8169.tmp.xml.25.dr
ID: dr_27
Target ID: 25
Process: C:\Windows\SysWOW64\WerFault.exe
Type: XML 1.0 document, ASCII text, with CRLF line terminators
Entropy: 4.462541071124005
Encrypted: false
Ssdeep: 48:cvIwWl8zsMJg77aI9ZGWpW8VYwYm8M4JQULWF4J+q8RtfWX7+qd:uIjfKI73H7VgJQUtuJE7+qd
Size: 4676
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC6BD.tmp.dmp
Category: dropped
Dump: WERC6BD.tmp.dmp.28.dr
ID: dr_33
Target ID: 28
Process: C:\Windows\SysWOW64\WerFault.exe
Type: Mini DuMP crash report, 15 streams, Fri Jul 12 07:47:56 2024, 0x1205a4 type
Entropy: 3.6169297347371314
Encrypted: false
Ssdeep: 6144:vvfjqy0rOwboYUN45yCTg50/yOfgKJtE+A:vgLcvClTa0/yOfJo+A
Size: 554922
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC8C2.tmp.WERInternalMetadata.xml
Category: dropped
Dump: WERC8C2.tmp.WERInternalMetadata.xml.28.dr
ID: dr_30
Target ID: 28
Process: C:\Windows\SysWOW64\WerFault.exe
Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy: 3.7197998077272865
Encrypted: false
Ssdeep: 192:R6l7wVeJvc6Q+YMDESWpDP89btP22sf9Pm:R6lXJU6jYMDEAt0f4
Size: 6352
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC8E2.tmp.xml
Category: dropped
Dump: WERC8E2.tmp.xml.28.dr
ID: dr_31
Target ID: 28
Process: C:\Windows\SysWOW64\WerFault.exe
Type: XML 1.0 document, ASCII text, with CRLF line terminators
Entropy: 4.4646403352143595
Encrypted: false
Ssdeep: 48:cvIwWl8zsMJg77aI9ZGWpW8VY9Ym8M4JQULIF8+q8RHfWX7+qd:uIjfKI73H7VpJQUZu/E7+qd
Size: 4676
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\json[1].json
Category: dropped
Dump: json[1].json.2.dr
ID: dr_17
Target ID: 2
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: JSON data
Entropy: 5.013130376969173
Encrypted: false
Ssdeep: 12:tklu+mnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qlu+KdVauKyGX85jvXhNlT3/7AcV9Wro
Size: 962
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Category: dropped
Dump: ModuleAnalysisCache.2.dr
ID: dr_16
Target ID: 2
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: data
Entropy: 4.840877972214509
Encrypted: false
Ssdeep: 192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
Size: 8003
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f2ol2ewj.pcu.psm1
Category: dropped
Dump: __PSScriptPolicyTest_f2ol2ewj.pcu.psm1.2.dr
ID: dr_13
Target ID: 2
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xy2loq3c.gjs.ps1
Category: dropped
Dump: __PSScriptPolicyTest_xy2loq3c.gjs.ps1.2.dr
ID: dr_12
Target ID: 2
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: ASCII text, with no line terminators
Entropy: 4.038920595031593
Encrypted: false
Ssdeep: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size: 60
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Local\Temp\bhv7B7B.tmp
Category: dropped
Dump: bhv7B7B.tmp.19.dr
ID: dr_23
Target ID: 19
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: Extensible storage engine DataBase, version 0x620, checksum 0xa18356d8, page size 32768, DirtyShutdown, Windows version 10.0
Entropy: 0.10097759912084507
Encrypted: false
Ssdeep: 1536:2SB2jpSB2jFSjlK/ww/ZweshzbOlqVqfesizb9zbVeszO/ZkDEes1:2a6amUueqmnNs6H
Size: 15728640
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Local\Temp\rykxqmaxigubnclruofffpmjcklsta
Category: dropped
Dump: rykxqmaxigubnclruofffpmjcklsta.19.dr
ID: dr_24
Target ID: 19
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type: Unicode text, UTF-16, little-endian text, with no line terminators
Entropy: 1.0
Encrypted: false
Ssdeep: 3:Qn:Qn
Size: 2
Whitelisted: true
Reputation: timeout

Signature Hits | Behavior Group | MITRE ATT&CK
Sigma detected: Suspicious Script Execution From Temp Folder | System Summary |
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Spawns processes | System Summary |

File: C:\Users\user\AppData\Local\kilns\Unobtainably\Iatrochemically\Farvebaandsomskifteren.txt
Category: dropped
Dump: Farvebaandsomskifteren.txt.0.dr
ID: dr_4
Target ID: 0
Process: C:\Users\user\Desktop\IT01879020517_uGIim_xml#U00b7pdf.exe
Type: ASCII text, with CRLF line terminators
Entropy: 4.2234890109691605
Encrypted: false
Ssdeep: 12:+0XckbaSba1rqKAQkLz9raK/+LcV/xhbJpyI0blO0AB:+0Xo1uKszdBr63O0AB
Size: 534
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Local\kilns\Unobtainably\Iatrochemically\Mrkblondt\Montanes176.opt
Category: dropped
Dump: Montanes176.opt.0.dr
ID: dr_5
Target ID: 0
Process: C:\Users\user\Desktop\IT01879020517_uGIim_xml#U00b7pdf.exe
Type: Matlab v4 mat-file (little endian) \303, text, rows 1202847744, columns 285212672
Entropy: 4.885233885830468
Encrypted: false
Ssdeep: 192:2HzQVSF2rlzQAi0yaxJOSKirtx9tAZxlfIipJBn8beyJ:azHINdida/OSKiTZKaeS
Size: 8301
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Local\kilns\Unobtainably\Iatrochemically\Mrkblondt\Wafery.unt
Category: dropped
Dump: Wafery.unt.0.dr
ID: dr_6
Target ID: 0
Process: C:\Users\user\Desktop\IT01879020517_uGIim_xml#U00b7pdf.exe
Type: data
Entropy: 4.932370870003018
Encrypted: false
Ssdeep: 192:rGdWIIKTANCxaHuSkkb4wvFtBNssUQkLF3U8yI:rG3T9xmuSfMMFtKLAI
Size: 8943
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Local\kilns\Unobtainably\Iatrochemically\Mrkblondt\barsel.pul
Category: dropped
Dump: barsel.pul.0.dr
ID: dr_7
Target ID: 0
Process: C:\Users\user\Desktop\IT01879020517_uGIim_xml#U00b7pdf.exe
Type: data
Entropy: 4.999390717068071
Encrypted: false
Ssdeep: 192:EnqPs0Cjvr66x+1NcgwOUa3QwKdzmchKyqL3Lgu97+Zi1:EUiv6O4Iza3QwKd1hKyNuZIg
Size: 8052
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Local\kilns\Unobtainably\Iatrochemically\Mrkblondt\migraines.sla
Category: dropped
Dump: migraines.sla.0.dr
ID: dr_8
Target ID: 0
Process: C:\Users\user\Desktop\IT01879020517_uGIim_xml#U00b7pdf.exe
Type: PGP symmetric key encrypted data - Plaintext or unencrypted data
Entropy: 4.845686717565914
Encrypted: false
Ssdeep: 48:bDDj3ynuK8QDfcfSyloplQAP17Jir69P6ZkxdD/Pzpul9Q:jDjK8QDin2pOAPheO6Zkx1/Pzpu4
Size: 1700
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Local\kilns\Unobtainably\Iatrochemically\Mrkblondt\tegnmssig.bra
Category: dropped
Dump: tegnmssig.bra.0.dr
ID: dr_9
Target ID: 0
Process: C:\Users\user\Desktop\IT01879020517_uGIim_xml#U00b7pdf.exe
Type: data
Entropy: 4.898830023764877
Encrypted: false
Ssdeep: 192:IMgd/BOjz7u6eAYyskhEBLZfKBdm9TdtrZi0sMv/UFvDFqsP32:I/d/BGu7sW1ZfKBdm9Tdp3v0/G
Size: 7701
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Local\kilns\Unobtainably\Iatrochemically\Mrkblondt\tradionsbevarende.unp
Category: dropped
Dump: tradionsbevarende.unp.0.dr
ID: dr_10
Target ID: 0
Process: C:\Users\user\Desktop\IT01879020517_uGIim_xml#U00b7pdf.exe
Type: data
Entropy: 4.945511037629728
Encrypted: false
Ssdeep: 96:ajWqqlfSwTfxv442jXEcdFEykwxlyjOQcw2:aqVlfSwjxt7cdSiexcp
Size: 4507
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Local\kilns\Unobtainably\Iatrochemically\Neuraxial.Aca
Category: dropped
Dump: Neuraxial.Aca.0.dr
ID: dr_2
Target ID: 0
Process: C:\Users\user\Desktop\IT01879020517_uGIim_xml#U00b7pdf.exe
Type: data
Entropy: 7.5893504937613026
Encrypted: false
Ssdeep: 6144:RwImD2UaFvK7VVf6s8B+/uKteWfzf6mr7nUHf9ZXnQ+3LPd1A:xY27Ts8bKtpfWmfU/3QUdi
Size: 353544
Whitelisted: false
Reputation: timeout

File: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Category: dropped
Dump: Download-1.tmp.16.dr
ID: dr_22
Target ID: 16
Process: C:\Windows\System32\svchost.exe
Type: JSON data
Entropy: 4.306461250274409
Encrypted: false
Ssdeep: 3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
Size: 55
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | MITRE ATT&CK
Creates files inside the system directory | System Summary |

File: C:\Windows\appcompat\Programs\Amcache.hve
Category: dropped
Dump: Amcache.hve.25.dr
ID: dr_29
Target ID: 25
Process: C:\Windows\SysWOW64\WerFault.exe
Type: MS Windows registry file, NT/2000 or above
Entropy: 4.298702219739341
Encrypted: false
Ssdeep: 6144:oECqOEmWfd+WQFpy/9026ZTyaRsCDusBqD5dooi8lFSD6VJSR1d:NCyL6seqD5SESWVAR7
Size: 1835008
Whitelisted: false
Reputation: timeout