31.0.0 Emerald
IR
363869
CloudBasic
14:26:26
05/03/2021
Mixed Items.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
017e52146c9131dbc9487d834cdfc247
6dff831a7fd2a42ec3abe4c1ba51f3a9c9c6a25b
26c230cde9fb7544f7e3762f1abac39f6c8f0d2db0689178b223e0e68d2a6a0a
Win32 Executable (generic) Net Framework (10011505/4) 49.98%
true
false
false
false
100
0
100
5
0
5
false
C:\ProgramData\Microsoft\Network\Downloader\edb.log
false
8FBEB3EE575D3BBA44369DDECCA49083
8091ECF8CBF1A04AAEE7BF5C231C7605D8F8DAC0
95D82888783EA084631ADCFBB236A44236D02A8088F04376AD017E9872EBC967
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
false
7369A0D21D0345333864DF57AC91E792
4735E40732F7147A9FC47F59338F29FD2812F0B3
217612B92D702BCF7D388AAAFE46F93481793216F8A9428A02CBDBE4540C4DC5
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
false
476D0CB871276EDB31AF5710A70C8768
EFD8C0036892FC78E9C9E6B2852CCE084C415544
56A70A0A16A503D1624A38ACF08AF8A7654E9999A3611A3173A48B61BD280324
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
false
61A03D15CF62612F50B74867090DBE79
15228F34067B4B107E917BEBAF17CC7C3C1280A8
F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
false
2355411028ACE02098EA05A848FF008B
2EDE017C6C12FD81FFFF0D987603C38FF0BF634D
E16245600378AE119A841A1136ECBE5ECD6E5960AA1D9322DEAD68CD7EE199D4
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Mixed Items.exe.log
true
4DC448082AFF363E7DB48FE0F4564674
BA956788D8EABC88D02119AC4B36EB16D26A2CA5
0B882DACEECB3378A361B929BFF23F06DDAF5BEEF047B4BA87E8494C86899870
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
false
B0CEEA53B3467F59FD8E87F80213BDE9
D9E6D1CBB480E7248658DF935648DFA733745602
D9C93CB64E6F1F5BDC94581CEEA99F759EE1E35716EAF623C61962EA0152F9DD
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl
false
08E0E756C0E25CF2F85281AF60D4D8D6
D6F1BB1FF8A041151322580BA5D2A4ACE28C9A1F
767B4A3EF2DE563C663F2A0ACBA6F3D25070D9FC2CE9D8415261A523B5CFC77B
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl
false
607110AB5B12714EDF520B297790FF69
1697CF656BF8DC0F7E6EFAC73306943C97FA289E
4E1270D6142DCCD70ADBAA4C7D09367BE485011F43CC93F8CDB6B78A42093660
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
false
7FF245D22E936F26367E04D77759AB57
3044D4690AF81CC82163B6D3404E170333909B07
38292B59D919010242643EC6C778F7AC1D78C8265F4FE9056F5C45F2A43A9D2E
C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\AdvancedRun.exe
false
17FC12902F4769AF3A9271EB4E2DACCE
9A4A1581CC3971579574F837E110F3BD6D529DAB
29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
C:\Users\user\AppData\Local\Temp\98ad118e-d099-425a-b583-efbd423fa467\test.bat
false
B2A5EF7D334BDF866113C6F4F9036AAE
F9027F2827B35840487EFD04E818121B5A8541E0
27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
C:\Users\user\AppData\Local\Temp\Matiexgoods.exe
true
80C61B903400B534858D047DD0919F0E
D0AB5400B74392308140642C75F0897E16A88D60
25ADE9899C000A27570B527CFFC938EC9626978219EC8A086082B113CBE4F492
C:\Users\user\AppData\Local\Temp\Purchase Order.exe
true
4983412EC34657BAB4A9BD56617B9960
2A5F9B3FA44597CF439B10B6337A4D1D98197A71
76C2025CB8251393360BAAC07498C75BAB91A4DB229667F3E6ED2EC89CBEA6D6
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2jnw4mcb.ygh.psm1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4s1cg2kf.1xe.ps1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4zux455h.wha.ps1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f3qm3trx.u2l.psm1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mh5wpd4r.xxq.ps1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zyhy1zxg.gf4.psm1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\hawkgoods.exe
true
FFDB58533D5D1362E896E96FB6F02A95
D6E4A3CA253BFC372A9A3180B5887C716ED285C6
B3D02FD5C69293DB419AC03CDF6396BD5E7765682FB3B2390454D9A52BA2CA88
C:\Users\user\AppData\Local\Temp\origigoods20.exe
true
61DC57C6575E1F3F2AE14C1B332AD2FB
F52F34623048E5FD720E97A72EEDFD32358CD3A9
1C7757EE223F2480FBC478AE2ECAF82E1D3C17F2E4D47581D3972416166C54AB
C:\Users\user\AppData\Local\Temp\origigoods40.exe
true
AE36F0D16230B9F41FFECBD3C5B1D660
88AFC2923D1EEFB70BAD3C0CD9304949954377EF
CFAD1E486666FF3FB042BA0E9967634DE1065F1BBD505C61B3295E55705A2A50
C:\Users\user\AppData\Local\WindowsAPI\Mixed_Items.exe_Url_4vyxcvojequ3efv0ai33sezp4mazprqx\4.152.723.137\yowqlu0x.newcfg
false
C4193405C45F878C5E02FA4B263142B8
AA5E3BD8F59352C154860A9B79C3FD11FB01D10B
281FB62B35A26DB9FF27EF2E651B4E854529EAD0B5853701F96C031AFE69E290
C:\Users\user\AppData\Roaming\pid.txt
false
C0826819636026DD1F3674774F06C51D
1E768A21723E530122240FA219BFF8C3365F40B2
01B23136EA7F9F8B9E72C9E125FD710301BAEC28662B0DE2168967838C79E81A
C:\Users\user\AppData\Roaming\pidloc.txt
false
EE8C153C2C2A0850DEE1BE69D03BB011
2F2FBC7ABB2EEE1DF6198FF180860516D983905A
15B7AAE18CB550E8A7B4210496289D53D84CF86ECDC4C175BBFEB789B08FC488
C:\Users\user\Documents\20210305\PowerShell_transcript.506013.0nP0+V72.20210305142754.txt
false
F69879D2324FA8DDEF956B398557F5E4
CF90260BB7E81F4B58E1EB0CDF7E4F7F2B315668
7C8D023C9F24F0AE23102B889B376FE9EE573A51E35EDE3592D61D0A32801C96
C:\Users\user\Documents\20210305\PowerShell_transcript.506013.RPfp4n8i.20210305142756.txt
false
55B592D61FB7A30573C912A818C91951
9E62843D1F6A90DD6C9D5B7156F2E236AA6FC832
2ADC8A9B9CCF3E327E228C7C2105F44FA93C0C25122BCCA07B26DE634E53DC1C
C:\Users\user\Documents\20210305\PowerShell_transcript.506013.YRcDMrIT.20210305142756.txt
false
BD2110BFCB03716BF8B4DD1A9B4FA1EC
C8752AAC9BE7358714B07FAE68972054E6B0C9C4
714D9629E7B36AA452AE2B4DB202431320629E0BB1702116DB739D219BA91155
C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe
true
017E52146C9131DBC9487D834CDFC247
6DFF831A7FD2A42EC3ABE4C1BA51F3A9C9C6A25B
26C230CDE9FB7544F7E3762F1ABAC39F6C8F0D2DB0689178B223E0E68D2A6A0A
C:\Windows\Microsoft.NET\Framework\jZCvibqWhOYmSqmemHIRbwmqVF\svchost.exe:Zone.Identifier
true
187F488E27DB4AF347237FE461A079AD
6693BA299EC1881249D59262276A0D2CB21F8E64
255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
false
DCA83F08D448911A14C22EBCACC5AD57
91270525521B7FE0D986DB19747F47D34B6318AD
2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
104.16.155.36
192.168.2.1
216.146.43.70
185.157.161.113
104.21.31.39
127.0.0.1
172.67.188.154
whatismyipaddress.com
false
104.16.155.36
feromo.duckdns.org
true
185.157.161.113
freegeoip.app
false
172.67.188.154
liverpoolofcfanclub.com
true
104.21.31.39
checkip.dyndns.com
false
216.146.43.70
checkip.dyndns.org
true
unknown
157.184.7.0.in-addr.arpa
true
unknown
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Changes security center settings (notifications, updates, antivirus, firewall)
Changes the view of files in windows explorer (hidden files and folders)
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Installs a global keyboard hook
Machine Learning detection for dropped file
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Yara detected Beds Obfuscator
Yara detected WebBrowserPassView password recovery tool
Antivirus detection for dropped file
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AgentTesla
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected Matiex Keylogger
Yara detected Remcos RAT