Engine | Download Report | Detection | Info |
---|---|---|---|
| | malicious | |
| | malicious | Score: 80. System: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
| | malicious | Score: 100. System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01. Run Condition: Potential for more IOCs and behavior |
IP | Country | Detection |
---|---|---|
78.141.194.181 | France | |
45.67.229.125 | Moldova Republic of | |
216.239.32.21 | United States | |
Name | IP | Detection |
---|---|---|
ifconfig.me | 216.239.32.21 | |
Name | Detection |
---|---|
http://78.141.194.181/s34987435987.txt | |
http://45.67.229.125/c7mnnlrmfut6g1erfewlxlxniyo.php | |
http://78.141.194.181/d569872345345.txt | |
https://nuget.org/nuget.exe | |
https://github.com/Pester/Pester | |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | |
http://78.141.194.181/s34987435987.txt7C: | |
http://78.141.194.181/d569872345345.txt$$ | |
http://78.141.194.181/d5698723 | |
http://78.141.194.181/s34987435987.txtx | |
http://ifconfig.me// | |
https://contoso.com/Icon | |
http://78.141.194.181/s34987435987.txt757AE1B | |
https://contoso.com/License | |
http://78.141.194.181/ | |
https://contoso.com/ | |
http://78.141.194.181:80/s34987435987.txt | |
http://www.apache.org/licenses/LICENSE-2.0.html | |
http://pesterbdd.com/images/Pester.png | |
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | |
http://nuget.org/NuGet.exe | |
Name | File Type | Hashes | Detection |
---|---|---|---|
C:\Users\user\Desktop\COVID-19.tmp | ASCII text, with CRLF line terminators | # | |
C:\Users\user\Desktop\COVID-19.ps1 | Little-endian UTF-16 Unicode text, with CR, LF line terminators | # | |
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat | ASCII text, with CRLF line terminators | # | |
C:\Windows\Temp\__PSScriptPolicyTest_ydow2vrz.d3l.psm1 | very short file (no magic) | # | |
C:\Windows\Temp\__PSScriptPolicyTest_jtn2f3ar.yfz.ps1 | very short file (no magic) | # | |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | data | # | |
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\BIT36CF.tmp | ASCII text | # | |
C:\Windows\SysWOW64\20210120\PowerShell_transcript.648351.s_LwcT35.20210120103152.txt | UTF-8 Unicode (with BOM) text, with CRLF line terminators | # | |
C:\Users\user\Documents\20210120\PowerShell_transcript.648351.wAzWoynL.20210120103050.txt | UTF-8 Unicode (with BOM) text, with CRLF line terminators | # | |
C:\Users\user\Documents\20210120\PowerShell_transcript.648351.BCz0DRM3.20210120103110.txt | UTF-8 Unicode (with BOM) text, with CRLF line terminators | # | |
C:\Users\user\Desktop\~$VID-19.doc | data | # | |
C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC | Little-endian UTF-16 Unicode text, with CR line terminators | # | |
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | data | # | |
C:\ProgramData\Microsoft\Network\Downloader\edb.log | data | # | |
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\COVID-19.LNK | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 06:35:50 2020, mtime=Wed Jan 20 08:30:44 2021, atime=Wed Jan 20 08:30:41 2021, length=411136, window=hide | # | |
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pjrgunro.pw2.ps1 | very short file (no magic) | # | |
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mmgpy3a4.cbw.ps1 | very short file (no magic) | # | |
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fhkzhmez.maj.psm1 | very short file (no magic) | # | |
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2b2zdnjw.tgz.psm1 | very short file (no magic) | # | |
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd | data | # | |
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | data | # | |
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | data | # | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\d569872345345[1].txt | ASCII text | # | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{DB96EF63-FF50-4F07-B9F6-FD0B9439C462}.tmp | data | # | |
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm | data | # | |
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | Extensible storage engine DataBase, version 0x620, checksum 0x0a413005, page size 16384, DirtyShutdown, Windows version 10.0 | # | |
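Triage helper for the URL and file tables above. This is an added example written for this page, not part of the sandbox report or its tooling. It reduces the 21 raw URL strings, several of which are memory-carved and carry junk suffixes (`.txt7C:`, `.txt$$`, `.txtx`, `.txt757AE1B`) or an explicit default port, to their canonical IOCs, and it labels each written file by the Windows component that writes it. The allow-list of boilerplate hosts (NuGet, Pester, contoso.com, XML schema URIs) is the editor's assumption that those strings come from PowerShell, its module manifests and the NuGet package provider rather than from the sample; `__PSScriptPolicyTest_*` files are PowerShell's own AppLocker/WDAC self-test, the `PowerShell_transcript.*` files mean transcription was on in the sandbox, and `qmgr.db`/`edb.log`/`BIT*.tmp` are BITS queue and download artifacts. Labels such as `network-ioc` and `truncated` are names chosen here.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed inline from the URL table of this report.
REPORT_URLS = [
    "http://78.141.194.181/s34987435987.txt",
    "http://45.67.229.125/c7mnnlrmfut6g1erfewlxlxniyo.php",
    "http://78.141.194.181/d569872345345.txt",
    "https://nuget.org/nuget.exe",
    "https://github.com/Pester/Pester",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "http://78.141.194.181/s34987435987.txt7C:",
    "http://78.141.194.181/d569872345345.txt$$",
    "http://78.141.194.181/d5698723",
    "http://78.141.194.181/s34987435987.txtx",
    "http://ifconfig.me//",
    "https://contoso.com/Icon",
    "http://78.141.194.181/s34987435987.txt757AE1B",
    "https://contoso.com/License",
    "http://78.141.194.181/",
    "https://contoso.com/",
    "http://78.141.194.181:80/s34987435987.txt",
    "http://www.apache.org/licenses/LICENSE-2.0.html",
    "http://pesterbdd.com/images/Pester.png",
    "http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.",
    "http://nuget.org/NuGet.exe",
]

# Assumption (editor's allow-list): these hosts come from strings baked into
# PowerShell, the Pester module manifest and the NuGet provider, not the sample.
BOILERPLATE_HOSTS = {"nuget.org", "github.com", "schemas.xmlsoap.org",
                     "contoso.com", "www.apache.org", "pesterbdd.com"}
RECON_HOSTS = {"ifconfig.me"}  # external-IP lookup: worth noting, not C2
DEFAULT_PORT = {"http": 80, "https": 443}
# A carved string often runs on into the next allocation: cut after the extension.
JUNK_AFTER_EXT = re.compile(r"(\.(?:txt|php|exe|dll|ps1|zip|png|html))[^/]*$", re.I)


def canonical_url(raw: str) -> str:
    """Normalise one carved URL: trailing '.', explicit default port,
    doubled slashes and junk glued onto the file extension."""
    u = urlsplit(raw.strip().rstrip("."))
    host = u.hostname or ""
    if u.port and u.port != DEFAULT_PORT.get(u.scheme):
        host = f"{host}:{u.port}"
    path = re.sub(r"/{2,}", "/", u.path) or "/"
    path = JUNK_AFTER_EXT.sub(r"\1", path)
    return urlunsplit((u.scheme.lower(), host, path, "", ""))


def triage_urls(urls) -> dict:
    """Map each canonical URL to a label. A URL that is a strict prefix of
    another on the same host, cut inside a path segment, is a carving
    truncation rather than a separate IOC."""
    canon = sorted({canonical_url(u) for u in urls})
    labels = {}
    for c in canon:
        host = urlsplit(c).hostname
        cut_short = not c.endswith("/") and any(
            o != c and o.startswith(c) and o[len(c)] != "/" for o in canon)
        if cut_short:
            labels[c] = "truncated"
        elif host in BOILERPLATE_HOSTS:
            labels[c] = "boilerplate"
        elif host in RECON_HOSTS:
            labels[c] = "recon"
        else:
            labels[c] = "network-ioc"
    return labels


def classify_artifact(path: str) -> str:
    """Label a written file by the Windows component that produces it, so the
    analyst does not chase PowerShell's own housekeeping as dropped files."""
    name = path.rsplit("\\", 1)[-1]
    low = path.lower()
    if name.startswith("__PSScriptPolicyTest_"):
        return "powershell-policy-probe"   # PowerShell's AppLocker/WDAC self-test
    if name.startswith("PowerShell_transcript."):
        return "powershell-transcript"     # transcription was on: read these first
    if name in ("ModuleAnalysisCache", "StartupProfileData-NonInteractive"):
        return "powershell-cache"
    if "\\network\\downloader\\" in low or re.fullmatch(r"bit[0-9a-f]{4}\.tmp", name, re.I):
        return "bits-transfer"             # BITS queue DB or in-flight BITS download
    if "\\inetcache\\ie\\" in low:
        return "wininet-cache"             # fetched through WinINet/urlmon
    if name.startswith(("~$", "~WRS")) or name.endswith((".LNK", ".DIC", ".exd")) or name == "index.dat":
        return "office-housekeeping"
    return "dropped-or-other"              # the real payload lands here


if __name__ == "__main__":
    for url, label in triage_urls(REPORT_URLS).items():
        print(f"{label:14} {url}")
    for p in (r"C:\Users\user\Desktop\COVID-19.ps1",
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\BIT36CF.tmp",
              r"C:\Windows\Temp\__PSScriptPolicyTest_ydow2vrz.d3l.psm1"):
        print(f"{classify_artifact(p):22} {p}")
```

Run as-is, the 21 raw URLs collapse to 16 canonical ones, of which four on 78.141.194.181 and 45.67.229.125 are the actual network IOCs, one is a truncated prefix of another, one is the ifconfig.me check-in and the rest are boilerplate. The two Desktop files (`COVID-19.tmp`, `COVID-19.ps1`) are the only entries that fall through to `dropped-or-other`, which is where the dropped stage to pull for analysis sits.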