Sample File:
MD5 hash: 39669b01da7e6072c925892520188713
SHA1 hash: e3cf806edca0e8ab8cbc55f4cb5b7a47520a284c
SHA256 hash: eb54f4c20a3c751c77aa152fc22d39c3069b7231bd687a85e231cdb2222df753
SSDEEP hash: 49152:nWMaXXHd/CWKvtHMLCj3llgUmWEAHtkzCk75:/aH969FH0g7gUmrz
Filename(s): bild.exe
Filetype: Windows Exe (x86-64)
Mutex IOCs: - None -
Registry Key IOCs:
Domain IOCs: - None -
IP IOCs: - None -
URL IOCs: - None -
File IOCs:
Filenames: