IOCReport

Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| start[526268].vbs | ASCII text, with very long lines, with CRLF line terminators | initial sample | malicious |
| C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\fum.cpp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\hvjfk3yo\hvjfk3yo.0.cs | UTF-8 Unicode (with BOM) text | dropped | malicious |
| C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | data | dropped | clean |
| C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.0.cs | UTF-8 Unicode (with BOM) text | dropped | clean |
| C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | clean |
| C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.out | ASCII text, with CRLF, CR line terminators | modified | clean |
| C:\Users\user\AppData\Local\Temp\1cv1ijms\CSC65E6130637C74F63B377719165F577CE.TMP | MSVC .res | dropped | clean |
| C:\Users\user\AppData\Local\Temp\RESFECC.tmp | data | dropped | clean |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b51iw0xu.4zo.ps1 | very short file (no magic) | dropped | clean |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_upl555bt.hac.psm1 | very short file (no magic) | dropped | clean |
| C:\Users\user\AppData\Local\Temp\adobe.url | MS Windows 95 Internet shortcut text (URL=<https://adobe.com/>), ASCII text, with CRLF line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Temp\hvjfk3yo\hvjfk3yo.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Temp\hvjfk3yo\hvjfk3yo.out | UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators | dropped | clean |
| C:\Users\user\Documents\20210910\PowerShell_transcript.767668.YlCTH0VE.20210910070227.txt | UTF-8 Unicode (with BOM) text, with CRLF line terminators | dropped | clean |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\start[526268].vbs' | malicious |
| C:\Windows\System32\rundll32.exe | rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer | malicious |
| C:\Windows\SysWOW64\rundll32.exe | rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer | malicious |
| C:\Windows\System32\mshta.exe | 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>F67r='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F67r).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>' | malicious |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) | malicious |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.cmdline' | malicious |
| C:\Windows\System32\wbem\WmiPrvSE.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | clean |
| C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding | clean |
| C:\Windows\System32\wbem\WmiPrvSE.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | clean |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESFECC.tmp' 'c:\Users\user\AppData\Local\Temp\1cv1ijms\CSC65E6130637C74F63B377719165F577CE.TMP' | clean |

URLs

| Name | IP | Malicious |
|---|---|---|
| http://art.microsoftsofymicrosoftsoft.at/fpsVrgA85_2/BZUV9Iws3c_2Fj/GkkWmnklFKPgFBQ8hMP6W/ISGgirn8yOZisrZs/5_2BH8scRlnvRek/EGKptIwp8lSo93GFx6/ymWkd9jdg/4KpkPYuuZAAAek8BuLEK/tznSDyfWtC0KjQGP2d_/2BrsiHfOmQlV7YgPTes0MP/b6lv_2B55mg9j/CZcF_2Fn/c7jP_2BxBvmhfldW4gAwZkY/uow0BznEMg/Wu3a_2FnHyKBj_2BJ/8ZnXzqvUM8Ze/cMFtkguu1z4/ENTz8901wZ21V2/97iMfuV3Gozq6_2FCxmu3/2vuyb0vOGb_2B1J_/2BS8kN2df/902r | 185.251.90.253 | malicious |
| http://atl.bigbigpoppa.com/NhQOwDmOWNWhoZkCuvIJYT/yyrgcNktQOio5/MAWNnOPh/YOpi6p7HZNMrM8dfCZNfhKR/6onGC0_2Fj/Z9tF912mepKiyl36W/W4huWMRggYfW/XcsWaKpGEUD/RLGSHFoZE1byyc/rlBcayy_2BaEyDegqhXic/uK_2B61p_2BSvpFm/KyqmkPSMKG7KXQh/rKyHlYF1pKbQ_2FrYs/GJ_2FCBgc/9AGhinNAfGtoNp19N2M0/VRQmCiVDj4baSUAqCoz/3V8nTzokn2tRxlMEPZAuLu/2tgH0PvXzWJgh/YQdIJgxg/bNHS_2BzqfAV52iuY_2FTg4/1Z1d8SkfRiehoMkV7n/yUZu | 185.251.90.253 | malicious |
| http://nuget.org/NuGet.exe | unknown | clean |
| http://pesterbdd.com/images/Pester.png | unknown | clean |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | unknown | clean |
| http://www.apache.org/licenses/LICENSE-2.0.html | unknown | clean |
| https://github.com/Pester/Pester | unknown | clean |
| https://contoso.com/ | unknown | clean |
| https://nuget.org/nuget.exe | unknown | clean |
| https://contoso.com/License | unknown | clean |
| https://contoso.com/Icon | unknown | clean |

Domains

| Name | IP | Malicious |
|---|---|---|
| art.microsoftsofymicrosoftsoft.at | 185.251.90.253 | malicious |
| atl.bigbigpoppa.com | 185.251.90.253 | malicious |
| resolver1.opendns.com | 208.67.222.222 | clean |

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 185.251.90.253 | art.microsoftsofymicrosoftsoft.at | Russian Federation | malicious |

Registry

| Path | Value | Malicious |
|---|---|---|
| C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | IE10RunOnceLastShown | clean |
| C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | IE10RunOnceLastShown_TIMESTAMP | clean |
| C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Check_Associations | clean |
| C:\Windows\System32\wbem\WmiPrvSE.exe | UtilDate | clean |
| C:\Windows\System32\wbem\WmiPrvSE.exe | TextPicture | clean |
| C:\Windows\System32\wbem\WmiPrvSE.exe | UtilTool | clean |
| C:\Windows\System32\wbem\WmiPrvSE.exe | DeviceFile | clean |
| C:\Windows\System32\wbem\WmiPrvSE.exe | SettingsDocument | clean |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | clean |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ContactControl | clean |

Memdumps

| Base Address | Regiontype | Protect | Malicious |
|---|---|---|---|
| 5768000 | heap private | page read and write | malicious |
| 56E9000 | heap private | page read and write | malicious |
5768000