IOCReport


Files

File Path | Type | Category | Malicious
345678.vbs | ASCII text, with very long lines, with CRLF line terminators | initial sample | malicious
C:\Users\user\AppData\Local\Temp\fum.cpp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious
C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | dropped | malicious
C:\Users\user\AppData\Local\Temp\wyozc5bn\wyozc5bn.0.cs | UTF-8 Unicode (with BOM) text | dropped | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | data | dropped | clean
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | data | dropped | clean
C:\Users\user\AppData\Local\Temp\RES36.tmp | data | dropped | clean
C:\Users\user\AppData\Local\Temp\RESCC9.tmp | data | dropped | clean
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2nmonbo0.fmq.ps1 | very short file (no magic) | dropped | clean
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_erjsbakl.1hx.psm1 | very short file (no magic) | dropped | clean
C:\Users\user\AppData\Local\Temp\adobe.url | MS Windows 95 Internet shortcut text (URL=<https://adobe.com/>), ASCII text, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Local\Temp\uitt4j30\CSC1FA535E1192D4199A0DB18CBAD2D0A9.TMP | MSVC .res | dropped | clean
C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.0.cs | UTF-8 Unicode (with BOM) text | dropped | clean
C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | clean
C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.out | ASCII text, with CRLF, CR line terminators | modified | clean
C:\Users\user\AppData\Local\Temp\wyozc5bn\CSC8A734EFC87854564869CBAF05337FE1.TMP | MSVC .res | dropped | clean
C:\Users\user\AppData\Local\Temp\wyozc5bn\wyozc5bn.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | dropped | clean
C:\Users\user\AppData\Local\Temp\wyozc5bn\wyozc5bn.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | clean
C:\Users\user\AppData\Local\Temp\wyozc5bn\wyozc5bn.out | ASCII text, with CRLF, CR line terminators | modified | clean
C:\Users\user\Documents\20210910\PowerShell_transcript.932923.ZOkCXrTg.20210910095711.txt | UTF-8 Unicode (with BOM) text, with CRLF line terminators | dropped | clean

Processes

Path | Cmdline | Malicious
C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\345678.vbs' | malicious
C:\Windows\System32\rundll32.exe | rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer | malicious
C:\Windows\SysWOW64\rundll32.exe | rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer | malicious
C:\Windows\System32\mshta.exe | 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Rm6e='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Rm6e).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>' | malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) | malicious
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.cmdline' | malicious
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wyozc5bn\wyozc5bn.cmdline' | malicious
C:\Windows\explorer.exe | C:\Windows\Explorer.EXE | malicious
C:\Windows\System32\control.exe | C:\Windows\system32\control.exe -h | malicious
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | malicious
C:\Windows\System32\rundll32.exe | 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h | malicious
C:\Windows\System32\cmd.exe | cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\76A9.bi1' | malicious
C:\Windows\System32\nslookup.exe | nslookup myip.opendns.com resolver1.opendns.com | malicious
C:\Windows\System32\wbem\WmiPrvSE.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | clean
C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding | clean
C:\Windows\System32\wbem\WmiPrvSE.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | clean
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES36.tmp' 'c:\Users\user\AppData\Local\Temp\uitt4j30\CSC1FA535E1192D4199A0DB18CBAD2D0A9.TMP' | clean
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCC9.tmp' 'c:\Users\user\AppData\Local\Temp\wyozc5bn\CSC8A734EFC87854564869CBAF05337FE1.TMP' | clean
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean

URLs

Name | IP | Malicious
http://atl.bigbigpoppa.com/ip_2B0cVuBTOjpbo/BZT_2FEcZD79y2H/f3wS9_2BbAkX3nftyB/uQG5JIxM3/hkTHWn_2F_2BpOIsZCFn/4kLDBNiVWLvnXfwIKVW/_2B0IsHxbOfD1ufcXkPjJo/EpDoUxcMaWCn1/8Cn5O7LC/eCiAOLLPPUL3E_2BUmdr0wu/7S9z8dGBsB/5jo94woog9YMCzFYk/vxvIpoLH3pVt/RLdRfO7DC2t/yTMvjyOY5hDeBN/auRC60Y4xtz4V1KDXQP2K/Ose2dfWgeEs0tX4x/hD9nLBJRnyryDU3/xZZDK1S2EJHUeFDAor/G09c8MwYv/_2Fz2PGThD9ITT_2BYVA/tVMCZqyJgK7/e | 185.251.90.253 | malicious
http://atl.bigbigpoppa.com/KT4MMOqgwbMDk0_2FZz0/hIq6vsma9IDMR0TWVEk/R8VcPjBU_2FKifNFKEzy11/KwQmwxa6P | unknown | malicious
http://atl.bigbigpoppa.com/t | unknown | malicious
http://atl.bigbigpoppa.com/KT4MMOqgwbMDk0_2FZz0/hIq6vsma9IDMR0TWVEk/R8VcPjBU_2FKifNFKEzy11/KwQmwxa6PANLq/HMQB1nMh/Dw7iIk4wPDbFz5MpJKzoM6O/xJlNu7xTm_/2BJVkAx380cQPl1qK/3MJgDX4sXjAo/UjQmGmv6_2B/EYaPNSI604XL9z/GGit9THH2wZWixIY_2BGE/_2Ftywp1kQkPvPY6/vEmMzODz0Ya_2Fy/CBZtOZch7qD9e_2FA3/3G0B8QjO4/zLpP4zwh3X5MwZp6F5E2/r2m_2Fmc2A2sWLpGKPD/1LL4BJlsYqHKw2i3OPm1CI/3lMhUc9ldfLAb/BfOzMYbz/ndeDEqMw | 185.251.90.253 | malicious