IOCReport


Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| start[2021.09.09_15-26].vbs | ASCII text, with very long lines, with CRLF line terminators | initial sample | malicious |
| C:\Users\user\AppData\Local\Temp\fum.cpp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\adobe.url | MS Windows 95 Internet shortcut text (URL=<https://adobe.com/>), ASCII text, with CRLF line terminators | dropped | clean |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\start[2021.09.09_15-26].vbs' | malicious |
| C:\Windows\System32\rundll32.exe | rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer | malicious |
| C:\Windows\SysWOW64\rundll32.exe | rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer | malicious |
| C:\Windows\System32\wbem\WmiPrvSE.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | clean |
| C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding | clean |

URLs

| Name | IP | Malicious |
|---|---|---|
| http://atl.bigbigpoppa.com/ | unknown | malicious |
| http://pop.urlovedstuff.com/FYLjL0FWG/A8A_2FylIs_2BN6G7XZV/uXdtwH9ZjhHPJVfO4Ke/_2B2DA3Bxr3hT97jg6X5cf/HmT9c0wd9uTFE/mjIXEmZg/7w1x_2BJ7UrOUMBuwkzmQs_/2B_2B90mhB/GdhMF2xI5ZZQZOsRZ/w8ERaF_2FKjr/oJe_2BmPqxj/UioALST3UPW_2B/x25T0SA4ncGBrSmoWvhyD/GJA93v_2Bs5_2FOu/bRGYPwsER1HateV/PYXudbMJvsQ83oCtuH/3_2FsJC5W/WltZ3WhV77sZrxWGfR6s/bNzIeDiXMV8LnHFQlB1/BK37js8oH2L1YJRuiB3U5s/fOdLI1WLm_2Bt/WCukq3AFEXzr/kh2 | 185.251.90.253 | malicious |
| http://atl.bigbigpoppa.com/R4Q64ljn5F0AeB0LyB/NuqzcVKz_/2FKpDeUm0fBCI1AQABSO/SrwJzbiGX2y5piswKvk/JCT | unknown | malicious |
| http://pop.bigbigpoppa.com/ | unknown | malicious |
| http://pop.urlovedstuff.com/FYLjL0FWG/A8A_2FylIs_2BN6G7XZV/uXdtwH9ZjhHPJVfO4Ke/_2B2DA3Bxr3hT97jg6X5c | unknown | malicious |
| http://atl.bigbigpoppa.com/0su8VV6_2B3_2B/puf6UG3h9deC_2Ft6TxKM/_2FYbenbgPpDMagU/M3qvcdiaQn_2FfY/O5d | unknown | malicious |

Domains

| Name | IP | Malicious |
|---|---|---|
| pop.urlovedstuff.com | 185.251.90.253 | malicious |
| atl.bigbigpoppa.com | 185.251.90.253 | malicious |

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 185.251.90.253 | pop.urlovedstuff.com | Russian Federation | malicious |

Registry

| Path | Value | Malicious |
|---|---|---|
| C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | IE10RunOnceLastShown | clean |
| C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | IE10RunOnceLastShown_TIMESTAMP | clean |
| C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Check_Associations | clean |

Memdumps

| Base Address | Region type | Protect | Malicious |
|---|---|---|---|
| 50C8000 | heap private | page read and write | malicious |
| 50C8000 | heap private | page read and write | malicious |
| B30000 | unknown | page execute and read and write | malicious |
| 50C8000 | heap private | page read and write | malicious |
| 50C8000 | heap private | page read and write | malicious |
| 50C8000 | heap private | page read and write | malicious |
| 50C8000 | heap private | page read and write | malicious |
| 50C8000 | heap private | page read and write | malicious |
| 50C8000 | heap private | page read and write | malicious |
| 50C8000 | heap private | page read and write | malicious |
| 262C1C14000 | unknown | page read and write | clean |
| 262C27BC000 | unknown | page read and write | clean |
| 262C5114000 | unknown | page read and write | clean |
| 262C1BF8000 | unknown | page read and write | clean |
| 7FF5ACE0C000 | unknown image | page readonly | clean |
| 262C5454000 | unknown | page read and write | clean |
| 7DF5E5C80000 | unknown image | page readonly | clean |
| 233D0394000 | unknown | page read and write | clean |
| 7244A7E000 | unknown | page read and write | clean |
| 1D106300000 | unknown | page read and write | clean |
| 1BCF6A20000 | unknown | page read and write | clean |
| 7DF52AE20000 | unknown image | page readonly | clean |
| 7DF4BF0A0000 | unknown image | page readonly | clean |
| 7FF50AA37000 | unknown image | page readonly | clean |
| 1FF15C02000 | unknown | page read and write | clean |
| 7FF528352000 | unknown image | page readonly | clean |
| 7FF53DB39000 | unknown image | page readonly | clean |
| 7FF5AEDE6000 | unknown image | page readonly | clean |
| 262C1BF2000 | unknown | page read and write | clean |
| 7FF5D3898000 | unknown image | page readonly | clean |
| 233D0392000 | unknown | page read and write | clean |
| 7FF56FCDC000 | unknown image | page readonly | clean |
| 7DF44E520000 | unknown image | page readonly | clean |
| 7FF517EF9000 | unknown image | page readonly | clean |
| 262C519D000 | unknown | page read and write | clean |
| 7FF528210000 | unknown image | page readonly | clean |
| 262C4001000 | unknown | page read and write | clean |
| 7FF52CD61000 | unknown image | page readonly | clean |
| 233D0386000 | unknown | page read and write | clean |
| 1A165A76000 | unknown | page read and write | clean |
| BD0000 | unknown | page read and write | clean |
| 233D0802000 | unknown | page read and write | clean |
| 1BCF1400000 | unknown | page read and write | clean |
| 1BCF6908000 | unknown | page read and write | clean |
| 233D03D5000 | unknown | page read and write | clean |
| 1BCF2760000 | unknown | page read and write | clean |
| 233D034A000 | unknown | page read and write | clean |
| 7FF50A9E9000 | unknown image | page readonly | clean |