IOCReport


Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| presentation[2021.09.09_15-26].vbs | ASCII text, with very long lines, with CRLF line terminators | initial sample | malicious |
| C:\Users\user\AppData\Local\Temp\fum.cpp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.0.cs | UTF-8 Unicode (with BOM) text | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | dropped | malicious |
| C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | data | modified | clean |
| C:\Users\user\AppData\Local\Temp\RESDDD0.tmp | data | dropped | clean |
| C:\Users\user\AppData\Local\Temp\RESEAC0.tmp | data | dropped | clean |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lbwk5wqt.vfi.psm1 | very short file (no magic) | dropped | clean |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rkeod5lv.u3f.ps1 | very short file (no magic) | dropped | clean |
| C:\Users\user\AppData\Local\Temp\adobe.url | MS Windows 95 Internet shortcut text (URL=<https://adobe.com/>), ASCII text, with CRLF line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Temp\qlsida3o\CSCC809748AA5EB4643A41D26B71B98A016.TMP | MSVC .res | dropped | clean |
| C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | clean |
| C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.out | ASCII text, with CRLF, CR line terminators | modified | clean |
| C:\Users\user\AppData\Local\Temp\tjafqng0\CSC6B09D7CB2D7045B59F7434F2A8CE445.TMP | MSVC .res | dropped | clean |
| C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.0.cs | UTF-8 Unicode (with BOM) text | dropped | clean |
| C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | clean |
| C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.out | ASCII text, with CRLF, CR line terminators | modified | clean |
| C:\Users\user\Documents\20210913\PowerShell_transcript.936905.2Hrty1Wv.20210913110432.txt | UTF-8 Unicode (with BOM) text, with CRLF line terminators | dropped | clean |

(9 further files are not shown in this extract.)

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\presentation[2021.09.09_15-26].vbs' | malicious |
| C:\Windows\System32\rundll32.exe | rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer | malicious |
| C:\Windows\SysWOW64\rundll32.exe | rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer | malicious |
| C:\Windows\System32\mshta.exe | 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Wfdc='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Wfdc).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>' | malicious |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) | malicious |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.cmdline' | malicious |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.cmdline' | malicious |
| C:\Windows\explorer.exe | C:\Windows\Explorer.EXE | malicious |
| C:\Windows\System32\control.exe | C:\Windows\system32\control.exe -h | malicious |
| C:\Windows\System32\wbem\WmiPrvSE.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | clean |
| C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding | clean |
| C:\Windows\System32\wbem\WmiPrvSE.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | clean |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESDDD0.tmp' 'c:\Users\user\AppData\Local\Temp\tjafqng0\CSC6B09D7CB2D7045B59F7434F2A8CE445.TMP' | clean |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESEAC0.tmp' 'c:\Users\user\AppData\Local\Temp\qlsida3o\CSCC809748AA5EB4643A41D26B71B98A016.TMP' | clean |

(5 further processes are not shown in this extract.)

URLs

| Name | IP | Malicious |
|---|---|---|
| http://art.microsoftsofymicrosoftsoft.at/0QTFQ19LsLPPw2WV1xJ/YcBhtZLzUs6CSioSs9dLnb/aEb6zuvJhqdcs/1Hb1sg90/RWaFAF1NEpmrckuTWKaPqAA/24G0Hczqd6/RbhQoaSPqBLCdZu1n/MpE8YBnCkgqe/EyYs8PTQfhS/e3P4PnLK5TJvEZ/zj0oBbuVnCwlxQAQ_2FhY/0Zu1rFoV_2B4IBxL/S0k_2BzfYQGXk4l/RlIY9NCU_2Bq2C0qZR/XkIkWaJBq/tdpiFuEgu5qCEOsijppu/WtAIhPYjfYVFXMRTyYR/vZDnI_2BfmuNdCFB6L924B/9580GsWQ3CLj4/gdGO_2FS/6 | 188.127.235.42 | malicious |
| http://art.microsoftsofymicrosoftsoft.at/J7vFZ3DnKfP9_2BLqsOzhE/_2B0sX39iqKXX/xRC3_2Bn/FR7I7tC4Y_2BKbKZhTipXKo/Y68Clp5syo/AKjqJkiRp4I9iXaE1/6hTqbwupKV0Z/G7JGvRt1lPU/_2FoM5FRPpNFQ7/Q0DKQKOrk_2B_2BMtgkLi/AHH7yDMmOl_2BC_2/Bw6mGTTnqH2yR_2/BWwJ_2BspWSt3ypb_2/B3jzGWYjP/wQws_2BBySwRC_2FSzoA/9eCjcMJ9yhEG_2BMBin/PBuDF_2BwHt7nPiirKF3ia/yI6rUSMPL1t1W/Tqi6oYDf/4qfPSjhH9hVkFRq5vohLKMn/uKsZDY_2Bm7_2FTYT00/CD | 188.127.235.42 | malicious |
| http://atl.bigbigpoppa.com/_2Bd0AwZG9XFE1JsQD/cYUPvk3qo/ww4_2FJnUCtl_2FACzcA/gxGADMlKA5cRRoa6VfN/bztGPiRkqBO_2FeJB_2BBD/IZBC0D711zpQe/9l1y4Uwd/xWWDr7ndPnPsd3SHIlHFSP9/fiR_2F5_2B/KN2_2B_2B5ItX8nNz/A90VzmqpXUKU/D_2BBXI_2Fv/Sm1xwqkwGWKzxN/PYriFQN1XTg1Mt_2Fdo2G/CZqhw6Gkw9Ga7J6_/2Bpy6_2BqUSt_2F/vDyCdPXYj3I1xnWURR/qEzCiHG74/IyTcmp76Fgjy6Le_2BYj/rD_2FzgWNQQxd_2BIyQ/7fmZMqR3a8eHDmZNS7_2Fe/dWNBCQOVIE_2F/6naTDq9tL/Nw | 188.127.235.42 | malicious |
| http://atl.bigbigpoppa.com/ls0YKrv_/2BJV6E5mlJLydgYjyupmqAO/ebshbxfLmK/53ueumhRK5uHsu1wq/kpnvHeT3BjeE/FCqvgS3hqwT/mPkNYDb32X1Qkc/N7G1r4IU6bUFNgu5BVVbX/yjbVABqaYeB8_2B_/2Fc9vKfZ4hMWLC_/2F14B5QvoOUabGWCw8/plYcnGyms/aXOFWp0J_2FK_2F8o_2B/CI_2FWn_2BX374n3ww4/TG_2ByfgHphR5COejTHsMy/gz3rKYS9XKGwv/EDh6_2Fg/2ikTmUt7QTCri3TRpRtQJWb/r2fO6KX7SN/6mXIe2jQ1oyEIqRjM/CLsIWaugZB_2/FhqkmGlAeUa/nn8rVI84Q/hCoKY5 | 188.127.235.42 | malicious |
| http://atl.bigbigpoppa.com/fLZmMbWHBrDjVjdoP/PBIC_2FBgMAC/GLBRSVYh_2B/gOgSU0YMdVq_2B/zcwHoIWkheDXq9xczsBhd/ElAduBsByQvdzYtm/u1rHkcLjXfXx1mz/65IOgBlAGjO7Q3M6vt/veJ56XC29/VYs86CKFiCgfUKe_2BfC/Owi_2FUGONT8UvwdsM8/JqV4Jr0011ZtMPmdvDnIrg/UTgh1kCejVnav/Uy_2FGvp/eeZw5tLTiHgf8fP7rzbZynm/BFygaGjj9P/SHhlv5Dn_2B4k8NOM/1M_2FM_2BW8G/dlVQieXVKAn/Zjy1O5qAJEGMC1/sQMiemHb82h85qSPQL4KI/K6v7yXzTOl7hZz/W | 188.127.235.42 | malicious |
| http://crl.m- | unknown | clean |
| http://nuget.org/NuGet.exe | unknown | clean |
| http://constitution.org/usdeclar.txt | unknown | clean |
| http://pesterbdd.com/images/Pester.png | unknown | clean |
| http://www.apache.org/licenses/LICENSE-2.0.html | unknown | clean |
| https://contoso.com/ | unknown | clean |
| https://nuget.org/nuget.exe | unknown | clean |
| http://constitution.org/usdeclar.txtC: | unknown | clean |
| https://contoso.com/License | unknown | clean |
| https://contoso.com/Icon | unknown | clean |
| http://https://file://USER.ID%lu.exe/upd | unknown | clean |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | unknown | clean |
| https://github.com/Pester/Pester | unknown | clean |

(8 further URLs are not shown in this extract.)

Domains

| Name | IP | Malicious |
|---|---|---|
| art.microsoftsofymicrosoftsoft.at | 188.127.235.42 | malicious |