IOC Report

loading gif

Files

File Path
Type
Category
Malicious
T5dzWoyBkt.exe
PE32 executable (GUI) Intel 80386, for MS Windows
initial sample
malicious
C:\Users\user\AppData\Local\Temp\A9A9.exe
MS-DOS executable
dropped
malicious
C:\Users\user\AppData\Local\Temp\AD19.exe
PE32 executable (GUI) Intel 80386, for MS Windows
dropped
malicious
C:\Users\user\AppData\Local\Temp\B94A.exe
PE32 executable (GUI) Intel 80386, for MS Windows
dropped
malicious
C:\Users\user\AppData\Local\Temp\C48A.exe
PE32 executable (GUI) Intel 80386, for MS Windows
dropped
malicious
C:\Users\user\AppData\Local\Temp\CD6F.exe
PE32 executable (GUI) Intel 80386, for MS Windows
dropped
malicious
C:\Users\user\AppData\Local\Temp\DACD.exe
PE32 executable (GUI) Intel 80386, for MS Windows
dropped
malicious
C:\Users\user\AppData\Local\Temp\DB1C.exe
PE32 executable (GUI) Intel 80386, for MS Windows
dropped
malicious
C:\Users\user\AppData\Local\Temp\E5F9.exe
PE32 executable (GUI) Intel 80386, for MS Windows
dropped
malicious
C:\Users\user\AppData\Local\Temp\EF80.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
modified
malicious
C:\Users\user\AppData\Local\Temp\npcipivi.exe
PE32 executable (GUI) Intel 80386, for MS Windows
dropped
malicious
C:\Users\user\AppData\Roaming\eijrgvi
PE32 executable (GUI) Intel 80386, for MS Windows
dropped
malicious
C:\Users\user\AppData\Roaming\eijrgvi:Zone.Identifier
ASCII text, with CRLF line terminators
dropped
malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_C48A.exe_2673aa158c6a893c1138be40a650902eb2d08864_a906c4f4_16b24a5a\Report.wer
Little-endian UTF-16 Unicode text, with CRLF line terminators
dropped
clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9092.tmp.csv
data
dropped
clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9487.tmp.dmp
Mini DuMP crash report, 14 streams, Thu Jan 6 16:09:08 2022, 0x1205a4 type
dropped
clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9A96.tmp.txt
data
dropped
clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9E40.tmp.csv
data
dropped
clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9EBA.tmp.WERInternalMetadata.xml
XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
dropped
clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F7A.tmp.txt
data
dropped
clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA552.tmp.xml
XML 1.0 document, ASCII text, with CRLF line terminators
dropped
clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA94D.tmp.csv
data
dropped
clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB11E.tmp.txt
data
dropped
clean
C:\ProgramData\sqlite3.dll
PE32 executable (DLL) (console) Intel 80386, for MS Windows
dropped
clean
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EF80.exe.log
ASCII text, with CRLF line terminators
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\sqlite3[1].dll
PE32 executable (DLL) (console) Intel 80386, for MS Windows
dropped
clean
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl
data
dropped
clean
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl
data
dropped
clean
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
data
dropped
clean
C:\Users\user\AppData\Local\Temp\16PP8GLX
SQLite 3.x database, last written using SQLite version 3032001
dropped
clean
C:\Users\user\AppData\Local\Temp\26FU3EKF
SQLite 3.x database, last written using SQLite version 3032001
dropped
clean
C:\Users\user\AppData\Local\Temp\5FCTR1D2
SQLite 3.x database, last written using SQLite version 3032001
dropped
clean
C:\Users\user\AppData\Local\Temp\YUAI5X4W
SQLite 3.x database, last written using SQLite version 3032001
dropped
clean
C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl.0001. (copy)
data
dropped
clean
C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl.0001 (copy)
data
dropped
clean
C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl.0001.. (copy)
data
dropped
clean
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20220106_160807_384.etl
data
dropped
clean
There are 27 hidden files, click here to show them.

Processes

Path
Cmdline
Malicious
C:\Windows\System32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
malicious
C:\Users\user\Desktop\T5dzWoyBkt.exe
"C:\Users\user\Desktop\T5dzWoyBkt.exe"
malicious
C:\Windows\System32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
malicious
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
malicious
C:\Windows\System32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup
malicious
C:\Windows\System32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
malicious
C:\Users\user\Desktop\T5dzWoyBkt.exe
"C:\Users\user\Desktop\T5dzWoyBkt.exe"
malicious