IOC Report
pDut.azdgC

Files

File Path | Type | Category | Malicious
--- | --- | --- | ---
pDut.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | initial sample | malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_5ae826728d25cb185b65052fe76417bde20f1c2_7cac0383_1a83caea\Report.wer | Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_64868dc4c92d6a6e56598a58e1863903bd4390_7cac0383_19679841\Report.wer | Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_d4707724df8dacf8df1a948061d31053afc578b_7cac0383_150f7325\Report.wer | Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6AB9.tmp.dmp | Mini DuMP crash report, 15 streams, Fri Apr 22 22:32:14 2022, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6ED1.tmp.WERInternalMetadata.xml | XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7162.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E12.tmp.dmp | Mini DuMP crash report, 15 streams, Fri Apr 22 22:32:19 2022, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8518.tmp.WERInternalMetadata.xml | XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER893F.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB176.tmp.dmp | Mini DuMP crash report, 15 streams, Fri Apr 22 22:32:32 2022, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB8E9.tmp.WERInternalMetadata.xml | XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC02E.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | data | dropped |
C:\Users\user\AppData\Local\Temp\41kkxng4.0.cs | UTF-8 Unicode (with BOM) text | dropped |
C:\Users\user\AppData\Local\Temp\41kkxng4.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | dropped |
C:\Users\user\AppData\Local\Temp\41kkxng4.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped |
C:\Users\user\AppData\Local\Temp\41kkxng4.out | UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators | modified |
C:\Users\user\AppData\Local\Temp\CSC9452DD6E90C74A5284F45229D37BC.TMP | MSVC .res | dropped |
C:\Users\user\AppData\Local\Temp\CSCE5529B6452BD443991E7FB86A88433C.TMP | MSVC .res | dropped |
C:\Users\user\AppData\Local\Temp\RES3B19.tmp | Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x47e, 9 symbols | dropped |
C:\Users\user\AppData\Local\Temp\RES52D7.tmp | Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols | dropped |
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2zn2pbeb.bx3.ps1 | very short file (no magic) | dropped |
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xkbxlwnt.njb.psm1 | very short file (no magic) | dropped |
C:\Users\user\AppData\Local\Temp\cweuuamv.0.cs | UTF-8 Unicode (with BOM) text | dropped |
C:\Users\user\AppData\Local\Temp\cweuuamv.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | dropped |
C:\Users\user\AppData\Local\Temp\cweuuamv.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped |
C:\Users\user\AppData\Local\Temp\cweuuamv.out | UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators | modified |
C:\Users\user\Documents\20220422\PowerShell_transcript.210979.yN_Qw8z3.20220422153314.txt | UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators | dropped |

Processes

Path | Cmdline | Malicious
--- | --- | ---
C:\Windows\SysWOW64\cmd.exe | cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pDut.dll",#1 | malicious
C:\Windows\SysWOW64\rundll32.exe | rundll32.exe "C:\Users\user\Desktop\pDut.dll",#1 | malicious
C:\Windows\System32\mshta.exe | "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Wefk='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Wefk).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>" | malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name iqioaqncxw -value gp; new-alias -name fchfny -value iex; fchfny ([System.Text.Encoding]::ASCII.GetString((iqioaqncxw "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) | malicious
C:\Windows\System32\control.exe | C:\Windows\system32\control.exe -h | malicious
C:\Windows\explorer.exe | C:\Windows\Explorer.EXE | malicious
C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\pDut.dll" | malicious
C:\Windows\System32\PING.EXE | ping localhost -n 5 | malicious
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | malicious
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c wevtutil qe "application" /c:100 /rd:false | malicious
C:\Windows\System32\loaddll32.exe | loaddll32.exe "C:\Users\user\Desktop\pDut.dll" |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 304 |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 260 |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 268 |
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cweuuamv.cmdline" |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3B19.tmp" "c:\Users\user\AppData\Local\Temp\CSC9452DD6E90C74A5284F45229D37BC.TMP" |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\41kkxng4.cmdline" |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES52D7.tmp" "c:\Users\user\AppData\Local\Temp\CSCE5529B6452BD443991E7FB86A88433C.TMP" |
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
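Added triage script (example code written for this page; it is not part of the sandbox report or of the sample). It turns the behaviours visible in the process table into command-line rules: rundll32 launching a DLL export by ordinal, mshta given an inline about: HTA, a script body read from the registry (regread, or gp aliased and piped into iex), control.exe -h, the ping-then-del self-deletion, and the wevtutil event-log query. It also pulls the registry key GUID and value names (TestLocal, UrlsReturn) out of the command lines as IOCs. The rule names, the scoring helper and the function names are my own; the sample command lines are copied from the table above as constructed input, and the unflagged rows are included to show they produce no hits.

```python
"""Triage sandbox process command lines for the behaviours seen in this report."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input: command lines copied from the Processes table.
# Raw strings keep every backslash exactly as the report shows it.
SAMPLE_CMDLINES: List[str] = [
    r'''cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pDut.dll",#1''',
    r'''rundll32.exe "C:\Users\user\Desktop\pDut.dll",#1''',
    r'''"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Wefk='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Wefk).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>"''',
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name iqioaqncxw -value gp; new-alias -name fchfny -value iex; fchfny ([System.Text.Encoding]::ASCII.GetString((iqioaqncxw "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))''',
    r'''C:\Windows\system32\control.exe -h''',
    r'''"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\pDut.dll"''',
    r'''ping localhost -n 5''',
    r'''C:\Windows\system32\cmd.exe /c wevtutil qe "application" /c:100 /rd:false''',
    # Rows the report did not flag; none of them should match a rule.
    r'''loaddll32.exe "C:\Users\user\Desktop\pDut.dll"''',
    r'''C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 304''',
    r'''"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cweuuamv.cmdline"''',
    r'''C:\Windows\system32\conhost.exe 0xffffffff -ForceV1''',
]

# One regex per behaviour in the table. Rule names are my own labels (assumption).
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("rundll32 calls a DLL export by ordinal",
     re.compile(r'rundll32(?:\.exe)?\s+"?[^",]+\.dll"?\s*,\s*#\d+', re.I)),
    ("mshta runs an inline about: HTA",
     re.compile(r'mshta(?:\.exe)?"?\s+"?about:<hta:application>', re.I)),
    ("script body read from the registry (regread, or gp aliased into iex)",
     re.compile(r'regread\(|new-alias\s+-name\s+\S+\s+-value\s+(?:gp|iex)\b', re.I)),
    ("control.exe started with -h",
     re.compile(r'control\.exe\s+-h\b', re.I)),
    ("ping delay followed by del (self-deletion of the sample)",
     re.compile(r'ping\s+(?:localhost|127\.0\.0\.1)\s+-n\s+\d+\s*&&\s*del\b', re.I)),
    ("wevtutil queries the Application event log",
     re.compile(r'wevtutil\s+qe\s+"?application"?', re.I)),
]

# Key GUID and value name under HKCU\Software\AppDataLow\Software\Microsoft\<GUID>.
# Handles both spellings seen above: the HTA's escaped '\\\TestLocal' and
# PowerShell's ("...").UrlsReturn property access.
REG_PAYLOAD = re.compile(
    r'AppDataLow\\+Software\\+Microsoft\\+'
    r'(?P<guid>[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})'
    r'(?:\\+|"\)\.)(?P<value>\w+)',
    re.I,
)


def triage(cmdlines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule name, command line) for every rule that matches a line."""
    return [(name, cmd) for cmd in cmdlines for name, rx in RULES if rx.search(cmd)]


def hits_by_rule(cmdlines: List[str]) -> Dict[str, int]:
    """Count matching command lines per rule (every rule present, even at zero)."""
    counts = {name: 0 for name, _ in RULES}
    for name, _ in triage(cmdlines):
        counts[name] += 1
    return counts


def distinct_rules_hit(cmdlines: List[str]) -> int:
    """Number of different behaviours seen; several together point at one chain."""
    return sum(1 for n in hits_by_rule(cmdlines).values() if n)


def registry_iocs(cmdlines: List[str]) -> Set[Tuple[str, str]]:
    """Extract (key GUID, value name) pairs used to stage script bodies in the registry."""
    found: Set[Tuple[str, str]] = set()
    for cmd in cmdlines:
        for m in REG_PAYLOAD.finditer(cmd):
            found.add((m.group("guid").upper(), m.group("value")))
    return found


if __name__ == "__main__":
    for name, count in hits_by_rule(SAMPLE_CMDLINES).items():
        print(f"{count:2d}  {name}")
    for guid, value in sorted(registry_iocs(SAMPLE_CMDLINES)):
        print(f"registry IOC: HKCU\\Software\\AppDataLow\\Software\\Microsoft\\{guid} -> {value}")
    print("distinct behaviours:", distinct_rules_hit(SAMPLE_CMDLINES))
```

To use it on real telemetry, replace SAMPLE_CMDLINES with the command-line column of an EDR or Sysmon export; the rules are deliberately narrow to the exact forms in this report (quoted paths, `,#N` ordinals, `about:<hta:application>`, `ping localhost -n N && del`), so loosen them only after checking what else they would match in your environment. The registry extractor is the most reusable part: the key GUID and the TestLocal / UrlsReturn value names are host artifacts you can sweep for directly.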