IOC Report
file.exe

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive

initial sample

C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Passiveness\Kdbjergenes\Hlidhskjalf\Mezuzot.epo

ASCII text, with very long lines (60465), with no line terminators

dropped

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Extensible storage engine DataBase, version 0x620, checksum 0xe5740021, page size 16384, DirtyShutdown, Windows version 10.0

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

data

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vvwfq23h.o4c.ps1

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\Temp\sp4c0p22.default-release\cert9.db

SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 7, database pages 7, cookie 0x5, schema 4, UTF-8, version-valid-for 7

dropped

C:\Users\user\AppData\Local\Temp\sp4c0p22.default-release\key4.db

SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2

dropped

C:\Users\user\AppData\Local\Temp\tmp2F6E.tmp.dat

SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2

dropped

C:\Users\user\AppData\Local\Temp\tmp315D.tmp.dat

SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3

dropped

C:\Users\user\AppData\Local\Temp\tmp5C61.tmp.dat

SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7

dropped

C:\Users\user\AppData\Local\Temp\tmp8EFE.tmp.dat

SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4

dropped

C:\Users\user\AppData\Local\Temp\tmp9256.tmp.dat

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1

dropped

C:\Users\user\AppData\Local\Temp\tmp976F.tmp.dat

SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1

dropped

C:\Users\user\AppData\Local\Temp\tmp9F86.tmp.dat

SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1

dropped

C:\Users\user\AppData\Local\Temp\tmp9FB6.tmp.dat

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8

modified

C:\Users\user\AppData\Local\Temp\tmpBA4B.tmp.dat

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1

dropped

C:\Users\user\AppData\Local\Temp\tmpE29F.tmp.dat

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3

dropped

C:\Users\user\AppData\Local\Temp\tmpF0C5.tmp.dat

SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1

dropped

C:\Users\user\AppData\Local\Temp\tmpFE3A.tmp.dat

SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1

dropped

C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Curan158\Housty\begrets.inc

HTML document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Passiveness\Kdbjergenes\Hlidhskjalf\Maeterlinck.Mid152

data

dropped

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

JSON data

dropped

There are 12 hidden files, click here to show them.

URLs

Name

IP

Malicious

http://crowninter.com/jAscfKcoNcxeCpbJ57.bin

174.142.247.185

http://icanhazip.com/

104.16.185.241

http://ip-api.com/line/?fields=hosting

208.95.112.1

Domains

Name

IP

Malicious

whatismyipaddressnow.co

104.21.71.78

Details

Name:	whatismyipaddressnow.co
IP:	104.21.71.78
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

crowninter.com

174.142.247.185

Details

Name:	crowninter.com
IP:	174.142.247.185
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

ip-api.com

208.95.112.1

Details

Name:	ip-api.com
IP:	208.95.112.1
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Check if machine is in data center or colocation facility	Malware Analysis System Evasion	Security Software Discovery
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

icanhazip.com

104.16.185.241

Details

Name:	icanhazip.com
IP:	104.16.185.241
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

169.241.9.0.in-addr.arpa

unknown

IPs

IP

Domain

Country

Malicious

208.95.112.1

ip-api.com

United States

174.142.247.185

crowninter.com

Canada

23.221.242.90

unknown

United States

104.16.185.241

icanhazip.com

United States

104.21.71.78

whatismyipaddressnow.co

United States

Details

IP:	104.21.71.78
TargetID:	18
Current Path:	C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	whatismyipaddressnow.co

Signature Hits	Behavior Group	Mitre Attack
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

127.0.0.1

unknown

unknown