IOC Report
a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe

Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious |
| C:\ProgramData\EHDHIDAEHC.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\ProgramData\freebl3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\ProgramData\mozglue.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\ProgramData\nss3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\ProgramData\softokn3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mine[1].exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\ProgramData\BFCAAEHJDBKJ\AAKEGI | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3 | dropped | |
| C:\ProgramData\BFCAAEHJDBKJ\CFCFHJ | SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4 | dropped | |
| C:\ProgramData\BFCAAEHJDBKJ\CGDHIE | ASCII text, with very long lines (1809), with CRLF line terminators | dropped | |
| C:\ProgramData\BFCAAEHJDBKJ\ECFHJK | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1 | dropped | |
| C:\ProgramData\BFCAAEHJDBKJ\FHDAEH | SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2 | dropped | |
| C:\ProgramData\BFCAAEHJDBKJ\GCAFCA | SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11 | dropped | |
| C:\ProgramData\BFCAAEHJDBKJ\IDGDAA | SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1 | dropped | |
| C:\ProgramData\BFCAAEHJDBKJ\IJKKKF | SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3 | dropped | |
| C:\ProgramData\BFCAAEHJDBKJ\IJKKKF-shm | data | dropped | |
| C:\ProgramData\BFCAAEHJDBKJ\JDAKJD | SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2 | dropped | |
| C:\ProgramData\BFCAAEHJDBKJ\JDAKJD-shm | data | dropped | |
| C:\ProgramData\HCBAKJEHDBGH\BGIJDG | SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11 | dropped | |
| C:\ProgramData\HCBAKJEHDBGH\IIIEBG | SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4 | dropped | |
| C:\ProgramData\msvcp140.dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped | |
| C:\ProgramData\vcruntime140.dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EHDHIDAEHC.exe.log | ASCII text, with CRLF line terminators | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199747278259[1].htm | HTML document, Unicode text, UTF-8 text, with very long lines (3070), with CRLF, LF line terminators | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\76561199747278259[1].htm | HTML document, Unicode text, UTF-8 text, with very long lines (3070), with CRLF, LF line terminators | dropped | |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe | "C:\Users\user\Desktop\a8fb80b6e9d920c26922b29171e8301d5d4d9d4f20cd1b07cad94234b27c61be_payload.exe" | malicious |
| C:\ProgramData\EHDHIDAEHC.exe | "C:\ProgramData\EHDHIDAEHC.exe" | malicious |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" | malicious |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" | malicious |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BFCAAEHJDBKJ" & exit | |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
| C:\Windows\SysWOW64\timeout.exe | timeout /t 10 | |

URLs

| Name | IP | Malicious |
|---|---|---|
| https://168.119.176.241/t | unknown | malicious |
| https://168.119.176.241/s | unknown | malicious |
| https://168.119.176.241/r | unknown | malicious |
| https://168.119.176.241/r5 | unknown | malicious |
| https://168.119.176.241/sqls.dllI | unknown | malicious |
| https://168.119.176.241/sqls.dll_ | unknown | malicious |
| http://arpdabl.zapto.org | unknown | malicious |
| https://168.119.176.241/s_1l | unknown | malicious |
| https://168.119.176.241/softokn3.dll | 168.119.176.241 | malicious |
| https://168.119.176.241938.132 | unknown | |
| https://duckduckgo.com/chrome_newtab | unknown | |
| https://168.119.176.241/qo | unknown | |
| https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=Dbzy | unknown | |
| https://duckduckgo.com/ac/?q= | unknown | |
| https://168.119.176.241/z:O | unknown | |
| https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417. | unknown | |
| http://tempuri.org/ | unknown | |
| https://www.gstatic.cn/recaptcha/ | unknown | |
| https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | unknown | |
| http://www.valvesoftware.com/legal.htm | unknown | |