IOCReport


Files

File Path | Type | Category | Verdict
0HvIGwMmBV.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious
C:\ProgramData\Microsoft\Network\Downloader\edb.log | data | dropped | clean
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | Extensible storage engine DataBase, version 0x620, checksum 0xae08ab15, page size 16384, DirtyShutdown, Windows version 10.0 | dropped | clean
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm | data | dropped | clean
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl | data | dropped | clean
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl | data | dropped | clean
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl | data | dropped | clean
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp | ASCII text, with no line terminators | dropped | clean
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log | data | modified | clean

Processes

Path | Cmdline | Verdict
C:\Users\user\Desktop\0HvIGwMmBV.exe | 'C:\Users\user\Desktop\0HvIGwMmBV.exe' | malicious
C:\Users\user\Desktop\0HvIGwMmBV.exe | C:\Users\user\Desktop\0HvIGwMmBV.exe | malicious
C:\Windows\SysWOW64\servicerpc.exe | C:\Windows\SysWOW64\servicerpc.exe | malicious
C:\Windows\SysWOW64\servicerpc.exe | C:\Windows\SysWOW64\servicerpc.exe | malicious
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS | malicious
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService | malicious
C:\Windows\System32\svchost.exe | c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc | malicious
C:\Windows\System32\svchost.exe | c:\windows\system32\svchost.exe -k unistacksvcgroup | malicious
C:\Windows\System32\svchost.exe | c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc | malicious
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p | malicious
C:\Windows\System32\svchost.exe | c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc | malicious
C:\Windows\System32\SgrmBroker.exe | C:\Windows\system32\SgrmBroker.exe | clean
C:\Program Files\Windows Defender\MpCmdRun.exe | 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable | clean
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean
4 further processes are not included in this export.

URLs

Name | IP | Verdict
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | unknown | clean
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | unknown | clean
https://dev.ditu.live.com/REST/v1/Routes/ | unknown | clean
https://dev.virtualearth.net/REST/v1/Routes/Driving | unknown | clean
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | unknown | clean
https://t0.tiles.ditu.live.com/tiles/gen | unknown | clean
https://dev.virtualearth.net/REST/v1/Routes/ | unknown | clean
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | unknown | clean
https://dev.virtualearth.net/REST/v1/Routes/Walking | unknown | clean
https://79.172.249.82:443/ | 79.172.249.82 | clean
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | unknown | clean
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | unknown | clean
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= | unknown | clean
https://%s.xboxlive.com | unknown | clean
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v= | unknown | clean
https://dev.virtualearth.net/REST/v1/Locations | unknown | clean
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= | unknown | clean
https://dev.virtualearth.net/mapcontrol/logging.ashx | unknown | clean
https://dev.ditu.live.com/mapcontrol/logging.ashx | unknown | clean
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | unknown | clean
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | unknown | clean
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | unknown | clean
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | unknown | clean
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | unknown | clean
https://dynamic.t | unknown | clean
https://dev.virtualearth.net/REST/v1/Routes/Transit | unknown | clean
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | unknown | clean
https://appexmapsappupdate.blob.core.windows.net | unknown | clean
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | unknown | clean
https://activity.windows.com | unknown | clean
http://www.bingmapsportal.com | unknown | clean
https://dev.ditu.live.com/REST/v1/Locations | unknown | clean
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | unknown | clean
https://%s.dnet.xboxlive.com | unknown | clean
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | unknown | clean
25 further URLs are not included in this export.

IPs

IP | Domain | Country | Verdict
193.169.54.12 | unknown | Germany | clean
192.168.2.1 | unknown | unknown | clean
173.230.145.224 | unknown | United States | clean
79.172.249.82 | unknown | Hungary | clean
127.0.0.1 | unknown | unknown | clean

Registry

Path | Value | Verdict
C:\Windows\System32\svchost.exe | cval | malicious
C:\Windows\System32\svchost.exe | cval | malicious
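The tables above are only useful once they are turned into something that runs against endpoint telemetry. The script below is an added example, not part of the sandbox report, that takes the two image paths the report marks malicious and the one raw-IP HTTPS contact it lists, and matches them against process-creation and network events in a constructed Sysmon-like JSON-lines format (the event field names type, image, cmdline and dst_ip are assumptions). Two practitioner points are built in: the svchost.exe rows are deliberately not used as indicators, because those command lines (BITS, DoSvc, wscsvc and the rest) are standard service hosts present on every Windows 10 machine and the report does not say why they were flagged; and path comparison folds case and strips quotes, since the report itself mixes System32/system32 and quoted/unquoted command lines.

```python
"""Match endpoint telemetry against IOCs taken from the report above.

Added example, not part of the sandbox report. The event layout is a
constructed Sysmon-like JSON-lines format; the field names are assumptions.
"""
import json
import ntpath
from dataclasses import dataclass

# Image paths the report marks malicious (Processes section).
MALICIOUS_IMAGES = {
    r"C:\Users\user\Desktop\0HvIGwMmBV.exe",
    r"C:\Windows\SysWOW64\servicerpc.exe",
}
# The one direct-to-IP HTTPS contact in the URLs/IPs sections. The report
# labels it clean; it is matched here so an analyst can review it, not to
# assert that it is command-and-control.
WATCHED_IPS = {"79.172.249.82"}
# The svchost.exe rows the report flags are standard service hosts whose
# command lines appear on every Windows 10 host, so they are not IOCs here.


def normalize_path(p: str) -> str:
    """Strip the quoting the sandbox shows around some command lines and fold
    case: NTFS paths are case-insensitive and the report mixes System32/system32."""
    return ntpath.normpath(p.strip("'\"")).lower()


_MALICIOUS_IMAGES_NORM = {normalize_path(p) for p in MALICIOUS_IMAGES}


@dataclass(frozen=True)
class Match:
    rule: str
    index: int   # position of the event in the input stream
    image: str   # normalized image path of the process involved


def check_event(index: int, ev: dict) -> list:
    """Return the Match objects (possibly none) for a single parsed event."""
    hits = []
    image = normalize_path(ev.get("image", ""))
    if ev.get("type") == "process_create" and image in _MALICIOUS_IMAGES_NORM:
        hits.append(Match("malicious_image_path", index, image))
    if ev.get("type") == "network_connect" and ev.get("dst_ip") in WATCHED_IPS:
        hits.append(Match("watched_ip_contact", index, image))
    return hits


def scan_jsonl(text: str) -> list:
    """Run check_event over JSON-lines telemetry. Blank or malformed lines are
    skipped rather than aborting the scan, so one bad record cannot hide the rest."""
    matches = []
    for i, line in enumerate(text.splitlines()):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        matches.extend(check_event(i, ev))
    return matches


# Constructed telemetry written for this example; these events are not from the report.
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in [
    {"type": "process_create", "image": r"C:\Users\user\Desktop\0HvIGwMmBV.exe",
     "cmdline": r"'C:\Users\user\Desktop\0HvIGwMmBV.exe'"},
    # Case differs from the report; normalize_path must still match it.
    {"type": "process_create", "image": r"c:\windows\syswow64\SERVICERPC.EXE",
     "cmdline": r"C:\Windows\SysWOW64\servicerpc.exe"},
    # Benign on every host: must not produce a match.
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS"},
    {"type": "network_connect", "image": r"C:\Users\user\Desktop\0HvIGwMmBV.exe",
     "dst_ip": "79.172.249.82", "dst_port": 443},
    # Listed in the report's IPs table but not watched: must not produce a match.
    {"type": "network_connect", "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "193.169.54.12", "dst_port": 443},
])

if __name__ == "__main__":
    for m in scan_jsonl(SAMPLE_JSONL):
        print(f"event {m.index}: {m.rule} ({m.image})")
```

Run as a script it reports three hits on the constructed input: the sample's own process, the SysWOW64 servicerpc.exe process despite its different casing, and the connection to 79.172.249.82. Feeding it real Sysmon output requires mapping the Event ID 1 and Event ID 3 fields onto the assumed names.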