IOCReport

Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| DHL#DOCUMENTS001010.PDF.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | malicious |
| C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL#DOCUMENTS001010.PDF.exe.log | ASCII text, with CRLF line terminators | modified | malicious |
| C:\Users\user\AppData\Local\Temp\RegAsm.exe | PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\bhjhjkek.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\bhjhjkek.exe:Zone.Identifier | ASCII text, with CRLF line terminators | dropped | malicious |
| C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat | ISO-8859 text, with no line terminators, with escape sequences | dropped | malicious |
| C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bhjhjkek.exe.log | ASCII text, with CRLF line terminators | dropped | clean |
| C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat | data | dropped | clean |
| C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak | data | dropped | clean |
| C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin | data | dropped | clean |
| C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat | data | dropped | clean |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe | 'C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe' | malicious |
| C:\Users\user\AppData\Local\Temp\RegAsm.exe | C:\Users\user\AppData\Local\Temp\RegAsm.exe hjhjkfk | malicious |
| C:\Users\user\AppData\Local\bhjhjkek.exe | 'C:\Users\user\AppData\Local\bhjhjkek.exe' | malicious |
| C:\Users\user\AppData\Local\bhjhjkek.exe | 'C:\Users\user\AppData\Local\bhjhjkek.exe' | malicious |
| C:\Users\user\AppData\Local\Temp\RegAsm.exe | C:\Users\user\AppData\Local\Temp\RegAsm.exe hjhjkfk | malicious |

URLs

| Name | IP | Malicious |
|---|---|---|
| startedhere.ddns.net | | malicious |
| 23.105.131.142 | | malicious |
| http://crl.thawte.com/ThawteTimestampingCA.crl0 | unknown | clean |
| http://ocsp.thawte.com0 | unknown | clean |

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 23.105.131.142 | unknown | United States | malicious |

Registry

| Path | Value | Malicious |
|---|---|---|
| C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe | bhjhjkek | clean |

Memdumps

| Base Address | Region type | Protect | Malicious |
|---|---|---|---|
| 30F1000 | unknown | page read and write | malicious |
| 402000 | unknown | page execute and read and write | malicious |
| 7C2000 | unknown image | page readonly | malicious |
| 2E21000 | unknown | page read and write | malicious |
| 38C8000 | unknown | page read and write | malicious |
| 5DD0000 | unknown | page read and write | malicious |
| 2D31000 | unknown | page read and write | malicious |
| CA2000 | unknown image | page readonly | malicious |
| 7C2000 | unknown image | page readonly | malicious |
| 3E8A000 | unknown | page read and write | malicious |
| 3ED9000 | unknown | page read and write | malicious |
| 402000 | unknown | page execute and read and write | malicious |
| 3E7F000 | unknown | page read and write | malicious |
| 3F69000 | unknown | page read and write | malicious |
| 424A000 | unknown | page read and write | malicious |
| 3829000 | unknown | page read and write | malicious |
| 402000 | unknown | page execute and read and write | malicious |
| 4329000 | unknown | page read and write | malicious |
| 292000 | unknown image | page readonly | malicious |
| 4008000 | unknown | page read and write | malicious |
| CA2000 | unknown image | page readonly | malicious |
| 2ED1000 | unknown | page read and write | malicious |
| 3EF0000 | unknown | page read and write | malicious |
| 292000 | unknown image | page readonly | malicious |
| 402000 | unknown | page execute and read and write | malicious |
| 43C8000 | unknown | page read and write | |