IOCReport

Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| 0TOEtGJHN8.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious |
| C:\ProgramData\Microsoft\Network\Downloader\edb.chk | data | dropped | clean |
| C:\ProgramData\Microsoft\Network\Downloader\edb.log | data | dropped | clean |
| C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | Extensible storage engine DataBase, version 0x620, checksum 0x8681bdb8, page size 16384, DirtyShutdown, Windows version 10.0 | dropped | clean |
| C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm | data | dropped | clean |
| C:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml.d (copy) | XML 1.0 document, ASCII text, with very long lines, with no line terminators | dropped | clean |
| C:\ProgramData\USOPrivate\UpdateStore\updatestoretemp51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml | XML 1.0 document, ASCII text, with very long lines, with no line terminators | dropped | clean |
| C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.001.etl (copy) | data | dropped | clean |
| C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration_Temp.1.etl | data | dropped | clean |
| C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp | ASCII text, with no line terminators | dropped | clean |
| C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log | data | modified | clean |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\0TOEtGJHN8.exe | 'C:\Users\user\Desktop\0TOEtGJHN8.exe' | malicious |
| C:\Windows\System32\svchost.exe | c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc | malicious |
| C:\Windows\System32\svchost.exe | c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc | malicious |
| C:\Windows\SysWOW64\keyiso\mfnetsrc.exe | C:\Windows\SysWOW64\keyiso\mfnetsrc.exe | malicious |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService | malicious |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS | malicious |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p | malicious |
| C:\Windows\System32\svchost.exe | c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc | malicious |
| C:\Windows\System32\svchost.exe | c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc | malicious |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p | malicious |
| C:\Windows\System32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -p | malicious |
| C:\Windows\System32\svchost.exe | c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc | malicious |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p | malicious |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p | malicious |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p | malicious |
| C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe | C:\Windows\SysWOW64\KBDOGHAM\signdrv.exe | malicious |
| C:\Windows\System32\SgrmBroker.exe | C:\Windows\system32\SgrmBroker.exe | clean |
| C:\Program Files\Windows Defender\MpCmdRun.exe | 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable | clean |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean |

URLs
