IOCReport

loading gif

Files

File Path
Type
Category
Malicious
eZY2eXORIp.exe
PE32 executable (GUI) Intel 80386, for MS Windows
initial sample
malicious
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C85B3E60-1243-11EC-90E5-ECF4BB570DC9}.dat
Microsoft Word Document
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EE1A57EA-1243-11EC-90E5-ECF4BB570DC9}.dat
Microsoft Word Document
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C85B3E62-1243-11EC-90E5-ECF4BB570DC9}.dat
Microsoft Word Document
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EE1A57EC-1243-11EC-90E5-ECF4BB570DC9}.dat
Microsoft Word Document
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\dnserror[1]
HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\errorPageStrings[1]
UTF-8 Unicode (with BOM) text, with CRLF line terminators
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\httpErrorPagesScripts[1]
UTF-8 Unicode (with BOM) text, with CRLF line terminators
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\down[1]
PNG image data, 15 x 15, 8-bit colormap, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\httpErrorPagesScripts[1]
UTF-8 Unicode (with BOM) text, with CRLF line terminators
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\NewErrorPageTemplate[1]
UTF-8 Unicode (with BOM) text, with CRLF line terminators
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\NewErrorPageTemplate[2]
UTF-8 Unicode (with BOM) text, with CRLF line terminators
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\dnserror[1]
HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\down[1]
PNG image data, 15 x 15, 8-bit colormap, non-interlaced
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\errorPageStrings[1]
UTF-8 Unicode (with BOM) text, with CRLF line terminators
dropped
clean
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
ASCII text, with CRLF line terminators
modified
clean
C:\Users\user\AppData\Local\Temp\~DF19831833E1675488.TMP
data
dropped
clean
C:\Users\user\AppData\Local\Temp\~DF56A785732A2B1070.TMP
data
dropped
clean
C:\Users\user\AppData\Local\Temp\~DF97D4377F1C48C61D.TMP
data
dropped
clean
C:\Users\user\AppData\Local\Temp\~DFB0F1E322AEAF92F9.TMP
data
dropped
clean
There are 19 hidden files, click here to show them.

Processes

Path
Cmdline
Malicious
C:\Users\user\Desktop\eZY2eXORIp.exe
'C:\Users\user\Desktop\eZY2eXORIp.exe'
malicious
C:\Program Files (x86)\Internet Explorer\iexplore.exe
'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6212 CREDAT:17410 /prefetch:2
malicious
C:\Program Files (x86)\Internet Explorer\iexplore.exe
'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6496 CREDAT:17410 /prefetch:2
malicious
C:\Program Files\internet explorer\iexplore.exe
'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
clean
C:\Program Files\internet explorer\iexplore.exe
'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
clean

URLs

Name
IP
Malicious
https://haverit.xyz/index.htm
unknown
clean
http://www.nytimes.com/
unknown
clean
https://haverit.xyz/index.htmbY
unknown
clean
https://sectigo.com/CPS0
unknown
clean
http://ocsp.sectigo.com0
unknown
clean
https://haverit.xyz/index.htmdex.htm
unknown
clean
http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;
unknown
clean
https://haverit.xyz/
unknown
clean
http://www.youtube.com/
unknown
clean
http://www.wikipedia.com/
unknown
clean
http://www.amazon.com/
unknown
clean
https://haverit.xyz
unknown
clean
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
unknown
clean
http://www.live.com/
unknown
clean
https://haverit.xyz/index.htm5
unknown
clean
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
unknown
clean
http://www.reddit.com/
unknown
clean
http://www.twitter.com/
unknown
clean
https://haverit.xyz/index.htmRoot
unknown
clean
http://www.google.com/
unknown
clean
There are 10 hidden URLs, click here to show them.

Domains

Name
IP
Malicious
haverit.xyz
unknown
malicious

IPs

IP
Domain
Country
Malicious
192.168.2.1
unknown
unknown
clean

Registry

Path
Value
Malicious
C:\Program Files\internet explorer\iexplore.exe
{C85B3E60-1243-11EC-90E5-ECF4BB570DC9}
clean
C:\Program Files\internet explorer\iexplore.exe
Count
clean
C:\Program Files\internet explorer\iexplore.exe
Time
clean
C:\Program Files\internet explorer\iexplore.exe
Blocked
clean
C:\Program Files\internet explorer\iexplore.exe
Count
clean
C:\Program Files\internet explorer\iexplore.exe
Time
clean
C:\Program Files\internet explorer\iexplore.exe
Count
clean
C:\Program Files\internet explorer\iexplore.exe
Time
clean
C:\Program Files\internet explorer\iexplore.exe
LoadTimeArray
clean