IOC Report


Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| 0f.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | initial sample | malicious |
| C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C5D724C1-27C1-11EC-90E9-ECF4BB862DED}.dat | Microsoft Word Document | dropped | clean |
| C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C5D724C3-27C1-11EC-90E9-ECF4BB862DED}.dat | Microsoft Word Document | dropped | clean |
| C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\NewErrorPageTemplate[1] | UTF-8 Unicode (with BOM) text, with CRLF line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\down[1] | PNG image data, 15 x 15, 8-bit colormap, non-interlaced | dropped | clean |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\dnserror[1] | HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\errorPageStrings[1] | UTF-8 Unicode (with BOM) text, with CRLF line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\httpErrorPagesScripts[1] | UTF-8 Unicode (with BOM) text, with CRLF line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Temp\JavaDeployReg.log | ASCII text, with CRLF line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Temp\~DFA1D11EC49A94A948.TMP | data | dropped | clean |
| C:\Users\user\AppData\Local\Temp\~DFCB4F6EF3903B6C34.TMP | data | dropped | clean |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Windows\System32\loaddll32.exe | loaddll32.exe 'C:\Users\user\Desktop\0f.dll' | malicious |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\user\Desktop\0f.dll,Start | malicious |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe 'C:\Users\user\Desktop\0f.dll',#1 | malicious |
| C:\Program Files (x86)\Internet Explorer\iexplore.exe | 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2988 CREDAT:17410 /prefetch:2 | malicious |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\0f.dll',#1 | clean |
| C:\Program Files\internet explorer\iexplore.exe | 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding | clean |

URLs

| Name | IP | Malicious |
|---|---|---|
| http://www.wikipedia.com/ | unknown | clean |
| http://www.amazon.com/ | unknown | clean |
| http://app5.folion.xyz/C6VmqHmn62rFCww6y4ysR/P0nI5lbrE_2FoyZm/BDBmvveWjO3LK9Q/55XxQq6CmCPdNvBaEz/m5n | unknown | clean |
| http://www.nytimes.com/ | unknown | clean |
| http://www.live.com/ | unknown | clean |
| http://app5.folion.xyz | unknown | clean |
| http://www.reddit.com/ | unknown | clean |
| http://www.twitter.com/ | unknown | clean |
| http://www.youtube.com/ | unknown | clean |
| http://www.google.com/ | unknown | clean |

Domains

| Name | IP | Malicious |
|---|---|---|
| app5.folion.xyz | unknown | malicious |
| windowsupdate.s.llnwi.net | 178.79.242.128 | clean |

Registry

| Path | Value | Malicious |
|---|---|---|
| HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\AdminActive | {C5D724C1-27C1-11EC-90E9-ECF4BB862DED} | clean |
| HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | AdminActive | clean |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore | Count | clean |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore | Time | clean |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore | Blocked | clean |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore | Count | clean |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore | Time | clean |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore | Count | clean |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore | Time | clean |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore | LoadTimeArray | clean |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore | LoadTimeArray | clean |
| HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation | CVListPingLastYMD | clean |
| HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation | CVListPingBitmap | clean |
| HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation | CVListPingRandomizedBitmap | clean |
| HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | DecayDateQueue | clean |
| HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | LastProcessed | clean |
| HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | DecayDateQueue | clean |
| HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | LastProcessed | clean |

Memdumps

| Base Address | Region type | Protect | Malicious |
|---|---|---|---|
| 40A8000 | heap private | page read and write | malicious |
| 5BB9000 | heap private | page read and write | malicious |
| 40A8000 | heap private | page read and write | malicious |
| 40A8000 | heap private | page read and write | malicious |
| 40A8000 | heap private | page read and write | malicious |
| 40A8000 | heap private | page read and write | malicious |
| 11F0000 | unknown | page read and write | malicious |
| 40A8000 | heap private | page read and write | malicious |
| A30000 | unknown | page read and write | malicious |
| 40A8000 | heap private | page read and write | malicious |
| 40A8000 | heap private | page read and write | malicious |
| F60000 | unknown | page read and write | malicious |
| 38F9000 | heap private | page read and write | malicious |
| 40A8000 | heap private | page read and write | malicious |
| 110C000 | unknown | page read and write | clean |
| 273924D0000 | heap default | page read and write | clean |
| C00000 | heap default | page read and write | clean |
| 7FF562B44000 | unknown image | page readonly | clean |
| 11A0000 | unknown | page read and write | clean |