IOC Report


Files

File Path | Type | Category | Malicious
pago atrasado.exe | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive | initial sample | malicious
C:\Users\user\AppData\Local\Temp\nsw7E57.tmp\xpbpx.dll | PE32 executable (DLL) (native) Intel 80386, for MS Windows | dropped | clean
C:\Users\user\AppData\Local\Temp\upukqvxhfh | data | dropped | clean

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\pago atrasado.exe | 'C:\Users\user\Desktop\pago atrasado.exe' | malicious
C:\Users\user\Desktop\pago atrasado.exe | 'C:\Users\user\Desktop\pago atrasado.exe' | malicious
C:\Windows\explorer.exe | C:\Windows\Explorer.EXE | malicious
C:\Windows\SysWOW64\colorcpl.exe | C:\Windows\SysWOW64\colorcpl.exe | malicious
C:\Windows\SysWOW64\cmd.exe | /c del 'C:\Users\user\Desktop\pago atrasado.exe' | clean
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean

URLs

Name | IP | Malicious
www.crisisinterventionadvocates.com/u9xn/ | | malicious
http://www.crisisinterventionadvocates.com/u9xn/?z0=LAjf/xx2BjlKOSx2Nw0FybGnOLdFfrA16q3xOuIsu5dbrvvju1demR4HH9h71lmoA2bo&PjlT=JhfHclW8zdo | 74.208.236.134 | malicious
http://www.itskosi.com/u9xn/?z0=Q2BOOCh2YmRGzHBLpF4ZGgsAfzPJKYPCPJSLTy3o+TqCnIZHYQwJa/p1Zgpwk24Ey+uX&PjlT=JhfHclW8zdo | 46.101.121.244 | malicious
http://www.everythangbutwhite.com/u9xn/?z0=a5IGPNkliMrRjEJlFMTr6wLc8iEcWRvcvuUq3Ax8SYLvcABDJqlPe7bn0Dwhj5qYaiRJ&PjlT=JhfHclW8zdo | 3.64.163.50 | malicious
http://www.highvizpeople.com/u9xn/?z0=rzasM82ZF5Q0VpfmrNE4kv3GDdRAHDJpM3U8JxcA+ITN6WDsXwhhZ+Z3rxJnSB0jHUWg&PjlT=JhfHclW8zdo | 208.91.197.27 | malicious
http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.woff2 | unknown | clean
http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.ttf | unknown | clean
http://www.highvizpeople.com/Migraine_Pain_Relief.cfm?fp=lEL3szcLRiQ3X72dJydtT9fP1DR49HnC0B3XMUp8zSX | unknown | clean
http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.svg#open-sans | unknown | clean
http://www.oddanimalsink.com/u9xn/?z0=Eyy2FmThgSczREyJUe5BPhqJIrAJD2iL3N0sS7pth5V4AuiiYZbYrcKb75E1rnMpvjAp&PjlT=JhfHclW8zdo | 34.102.136.180 | clean
http://www.highvizpeople.com/__media__/js/trademark.php?d=highvizpeople.com&type=ns | unknown | clean
http://www.highvizpeople.com/song_lyrics.cfm?fp=lEL3szcLRiQ3X72dJydtT9fP1DR49HnC0B3XMUp8zSX%2FLdrtTp | unknown | clean
http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.otf | unknown | clean
http://www.highvizpeople.com/__media__/design/underconstructionnotice.php?d=highvizpeople.com | unknown | clean
http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.woff | unknown | clean
http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.woff | unknown | clean
http://i3.cdn-image.com/__media__/pics/27587/Right.png) | unknown | clean
http://www.highvizpeople.com/px.js?ch=2 | unknown | clean
http://www.highvizpeople.com/px.js?ch=1 | unknown | clean
http://nsis.sf.net/NSIS_ErrorError | unknown | clean
http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.eot?#iefix | unknown | clean
http://www.highvizpeople.com/10_Best_Mutual_Funds.cfm?fp=lEL3szcLRiQ3X72dJydtT9fP1DR49HnC0B3XMUp8zSX | unknown | clean
http://www.highvizpeople.com/Best_Penny_Stocks.cfm?fp=lEL3szcLRiQ3X72dJydtT9fP1DR49HnC0B3XMUp8zSX%2F | unknown | clean
http://www.highvizpeople.com/Accident_Lawyers.cfm?fp=lEL3szcLRiQ3X72dJydtT9fP1DR49HnC0B3XMUp8zSX%2FL | unknown | clean
http://i3.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg | unknown | clean
http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.svg#open-sans-bold | unknown | clean
http://i3.cdn-image.com/__media__/pics/27587/Left.png) | unknown | clean
http://i3.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg | unknown | clean
http://nsis.sf.net/NSIS_Error | unknown | clean
http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.woff2 | unknown | clean
http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.eot | unknown | clean
http://www.highvizpeople.com/sk-logabpstatus.php?a=MzZzaVd5UDZhY0hEU3Z1UzFXVHRjNXcrTjlwaWZWbWlYbHV5Y | unknown | clean
http://i3.cdn-image.com/__media__/pics/27587/BG_2.png) | unknown | clean
http://www.everythangbutwhite.com/ | unknown | clean
http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.eot?#iefix | unknown | clean
http://www.highvizpeople.com/display.cfm | unknown | clean
http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.otf | unknown | clean
http://www.Highvizpeople.com | unknown | clean
http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.ttf | unknown | clean
http://i3.cdn-image.com/__media__/js/min.js?v2.3 | unknown | clean
http://i3.cdn-image.com/__media__/pics/27586/searchbtn.png) | unknown | clean
http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.eot | unknown | clean
http://www.everythangbutwhite.com | unknown | clean

Domains

Name | IP | Malicious
www.everythangbutwhite.com | 3.64.163.50 | malicious
www.highvizpeople.com | 208.91.197.27 | malicious
www.itskosi.com | 46.101.121.244 | malicious
www.crisisinterventionadvocates.com | 74.208.236.134 | malicious
www.baybeg.com | unknown | malicious
www.shopthatlookboutique.com | unknown | malicious
www.christinegagnonjewellery.com | unknown | malicious
www.ttemola.com | unknown | malicious
www.oddanimalsink.com | unknown | malicious
www.ishhs.xyz | unknown | malicious
www.sfcn-dng.com | unknown | malicious
www.umgaleloacademy.com | unknown | malicious
oddanimalsink.com | 34.102.136.180 | clean
shops.myshopify.com | 23.227.38.74 | clean

IPs

IP | Domain | Country | Malicious
208.91.197.27 | www.highvizpeople.com | Virgin Islands (BRITISH) | malicious
3.64.163.50 | www.everythangbutwhite.com | United States | malicious
46.101.121.244 | www.itskosi.com | Netherlands | malicious
74.208.236.134 | www.crisisinterventionadvocates.com | United States | malicious
34.102.136.180 | oddanimalsink.com | United States | clean

Memdumps

Base Address | Region type | Protect | Malicious
8E0000 | unknown image | page execute and read and write | malicious
6D43000 | unknown image | page execute and read and write | malicious
400000 | unknown image | page execute and read and write | malicious