IOC Report

Files

| File Path | Type | Category | Malicious |
| --- | --- | --- | --- |
| DHL_AWB 65335643399___pdf.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | malicious |
| C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_AWB 65335643399___pdf.exe.log | ASCII text, with CRLF line terminators | modified | malicious |
| C:\Users\user\AppData\Local\Temp\tmpBB4.tmp | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\49b65733-2a7e-be56-685e-64260949479e | ASCII text, with no line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Temp\bhv3F87.tmp | Extensible storage user DataBase, version 0x620, checksum 0xf6c62795, page size 32768, DirtyShutdown, Windows version 10.0 | dropped | clean |
| C:\Users\user\AppData\Local\Temp\bhv6484.tmp | Extensible storage user DataBase, version 0x620, checksum 0x3860e4e7, page size 32768, DirtyShutdown, Windows version 10.0 | dropped | clean |
| C:\Users\user\AppData\Local\Temp\bhv7E75.tmp | Extensible storage user DataBase, version 0x620, checksum 0x3860e4e7, page size 32768, DirtyShutdown, Windows version 10.0 | dropped | clean |
| C:\Users\user\AppData\Local\Temp\bhvA016.tmp | Extensible storage user DataBase, version 0x620, checksum 0x3860e4e7, page size 32768, DirtyShutdown, Windows version 10.0 | dropped | clean |
| C:\Users\user\AppData\Local\Temp\tmp2427.tmp | Little-endian UTF-16 Unicode text, with no line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Temp\tmp51F7.tmp | Little-endian UTF-16 Unicode text, with no line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Temp\tmp72B7.tmp | Little-endian UTF-16 Unicode text, with no line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Temp\tmpF619.tmp | Little-endian UTF-16 Unicode text, with no line terminators | dropped | clean |
| C:\Users\user\AppData\Roaming\NbJgZAsv.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | clean |
| C:\Users\user\AppData\Roaming\NbJgZAsv.exe:Zone.Identifier | ASCII text, with CRLF line terminators | dropped | clean |

Processes

| Path | Cmdline | Malicious |
| --- | --- | --- |
| C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | "C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe" | malicious |
| C:\Windows\SysWOW64\schtasks.exe | C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NbJgZAsv" /XML "C:\Users\user\AppData\Local\Temp\tmpBB4.tmp | malicious |
| C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | C:\Users\user\Desktop\DHL_AWB 65335643399___pdf.exe | malicious |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp72B7.tmp | malicious |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp51F7.tmp | malicious |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp2427.tmp | malicious |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF619.tmp | malicious |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF75D.tmp | malicious |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean |

URLs

| Name | IP | Malicious |
| --- | --- | --- |
| http://www.fontbureau.comoaj%(- | unknown | clean |
| https://www.google.com/chrome/static/css/main.v2.min.css | unknown | clean |
| http://www.msn.com | unknown | clean |
| http://www.fontbureau.com/designers | unknown | clean |
| http://www.nirsoft.net | unknown | clean |
| https://deff.nelreports.net/api/report?cat=msn | unknown | clean |
| https://contextual.media.net/__media__/js/util/nrrV9140.js | unknown | clean |
| https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js | unknown | clean |
| http://www.zhongyicts.com.cnr-f | unknown | clean |
| https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png | unknown | clean |
| https://www.google.com/chrome/ | unknown | clean |
| http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z | unknown | clean |
| http://www.galapagosdesign.com/DPlease | unknown | clean |
| https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c | unknown | clean |
| http://www.founder.com.cn/cnomp | unknown | clean |
| http://www.zhongyicts.com.cn | unknown | clean |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | unknown | clean |
| http://www.carterandcone.como. | unknown | clean |
| http://www.sandoll.co.kr= | unknown | clean |
| https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm= | unknown | clean |
| https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg | unknown | clean |
| http://www.carterandcone.comc | unknown | clean |
| https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee | unknown | clean |
| https://www.google.com/chrome/static/images/download-browser/pixel_phone.png | unknown | clean |
| https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex | unknown | clean |
| https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png | unknown | clean |
| https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g | unknown | clean |
| https://pki.goog/repository/0 | unknown | clean |
| https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1 | unknown | clean |
| https://srtb.msn.com/auction?a=de-ch&b=fa1a6a09db4c4f6fbf480b78c51caf60&c=MSN&d=http%3A%2F%2Fwww.msn | unknown | clean |
| https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736 | unknown | clean |
| http://www.carterandcone.coml | unknown | |