IOC Report

Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| cK1g5gckZR9VHjj.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | malicious |
| C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cK1g5gckZR9VHjj.exe.log | ASCII text, with CRLF line terminators | dropped | clean |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | "C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe" | malicious |
| C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | malicious |
| C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | malicious |
| C:\Windows\explorer.exe | C:\Windows\Explorer.EXE | malicious |
| C:\Windows\SysWOW64\netsh.exe | C:\Windows\SysWOW64\netsh.exe | malicious |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe" | clean |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean |

URLs

| Name | IP | Malicious |
|---|---|---|
| http://www.dragonmodz.net/udeh/?Ipp=dUteF4ZXLzuJCUcYdQc1YLLQWaT61UR38kyqHblZtlDA/JK3c3P/1iwgVtH+FS5JjCNv5C6f7A==&w8e=oTrd | 142.252.22.166 | malicious |
| http://www.qzttb.net/udeh/?Ipp=0GJ3uF0xqxUvxNgo0ZAG0/AKZrovZvEja3W0Pwl2ZRVpe8mYbBKREVo+7yTMDi1lrzUfYpfKkw==&w8e=oTrd | 154.94.210.101 | malicious |
| http://www.royaldears.com/udeh/?Ipp=v0MSI9GJGiZ1sOz/LzfG2QhElsQnBWapnw3k3ldXy2xTual36y4oBDIxb66ss1xce1kRKjOJbQ==&w8e=oTrd | 3.64.163.50 | malicious |
| www.spoiledzone.com/udeh/ |  | malicious |
| http://www.autoitscript.com/autoit3/J | unknown | clean |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | unknown | clean |

Domains

| Name | IP | Malicious |
|---|---|---|
| www.qzttb.net | 154.94.210.101 | malicious |
| www.royaldears.com | 3.64.163.50 | malicious |
| www.dragonmodz.net | 142.252.22.166 | malicious |
| www.pittsburghdata.center | 209.17.116.163 | malicious |
| www.blueprintroslyn.com | unknown | malicious |

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 142.252.22.166 | www.dragonmodz.net | United States | malicious |
| 154.94.210.101 | www.qzttb.net | Seychelles | malicious |
| 3.64.163.50 | www.royaldears.com | United States | malicious |
| 209.17.116.163 | www.pittsburghdata.center | United States | malicious |

Memdumps

| Base Address | Region type | Protect | Malicious |
|---|---|---|---|
| 400000 | unknown | page execute and read and write | malicious |
| 400000 | unknown | page execute and read and write | malicious |
| 33D0000 | unknown | page read and write | malicious |
| 400000 | unknown | page execute and read and write | malicious |
| E6B1000 | unknown image | page execute and read and write | malicious |
| 3090000 | unknown image | page execute and read and write | malicious |
| F80000 | unknown image | page execute and read and write | malicious |
| 2BD1000 | unknown | page read and write | malicious |
| E6B1000 | unknown image | page execute and read and write | malicious |
| 2C9A000 | unknown | page read and write | malicious |
| 12F0000 | unknown image | page execute and read and write | malicious |
| 3DF6000 | unknown | page read and write | malicious |
| 2DC0000 | unknown image | page execute and read and write | malicious |
| 6260000 | unknown | page read and write | clean |
| 2EF4000 | unknown | page read and write | clean |
| 7FF599CCF000 | unknown image | page readonly | clean |
| 7F430000 | unknown image | page readonly | clean |
| 7FF599FE7000 | unknown image | page readonly | clean |
| 5B52000 | heap private | page read and write | clean |
| 145BD3C000 | unknown | page read and write | clean |
| 7FF59A2F7000 | unknown image | page readonly | clean |
| 801C000 | unknown | page read and write | clean |
| 6D8E000 | unknown image | page readonly | clean |
| 7FF579A38000 | unknown image | page readonly | clean |
| F4A000 | unknown | page read and write | clean |
| 7FFD714BD000 | unknown image | page write copy | clean |
| 5380000 | unknown | page read and write | clean |
| 5190000 | unknown | page read and write | clean |
| 280FAA70000 | unknown image | page readonly | clean |
| 18448EAF000 | unknown | page read and write | clean |
| 50F8000 | unknown | page read and write | clean |
| 1B1498BC000 | unknown | page read and write | clean |
| 7FF512B1B000 | unknown image | page readonly | clean |
| 28C5000 | unknown | page read and write | clean |