IOC Report

Files

File Path | Type | Category | Malicious
S9yf6BkjhTQUbHE.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | malicious
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\S9yf6BkjhTQUbHE.exe.log | ASCII text, with CRLF line terminators | dropped | malicious

Note: the UsageLogs .log file is written by the .NET runtime whenever a managed assembly runs. Its content is benign, but a log named after the sample is reliable evidence that the assembly executed on the host; the path is a forensic indicator rather than a second payload.

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | "C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe" | malicious
C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | malicious
C:\Windows\explorer.exe | C:\Windows\Explorer.EXE | malicious
C:\Windows\SysWOW64\msdt.exe | C:\Windows\SysWOW64\msdt.exe | malicious
C:\Windows\SysWOW64\autoconv.exe | C:\Windows\SysWOW64\autoconv.exe | clean
C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe" | clean
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean

Note: explorer.exe and msdt.exe are legitimate Windows binaries; the malicious verdict applies to the process instance observed in this run, not to the on-disk file, so these paths must not be used as file IOCs. The cmd.exe line removes the original sample from the Desktop after the other processes have started (self-deletion), which is why the initial file is often missing on an infected host; recover it from the memory dumps listed below rather than from disk.
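The process list above shows two behaviours worth turning into telemetry checks: the original sample is removed by `cmd.exe /c del "<sample path>"` after the other processes have started (self-deletion), and 32-bit Windows utilities are started from SysWOW64 with a command line that is nothing but their own path. The Python below is an added example, not part of the sandbox report: it runs those two checks over process-creation events constructed to mirror the table (image path and command line, in launch order; no parent/child data, because the report lists none). The bare-command-line check is a triage lead rather than a verdict: in this trace it matches both msdt.exe, which the sandbox flagged, and autoconv.exe, which it rated clean.

```python
import re

# Constructed process-creation events mirroring the report's Processes table:
# (image path, command line), in launch order. Not sandbox output.
EVENTS = [
    (r"C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe", r'"C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe"'),
    (r"C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe", r"C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE"),
    (r"C:\Windows\SysWOW64\msdt.exe", r"C:\Windows\SysWOW64\msdt.exe"),
    (r"C:\Windows\SysWOW64\autoconv.exe", r"C:\Windows\SysWOW64\autoconv.exe"),
    (r"C:\Windows\SysWOW64\cmd.exe", r'/c del "C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe"'),
    (r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# "del", optional switches such as /f /q, then a quoted or bare drive-letter path at the end.
_DEL_RE = re.compile(r'(?i)\bdel\b(?:\s+/\w)*\s+"?([a-z]:\\[^"]+?)"?\s*$')

SYSWOW64 = "c:\\windows\\syswow64\\"


def deletion_target(cmdline):
    """Return the file path removed by a cmd.exe '/c del ...' command line, or None."""
    m = _DEL_RE.search(cmdline)
    return m.group(1) if m else None


def _norm(path):
    """Case-insensitive, unquoted form of a path for comparisons."""
    return path.strip('"').lower()


def find_self_deletion(events):
    """(index, target) for every cmd.exe launch that deletes the image of an earlier process."""
    hits = []
    seen_images = set()
    for i, (image, cmdline) in enumerate(events):
        target = deletion_target(cmdline)
        if target and image.lower().endswith("\\cmd.exe") and _norm(target) in seen_images:
            hits.append((i, target))
        seen_images.add(_norm(image))
    return hits


def find_bare_syswow64_utilities(events):
    """SysWOW64 binaries whose command line is exactly their own path (no arguments)."""
    hits = []
    for image, cmdline in events:
        img = image.lower()
        if img.startswith(SYSWOW64) and _norm(cmdline) == img:
            hits.append(image)
    return hits


if __name__ == "__main__":
    for idx, target in find_self_deletion(EVENTS):
        print(f"self-deletion: event {idx} removes {target}")
    for image in find_bare_syswow64_utilities(EVENTS):
        print(f"bare SysWOW64 launch (triage lead): {image}")
```

The self-deletion check keys on the image path of an earlier process rather than on a fixed file name, so it still fires when the sample is renamed; add a `parent image` field to the events if your telemetry has it and the bare-launch check can be narrowed to utilities started by explorer.exe.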

URLs

Name | IP | Malicious
http://www.anamentor.com/czh8/?7n=IRLjoLIXlWieDd548KoJS/rowvlX7n5q7mSRLwbc7H8jLvnjYG+pwFiMTHdBlEYfNNBf&t4b=Zn-L | 172.67.178.31 | malicious
www.peptidepowder.com/czh8/ | | malicious
http://www.xn----pl8a630b0whm6t.com/czh8/?7n=WfBFmY7eHt5QBShHhdd2jwwFQU0Qfs4ciJop7u3ZFFtbwI7iz04mk8i | unknown | clean
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | unknown | clean
https://www.anamentor.com/czh8/?7n=IRLjoLIXlWieDd548KoJS/rowvlX7n5q7mSRLwbc7H8jLvnjYG | unknown | clean

Note: the per-URL verdicts disagree with the domain verdicts below (the xn---- URL is rated clean while its domain is rated malicious, and the two anamentor.com URLs carry different verdicts for the same path). The stable indicator is the shared request shape, path /czh8/ with a 7n= query key, across changing hosts. The schemas.xmlsoap.org entry is an XML namespace string embedded in .NET assemblies, not observed network traffic.
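Three of the URLs listed above share the path `/czh8/` and, where a query is present, the key `7n` (one also carries `t4b`), while the hosts differ. A host-only blocklist therefore misses the next rotated domain. The Python below is an added example, not part of the report: it derives the shared path and query-key fingerprint from the reported URLs and applies it, together with the reported hosts, to a few constructed proxy log lines. The client addresses, the `www.example-rotated.test` host and the log layout are invented for the example.

```python
from urllib.parse import urlsplit, parse_qs

# URLs copied from the report's URLs table (the .NET namespace URI is left out on purpose).
REPORTED_URLS = [
    "http://www.anamentor.com/czh8/?7n=IRLjoLIXlWieDd548KoJS/rowvlX7n5q7mSRLwbc7H8jLvnjYG+pwFiMTHdBlEYfNNBf&t4b=Zn-L",
    "www.peptidepowder.com/czh8/",
    "http://www.xn----pl8a630b0whm6t.com/czh8/?7n=WfBFmY7eHt5QBShHhdd2jwwFQU0Qfs4ciJop7u3ZFFtbwI7iz04mk8i",
    "https://www.anamentor.com/czh8/?7n=IRLjoLIXlWieDd548KoJS/rowvlX7n5q7mSRLwbc7H8jLvnjYG",
]

# Constructed proxy log lines, "<client> <method> <url> <status>". Not real traffic;
# www.example-rotated.test stands for a C2 host that was not known when the report was written.
LOG_LINES = [
    "10.0.0.5 GET http://www.anamentor.com/czh8/?7n=aGVsbG8&t4b=Zn-L 200",
    "10.0.0.5 GET http://www.example-rotated.test/czh8/?7n=d29ybGQ 404",
    "10.0.0.6 GET https://www.example.com/czh8/index.html 200",
    "10.0.0.7 GET http://www.peptidepowder.com/czh8/ 200",
    "10.0.0.8 GET http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name 200",
]


def normalize(url):
    """Return (lower-cased host, path, set of query keys), tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    keys = set(parse_qs(parts.query, keep_blank_values=True))
    return (parts.hostname or "").lower(), parts.path, keys


def fingerprint(urls):
    """Path shared by all URLs (None if they differ) and the union of their query keys."""
    paths, keys = set(), set()
    for u in urls:
        _, path, q = normalize(u)
        paths.add(path)
        keys |= q
    return (paths.pop() if len(paths) == 1 else None), keys


KNOWN_HOSTS = {normalize(u)[0] for u in REPORTED_URLS}
C2_PATH, C2_KEYS = fingerprint(REPORTED_URLS)


def classify(url):
    """'known-domain' for a reported host, 'pattern-match' for the request shape on a new host."""
    host, path, keys = normalize(url)
    if host in KNOWN_HOSTS:
        return "known-domain"
    # Empty query or a subset of the observed keys still counts: the report shows both forms.
    if C2_PATH is not None and path == C2_PATH and keys <= C2_KEYS:
        return "pattern-match"
    return None


def scan(lines):
    """Return (client, url, verdict) for every log line whose URL matches."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[0], fields[2]
        verdict = classify(url)
        if verdict:
            hits.append((client, url, verdict))
    return hits


if __name__ == "__main__":
    print("fingerprint:", C2_PATH, sorted(C2_KEYS))
    for hit in scan(LOG_LINES):
        print(*hit)
```

Extend KNOWN_HOSTS with the malicious entries of the Domains table when using this for hunting; the path fingerprint is what catches the rotated host in the second log line, which no host list would.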

Domains

Name | IP | Malicious
www.xn----pl8a630b0whm6t.com | 23.106.123.249 | malicious
td-ccm-168-233.wixdns.net | 34.117.168.233 | malicious
cryptoentering.com | 127.0.0.1 | malicious
www.anamentor.com | 172.67.178.31 | malicious
www.fuslonnd.com | unknown | malicious
www.dock-weiler.com | unknown | malicious
www.peregorodki.store | unknown | malicious
www.annellata.xyz | unknown | malicious
www.metricwombat.com | unknown | malicious
www.fullerhomeloans.com | unknown | malicious
www.epubgame.net | unknown | malicious
www.exploitslozdz.xyz | unknown | malicious
www.cryptoentering.com | unknown | malicious
parkingpage.namecheap.com | 198.54.117.218 | clean
www.ichelbrousset.com | 209.17.116.163 | clean

Five further domains were hidden in the original report and are not included here.

Note: cryptoentering.com resolving to 127.0.0.1 means the name is nulled or sinkholed at DNS; traffic to it never leaves the host, so the entry is evidence of the lookup, not of a live C2. td-ccm-168-233.wixdns.net is Wix hosting infrastructure shared by many sites and parkingpage.namecheap.com is a registrar parking page; neither is a usable block indicator on its own, although resolving to them shows which of the listed domains are parked or on shared platforms at the time of the run. Domains marked "unknown" were looked up but did not resolve.

IPs

IP | Domain | Country | Malicious
23.106.123.249 | www.xn----pl8a630b0whm6t.com | Singapore | malicious
172.67.178.31 | www.anamentor.com | United States | malicious

Note: 172.67.178.31 lies in Cloudflare's address space (a shared reverse proxy fronting many unrelated sites), so block or alert on the hostname and request pattern rather than on the address.

Memdumps

Base Address (hex) | Region type | Protect | Malicious
400000 | unknown | page execute and read and write | malicious
400000 | unknown | page execute and read and write | malicious
8D0000 | unknown image | page execute and read and write | malicious
2FA0000 | unknown | page read and write | malicious
EC4A000 | unknown image | page execute and read and write | malicious
A20000 | unknown image | page execute and read and write | malicious
41A8000 | unknown | page read and write | malicious
3F8D000 | unknown | page read and write | malicious
EC4A000 | unknown image | page execute and read and write | malicious
400000 | unknown | page execute and read and write | malicious
304A000 | unknown | page read and write | malicious
2F81000 | unknown | page read and write | malicious
A50000 | unknown image | page execute and read and write | malicious
2E90000 | unknown image | page execute and read and write | malicious
77E5000 | unknown | page read and write | clean
7FF5C063A000 | unknown image | page readonly | clean
13DF000 | stack | page read and write | clean
6310000 | unknown | page read and write | clean
D12E000 | unknown | page read and write | clean
8E11000 | unknown | page read and write | clean
8DF5000 | unknown | page read and write | clean
7FF51785B000 | unknown image | page readonly | clean
7FF517C2E000 | unknown image | page readonly | clean
E3E000 | stack | page read and write | clean
3900000 | unknown | page read and write | clean
5530000 | unknown | page read and write | clean
7FF517918000 | unknown image | page readonly | clean
1640000 | unknown image | page readonly | clean
7DF5DC020000 | unknown image | page readonly | clean
11C9000 | heap default | page read and write | clean
18A4FFD0000 | unknown image | page readonly | clean
7FF5176B8000 | unknown image | page readonly | clean

Note: the same base address appears more than once (400000 three times, EC4A000 twice) because the dumps come from different processes in the trace. The malicious regions are predominantly execute+read+write, which a legitimately loaded image never needs, and several sit at 400000, the default image base of a 32-bit executable; those dumps are the first candidates for extracting the unpacked payload, since the original file is deleted from disk (see the cmd.exe entry above).