IOC Report


Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| Euro invoice.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | malicious |
| C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Euro invoice.exe.log | ASCII text, with CRLF line terminators | dropped | malicious |
| C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Windows\System32\drivers\etc\hosts | ASCII text, with CRLF line terminators | modified | malicious |
| C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kprUEGC.exe.log | ASCII text, with CRLF line terminators | modified | clean |
| \Device\ConDrv | ASCII text, with CRLF line terminators | dropped | clean |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\Euro invoice.exe | "C:\Users\user\Desktop\Euro invoice.exe" | malicious |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | malicious |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | malicious |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | malicious |
| C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | "C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe" | malicious |
| C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | "C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe" | malicious |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean |

URLs

| Name | IP | Malicious |
|---|---|---|
| http://crl.microsoft.co)X | unknown | clean |
| http://127.0.0.1:HTTP/1.1 | unknown | clean |
| http://Fedebu.com | unknown | clean |
| https://api.ipify.org%GETMozilla/5.0 | unknown | clean |
| http://DynDns.comDynDNS | unknown | clean |
| http://k5CVS3sUuqbD95uELlH.net | unknown | clean |
| https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | unknown | clean |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | unknown | clean |
| https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | unknown | clean |
| https://api.ipify.org%$ | unknown | clean |
| http://mail.vrlogistic.net | unknown | clean |

Domains

| Name | IP | Malicious |
|---|---|---|
| mail.vrlogistic.net | 148.66.138.164 | malicious |

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 148.66.138.164 | mail.vrlogistic.net | Singapore | malicious |

Registry

| Path | Value | Malicious |
|---|---|---|
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | kprUEGC | clean |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run | kprUEGC | clean |

Memdumps

| Base Address | Region type | Protect | Malicious |
|---|---|---|---|
| 402000 | unknown | page execute and read and write | malicious |
| 2B61000 | unknown | page read and write | malicious |
| 402000 | unknown | page execute and read and write | malicious |
| 3430000 | unknown | page read and write | malicious |
| 43F4000 | unknown | page read and write | malicious |
| 32EA000 | unknown | page read and write | malicious |
| 402000 | unknown | page execute and read and write | malicious |
| 402000 | unknown | page execute and read and write | malicious |
| 402000 | unknown | page execute and read and write | malicious |
| B70000 | unknown image | page readonly | clean |
| C91000 | stack | page read and write | clean |
| 7F6F0000 | unknown | page execute and read and write | clean |
| B60000 | unknown image | page readonly | clean |
| 1324000 | unknown | page read and write | clean |
| 5FB0000 | stack | page read and write | clean |
| 5B50000 | unknown | page read and write | clean |
| 7FF594C2F000 | unknown image | page readonly | clean |
| 6821000 | unknown | page read and write | clean |
| 5520000 | unknown | page read and write | clean |
| 59D5000 | unknown | page read and write | clean |
| 6430000 | stack | page read and write | clean |
| 298F9180000 | unknown image | page readonly | clean |
| 2A7ADC30000 | unknown image | page readonly | clean |
| D8D000 | unknown | page execute and read and write | clean |
| 2ABB000 | unknown | page execute and read and write | clean |
| 6950000 | unknown | page read and write | clean |
| 7F852000 | unknown image | page readonly | clean |
| 7FF54483B000 | unknown image | page readonly | clean |
| 8F0000 | unknown image | page readonly | clean |
| 5FB0000 | unknown | page execute and read and write | clean |