IOC Report

Files

| File Path | Type | Category | Malicious |
| --- | --- | --- | --- |
| 16c6a61f609b7ef5cd13fc587805018efad3be4254591.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious |
| C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\72E0.exe.log | ASCII text, with CRLF line terminators | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\2923.exe | PE32 executable (GUI) Intel 80386, for MS Windows | modified | malicious |
| C:\Users\user\AppData\Local\Temp\495E.exe | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\72E0.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Roaming\hrsafib | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Roaming\hrsafib:Zone.Identifier | ASCII text, with CRLF line terminators | dropped | malicious |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_60bf1a1728929f938e749327f53c25cfc2e1c9_85207d7d_0c54a73a\Report.wer | Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | clean |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER427.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | clean |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERFEA8.tmp.WERInternalMetadata.xml | XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Temp\WEREE3C.tmp.WERDataCollectionStatus.txt | Little-endian UTF-16 Unicode text, with CRLF, CR line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Temp\Wamozart6.dat | DOS executable (COM) | dropped | clean |
| C:\Users\user\AppData\Local\Temp\a.txt | ASCII text, with no line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Temp\nsz84C.tmp\System.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | clean |

Processes

| Path | Cmdline | Malicious |
| --- | --- | --- |
| C:\Users\user\Desktop\16c6a61f609b7ef5cd13fc587805018efad3be4254591.exe | "C:\Users\user\Desktop\16c6a61f609b7ef5cd13fc587805018efad3be4254591.exe" | malicious |
| C:\Windows\explorer.exe | C:\Windows\Explorer.EXE | malicious |
| C:\Users\user\AppData\Roaming\hrsafib | C:\Users\user\AppData\Roaming\hrsafib | malicious |
| C:\Users\user\AppData\Local\Temp\72E0.exe | C:\Users\user\AppData\Local\Temp\72E0.exe | malicious |
| C:\Users\user\AppData\Local\Temp\72E0.exe | C:\Users\user\AppData\Local\Temp\72E0.exe | malicious |
| C:\Users\user\AppData\Local\Temp\72E0.exe | C:\Users\user\AppData\Local\Temp\72E0.exe | malicious |
| C:\Users\user\AppData\Local\Temp\2923.exe | C:\Users\user\AppData\Local\Temp\2923.exe | malicious |
| C:\Users\user\AppData\Local\Temp\495E.exe | C:\Users\user\AppData\Local\Temp\495E.exe | malicious |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 8 | clean |

URLs

| Name | IP | Malicious |
| --- | --- | --- |
| http://45.9.20.240:7769/Igno.exe | 45.9.20.240 | malicious |
| http://e-lanpengeonline.com/upload/ | | malicious |
| http://185.112.83.8/InjectHollowing.bin | | malicious |
| http://185.112.83.8/install3.exe | 185.112.83.8 | malicious |
| http://galala.ru/upload/ | | malicious |
| http://witra.ru/upload/ | | malicious |
| http://rcacademy.at/upload/ | 91.139.196.113 | malicious |
| http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | unknown | clean |
| http://schemas.xmlsoap.org/ws/2005/02/sc/sct | unknown | clean |
| https://duckduckgo.com/chrome_newtab | unknown | clean |
| http://service.r | unknown | clean |
| http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | unknown | clean |
| https://duckduckgo.com/ac/?q= | unknown | clean |
| http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | unknown | clean |
| http://tempuri.org/Entity/Id12Response | unknown | clean |
| http://tempuri.org/ | unknown | clean |
| http://tempuri.org/Entity/Id2Response | unknown | clean |
| http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | unknown | clean |
| http://tempuri.org/Entity/Id21Response | unknown | clean |
| http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | unknown | clean |
| http://tempuri.org/Entity/Id9 | unknown | clean |
| http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | unknown | clean |
| http://tempuri.org/Entity/Id8 | unknown | clean |
| http://tempuri.org/Entity/Id5 | unknown | clean |
| http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | unknown | clean |
| http://tempuri.org/Entity/Id4 | unknown | clean |
| http://tempuri.org/Entity/Id7 | unknown | clean |
| http://tempuri.org/Entity/Id6 | unknown | clean |
| http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | unknown | clean |
| https://support.google.com/chrome/?p=plugin_real | unknown | clean |
| http://tempuri.org/Entity/Id19Response | unknown | clean |
| http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | unknown | clean |
| http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | unknown | clean |
| http://www.interoperabilitybridges.com/wmp-extension-for-chrome | unknown | clean |