IOC Report


Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| 6zsU4O4WHq.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious |
| C:\Users\user\AppData\Local\Temp\52A0.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\6687.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\74E0.exe | PE32 executable (console) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\8E93.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\8F12.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\9991.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\A5E6.exe | MS-DOS executable | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\ADC7.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\B299.exe | PE32 executable (console) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\D08E.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\E09C.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | modified | malicious |
| C:\Users\user\AppData\Local\Temp\lsjsgslc.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Roaming\bahuseh | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Roaming\bahuseh:Zone.Identifier | ASCII text, with CRLF line terminators | dropped | malicious |
| C:\Windows\SysWOW64\kxbxjngj\lsjsgslc.exe (copy) | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\ProgramData\Microsoft\Network\Downloader\edb.log | MPEG-4 LOAS | dropped | clean |
| C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | Extensible storage engine DataBase, version 0x620, checksum 0xc201dff0, page size 16384, DirtyShutdown, Windows version 10.0 | dropped | clean |
| C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm | data | dropped | clean |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_8F12.exe_5954467a3757758c9226aeac57e4d1149b531db8_0e3d6fb5_1baf2701\Report.wer | Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | clean |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppHang_svchost.exe_5ebe40fcf0cd8542cf98bde16d68d7a8e1d4d4_5e857bb4_1afc6b13\Report.wer | Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | clean |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERB918.tmp.WERInternalMetadata.xml | XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | clean |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB3C.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | clean |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC55.tmp.csv | data | dropped | clean |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERC3E7.tmp.txt | data | dropped | clean |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERCE13.tmp.dmp | Mini DuMP crash report, 14 streams, Fri Jan 14 20:22:27 2022, 0x1205a4 type | dropped | clean |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB33.tmp.WERInternalMetadata.xml | XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | clean |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERE144.tmp.csv | data | dropped | clean |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERE278.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | clean |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERE905.tmp.txt | data | dropped | clean |
| C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\E09C.exe.log | ASCII text, with CRLF line terminators | dropped | clean |
| C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp | ASCII text, with no line terminators | dropped | clean |
| C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20220114_202138_670.etl | data | dropped | clean |
| \Device\ConDrv | ASCII text, with CRLF line terminators | dropped | clean |
(24 further files are omitted from this export.)

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\6zsU4O4WHq.exe | "C:\Users\user\Desktop\6zsU4O4WHq.exe" | malicious |
| C:\Users\user\Desktop\6zsU4O4WHq.exe | "C:\Users\user\Desktop\6zsU4O4WHq.exe" | malicious |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS | malicious |
| C:\Windows\explorer.exe | C:\Windows\Explorer.EXE | malicious |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p | malicious |
| C:\Windows\System32\svchost.exe | c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc | malicious |
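The two tables above arrive as a flattened export: four lines per file record and three per process record. The following Python is an added example, not part of the report or of the sandbox vendor's tooling. It parses that flattened layout into structured records and pulls out the observations an analyst would act on from this particular listing: malicious dropped executables, the Zone.Identifier alternate data stream on the Roaming drop, an executable written without a file extension, a drop under C:\Windows, and system binaries the sandbox marked malicious. The sample input is a subset of the rows on this page; the record widths, the ADS regex and the "looks executable" heuristic are this example's assumptions.

```python
import re
from dataclasses import dataclass

# Heuristics assumed by this example, not a vendor schema.
EXECUTABLE_TYPES = ("PE32 executable", "MS-DOS executable")
# Drive spec, then a second ':' inside the final path component -> NTFS ADS.
_ADS_RE = re.compile(r"^[A-Za-z]:\\.*:[^\\]+$")

# Constructed sample: a subset of the rows from the report above, in the
# flattened 4-line (files) and 3-line (processes) layout.
FILES_SAMPLE = r"""
6zsU4O4WHq.exe
PE32 executable (GUI) Intel 80386, for MS Windows
initial sample
malicious
C:\Users\user\AppData\Local\Temp\A5E6.exe
MS-DOS executable
dropped
malicious
C:\Users\user\AppData\Roaming\bahuseh
PE32 executable (GUI) Intel 80386, for MS Windows
dropped
malicious
C:\Users\user\AppData\Roaming\bahuseh:Zone.Identifier
ASCII text, with CRLF line terminators
dropped
malicious
C:\Windows\SysWOW64\kxbxjngj\lsjsgslc.exe (copy)
PE32 executable (GUI) Intel 80386, for MS Windows
dropped
malicious
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
Extensible storage engine DataBase, version 0x620, checksum 0xc201dff0, page size 16384, DirtyShutdown, Windows version 10.0
dropped
clean
"""

PROCS_SAMPLE = r"""
C:\Users\user\Desktop\6zsU4O4WHq.exe
"C:\Users\user\Desktop\6zsU4O4WHq.exe"
malicious
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
malicious
C:\Windows\explorer.exe
C:\Windows\Explorer.EXE
malicious
"""


@dataclass(frozen=True)
class FileRecord:
    path: str
    ftype: str
    category: str   # "initial sample" / "dropped" / "modified"
    verdict: str    # "malicious" / "clean"


@dataclass(frozen=True)
class ProcRecord:
    path: str
    cmdline: str
    verdict: str


def _chunk(text, width):
    """Split the flattened export into fixed-width records; blank lines are ignored."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % width:
        raise ValueError(f"export has {len(lines)} lines, not a multiple of {width}")
    return [lines[i:i + width] for i in range(0, len(lines), width)]


def parse_files(text):
    return [FileRecord(*rec) for rec in _chunk(text, 4)]


def parse_processes(text):
    return [ProcRecord(*rec) for rec in _chunk(text, 3)]


def is_executable(rec):
    return rec.ftype.startswith(EXECUTABLE_TYPES)


def is_ads(path):
    return bool(_ADS_RE.match(path))


def basename(path):
    """Last path component, with the sandbox's ' (copy)' suffix removed."""
    name = path.split("\\")[-1]
    return name[:-len(" (copy)")] if name.endswith(" (copy)") else name


def triage(files, procs):
    """Derive the observations an analyst would pull from the two tables."""
    mal_dropped = [f for f in files if f.category == "dropped" and f.verdict == "malicious"]
    return {
        "malicious_dropped_executables": [f.path for f in mal_dropped if is_executable(f)],
        "ads_entries": [f.path for f in files if is_ads(f.path)],
        "extensionless_executables": [f.path for f in files
                                      if is_executable(f) and "." not in basename(f.path)],
        "system_dir_drops": [f.path for f in mal_dropped
                             if f.path.lower().startswith("c:\\windows\\")],
        "flagged_system_processes": [p.cmdline for p in procs
                                     if p.verdict == "malicious"
                                     and p.path.lower().startswith("c:\\windows\\")],
    }


if __name__ == "__main__":
    result = triage(parse_files(FILES_SAMPLE), parse_processes(PROCS_SAMPLE))
    for key, items in result.items():
        print(f"{key} ({len(items)}):")
        for item in items:
            print("   ", item)
```

The four-hex-character names under Temp are unlikely to be stable across executions, so the durable hunt material is the path patterns the triage surfaces: an extensionless PE in AppData\Roaming carrying a Zone.Identifier stream, a randomly named directory under SysWOW64 receiving a copy of a Temp executable, and the BITS svchost and explorer.exe instances the sandbox flagged. Run the full export through `parse_files` and `parse_processes` rather than the sample to cover the 24 rows this page omits.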