IOC Report
af5Cop6pCN.exe

Files

File Path | Type | Category | Malicious
af5Cop6pCN.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | malicious
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\af5Cop6pCN.exe.log | ASCII text, with CRLF line terminators | dropped | malicious
C:\Users\user\AppData\Roaming\svchost.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | Microsoft Cabinet archive data, 61745 bytes, 1 file | dropped |
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | data | modified |
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log | ASCII text, with CRLF line terminators | dropped |
C:\Users\user\AppData\Local\Temp\tmp5ECD.tmp.bat | DOS batch file, ASCII text, with CRLF line terminators | dropped |
\Device\Null | ASCII text, with CRLF line terminators, with overstriking | dropped |

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\af5Cop6pCN.exe | "C:\Users\user\Desktop\af5Cop6pCN.exe" | malicious
C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit | malicious
C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp5ECD.tmp.bat"" | malicious
C:\Windows\System32\schtasks.exe | schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' | malicious
C:\Users\user\AppData\Roaming\svchost.exe | C:\Users\user\AppData\Roaming\svchost.exe | malicious
C:\Users\user\AppData\Roaming\svchost.exe | "C:\Users\user\AppData\Roaming\svchost.exe" | malicious
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
C:\Windows\System32\timeout.exe | timeout 3 |

URLs

Name | IP | Malicious
https://pastebin.com/raw/pffCggZp | 104.20.67.143 |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | unknown |
http://pastebin.com | unknown |
https://pastebin.com | unknown |
https://pastebin.com8 | unknown |

Domains

Name | IP | Malicious
termsiya.duckdns.org | 3.72.110.63 | malicious
pastebin.com | 104.20.67.143 |
windowsupdatebg.s.llnwi.net | 95.140.230.192 |

IPs

IP | Domain | Country | Malicious
3.72.110.63 | termsiya.duckdns.org | United States | malicious
104.20.67.143 | pastebin.com | United States |

Registry

Path | Value | Malicious
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum 64-bit | Version |

Memdumps
