IOC Report
file.exe

Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| file.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious |
| C:\Users\user\AppData\LocalLow\freebl3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\LocalLow\mozglue.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\LocalLow\nss3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\LocalLow\softokn3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\LocalLow\sqlite3.dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\253.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\959.exe | PE32 executable (console) Intel 80386, for MS Windows | modified | malicious |
| C:\Users\user\AppData\Local\Temp\FED8.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Roaming\sfrvjvv | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Roaming\sfrvjvv:Zone.Identifier | ASCII text, with CRLF line terminators | dropped | malicious |
| C:\Users\user\AppData\LocalLow\22wTvv5mR62E | SQLite 3.x database, last written using SQLite version 3038005, file counter 10, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 10 | dropped | |
| C:\Users\user\AppData\LocalLow\GOpRcXXjoWmm | SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2 | dropped | |
| C:\Users\user\AppData\LocalLow\Zsrw9A4N7Zio | SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3 | dropped | |
| C:\Users\user\AppData\LocalLow\msvcp140.dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\LocalLow\rE5287BD83io | SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3 | dropped | |
| C:\Users\user\AppData\LocalLow\vcruntime140.dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\LocalLow\zpW7O7U8iJFQ | JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3 | dropped | |
| C:\Users\user\AppData\Local\Temp\144C.tmp | SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2 | dropped | |
| C:\Users\user\AppData\Local\Temp\5A6F.tmp | SQLite 3.x database, last written using SQLite version 3038005, file counter 10, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 10 | dropped | |
| C:\Users\user\AppData\Local\Temp\64FF.tmp | SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3 | modified | |
| C:\Users\user\AppData\Roaming\wjsucgc | data | dropped | |
| \Device\ConDrv | ASCII text, with no line terminators | dropped | |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\file.exe | C:\Users\user\Desktop\file.exe | malicious |
| C:\Windows\explorer.exe | C:\Windows\Explorer.EXE | malicious |
| C:\Users\user\AppData\Roaming\sfrvjvv | C:\Users\user\AppData\Roaming\sfrvjvv | malicious |
| C:\Users\user\AppData\Local\Temp\253.exe | C:\Users\user~1\AppData\Local\Temp\253.exe | malicious |
| C:\Users\user\AppData\Local\Temp\959.exe | C:\Users\user~1\AppData\Local\Temp\959.exe | malicious |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe | malicious |
| C:\Users\user\AppData\Local\Temp\253.exe | C:\Users\user~1\AppData\Local\Temp\253.exe | malicious |
| C:\Windows\explorer.exe | C:\Windows\explorer.exe | malicious |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | malicious |
| C:\Windows\System32\regsvr32.exe | regsvr32 /s C:\Users\user~1\AppData\Local\Temp\FED8.dll | |
| C:\Windows\SysWOW64\regsvr32.exe | /s C:\Users\user~1\AppData\Local\Temp\FED8.dll | |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |

URLs
