IOC Report
itVg5XA6eK.exe
Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| itVg5XA6eK.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | malicious |
| C:\ProgramData\rejdit_free_fire.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\itVg5XA6eK.exe.log | ASCII text, with CRLF line terminators | dropped | malicious |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\869b16e2825dce24066aba38ee1a9add.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\rejdit_free_fire.exe.log | ASCII text, with CRLF line terminators | dropped | |
| \Device\ConDrv | ASCII text, with CRLF line terminators | dropped | |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\itVg5XA6eK.exe | C:\Users\user\Desktop\itVg5XA6eK.exe | malicious |
| C:\ProgramData\rejdit_free_fire.exe | "C:\ProgramData\rejdit_free_fire.exe" | malicious |
| C:\Windows\SysWOW64\netsh.exe | netsh firewall add allowedprogram "C:\ProgramData\rejdit_free_fire.exe" "rejdit_free_fire.exe" ENABLE | malicious |
| C:\ProgramData\rejdit_free_fire.exe | "C:\ProgramData\rejdit_free_fire.exe" .. | malicious |
| C:\ProgramData\rejdit_free_fire.exe | "C:\ProgramData\rejdit_free_fire.exe" .. | malicious |
| C:\ProgramData\rejdit_free_fire.exe | "C:\ProgramData\rejdit_free_fire.exe" .. | malicious |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |

URLs

| Name | IP | Malicious |
|---|---|---|
| h43vipforyou.ddns.net | | malicious |

Domains

| Name | IP | Malicious |
|---|---|---|
| h43vipforyou.ddns.net | 41.109.68.239 | malicious |

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 41.109.68.239 | h43vipforyou.ddns.net | Algeria | malicious |

Registry

| Path | Value | Malicious |
|---|---|---|
| HKEY_CURRENT_USER | di | malicious |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | 869b16e2825dce24066aba38ee1a9add | malicious |
| HKEY_CURRENT_USER\Environment | SEE_MASK_NOZONECHECKS | |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | 869b16e2825dce24066aba38ee1a9add | |
| HKEY_CURRENT_USER\Software\869b16e2825dce24066aba38ee1a9add | [kl] | |

Memdumps
