IOC Report
file.exe

Files

File Path | Type | Category | Malicious
file.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious
C:\Users\user\AppData\Local\Temp\B87E.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious
C:\Users\user\AppData\Local\Temp\EBC4.exe | PE32 executable (GUI) Intel 80386, for MS Windows | modified | malicious
C:\Users\user\AppData\Local\Temp\Tdryuqayh.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious
C:\Users\user\AppData\Roaming\gfgsrbs | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious
C:\Users\user\AppData\Roaming\gfgsrbs:Zone.Identifier | ASCII text, with CRLF line terminators | dropped | malicious

Note: the last entry is not a separate file but the NTFS alternate data stream (mark-of-the-web) attached to gfgsrbs; when hunting on disk, look for the parent file and treat the stream as evidence of how it was written.

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\file.exe | C:\Users\user\Desktop\file.exe | malicious
C:\Windows\explorer.exe | C:\Windows\Explorer.EXE | malicious
C:\Users\user\AppData\Roaming\gfgsrbs | C:\Users\user\AppData\Roaming\gfgsrbs | malicious
C:\Users\user\AppData\Local\Temp\B87E.exe | C:\Users\user\AppData\Local\Temp\B87E.exe | malicious
C:\Users\user\AppData\Local\Temp\EBC4.exe | C:\Users\user\AppData\Local\Temp\EBC4.exe | malicious
C:\Users\user\AppData\Local\Temp\EBC4.exe | "C:\Users\user\AppData\Local\Temp\EBC4.exe" | malicious
C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Tdryuqayh.tmp",Worhdhqfpryr | not flagged

Note: explorer.exe is a legitimate Windows binary; its flag refers to what the sandbox observed in that process during this run, so the path itself is not an indicator. The rundll32 command line is: a 32-bit rundll32 loading a DLL dropped under %TEMP% by the export name Worhdhqfpryr, and both the DLL path and the export name are usable detection strings.

URLs

Name | IP | Malicious
http://piratia.su/tmp/ | no IP | malicious
http://cracker.biz/tmp/ | no IP | malicious
http://freeshmex.at/tmp/ | 190.140.74.43 | malicious
http://123.253.32.170/root2.exe | 123.253.32.170 | malicious
https://thepokeway.nl/upload/index.php | 5.135.247.111 | not flagged
http://piratia-life.ru/tmp/ | no IP | not flagged

Domains

Name | IP | Malicious
thepokeway.nl | 5.135.247.111 | malicious
freeshmex.at | 190.140.74.43 | malicious

IPs

IP | Domain | Country | Malicious
5.135.247.111 | thepokeway.nl | France | malicious
123.253.32.170 | unknown | Malaysia | malicious
190.140.74.43 | freeshmex.at | Panama | malicious
178.31.176.42 | unknown | Sweden | not flagged
109.102.255.230 | unknown | Romania | not flagged
211.40.39.251 | unknown | Korea Republic of | not flagged
211.171.233.129 | unknown | Korea Republic of | not flagged
192.168.2.1 | unknown | unknown | not flagged
95.107.163.44 | unknown | Albania | not flagged
211.53.230.67 | unknown | Korea Republic of | not flagged

Note: 192.168.2.1 is an RFC 1918 private address belonging to the analysis environment's own network, not an indicator; drop it before feeding this list to a blocklist or a hunt.

Memdumps

Base Address | Regiontype | Protect | Malicious
4631000 | system | page execute read | malicious
7B0000 | trusted library allocation | page read and write | malicious
413000 | unknown | page execute and read and write | malicious
2270000 | trusted library allocation | page read and write | malicious
2291000 | unclassified section | page read and write | malicious
413000 | unknown | page execute and read and write | malicious
22B1000 | unclassified section | page read and write | malicious
7FF5DB9A8000 | unknown | page readonly | not flagged
4324000 | unknown | page read and write | not flagged
7FF5DBD9C000 | unknown | page readonly | not flagged
7FF5DBEF1000 | unknown | page readonly | not flagged
452C000 | stack | page read and write | not flagged
24D0000 | heap | page read and write | not flagged
AB69000 | stack | page read and write | not flagged
2800000 | unknown | page readonly | not flagged
7FF5DC11F000 | unknown | page readonly | not flagged
D12D000 | unknown | page read and write | not flagged
2927000 | unknown | page read and write | not flagged
64B0000 | direct allocation | page read and write | not flagged
46E000 | unknown | page execute and read and write | not flagged
7830000 | unknown | page readonly | not flagged
4BC0000 | unknown | page readonly | not flagged
25D0000 | direct allocation | page execute and read and write | not flagged
705E000 | unknown | page readonly | not flagged
4D5000 | stack | page read and write | not flagged
568B000 | unknown | page read and write | not flagged
441B000 | stack | page read and write | not flagged
2D00000 | unknown | page readonly | not flagged
7FF5DC119000 | unknown | page readonly | not flagged
83B9000 | unknown | page read and write | not flagged
7FF524EA4000 | unknown | page readonly | not flagged
E985000 | unknown | page read and write | not flagged
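The raw export behind this report lists one field per line with no row delimiters, and some rows lack an IP or the "malicious" flag, so a naive "every N lines is a row" parser misaligns the tables. The following is an added example, not part of the report or of the sandbox vendor's tooling: it parses that layout into records using per-section rules inferred from the page (the predicates, helper names and section definitions are this example's own assumptions), then derives two hunt artifacts a practitioner would want from this page: the list of external IPs with the analysis network's private address removed, and the DLL path plus export name from the rundll32 command line. The sample input is a constructed excerpt of rows copied from this page.

```python
"""Parse a flattened sandbox IOC export (one field per line) into records and
derive hunt artifacts. Added example; parsing rules are inferred from the page."""
import ipaddress
import re

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
is_path = re.compile(r"^[A-Za-z]:\\").match
is_file = re.compile(r"^[A-Za-z]:\\|^[\w.-]+\.\w{1,4}$").match   # also bare "file.exe"
is_url = re.compile(r"^https?://", re.I).match
is_domain = re.compile(r"^[\w.-]+\.[a-z]{2,}$").match
is_hex = re.compile(r"^[0-9A-Fa-f]+$").match
is_ip = lambda s: bool(IP_RE.match(s))
is_mal = lambda s: s == "malicious"

# Per section: key column, predicate that opens a new row, then the remaining
# columns as (name, predicate or None for "anything", required). Optional
# predicates let rows with a missing IP or missing flag parse correctly.
MAL = ("malicious", is_mal, False)
ANY = lambda name: (name, None, True)
SECTIONS = {
    "Files": ("path", is_file, [ANY("type"),
              ("category", {"initial sample", "dropped", "modified"}.__contains__, True), MAL]),
    "Processes": ("path", is_path, [ANY("cmdline"), MAL]),
    "URLs": ("url", is_url, [("ip", is_ip, False), MAL]),
    "Domains": ("domain", is_domain, [("ip", is_ip, False), MAL]),
    "IPs": ("ip", is_ip, [ANY("domain"), ANY("country"), MAL]),
    "Memdumps": ("base", is_hex, [ANY("regiontype"), ANY("protect"), MAL]),
}
HEADER_LABELS = {"File Path", "Type", "Category", "Malicious", "Path", "Cmdline", "Name",
                 "IP", "Domain", "Country", "Base Address", "Regiontype", "Protect"}


def _fill(rec, fields, start, line):
    """Store line in the next column whose predicate accepts it; return the new
    column index, or None when no column can take it (the row is complete)."""
    for i in range(start, len(fields)):
        name, pred, required = fields[i]
        if pred is None or pred(line):
            rec[name] = line
            return i + 1
        if required:
            return None
    return None


def parse_ioc_export(text):
    report = {name: [] for name in SECTIONS}
    report["unparsed"] = []
    section, rec, idx = None, None, 0
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line in SECTIONS:                       # "Files", "Processes", ...
            section, rec, idx = line, None, 0
            continue
        if section is None or line in HEADER_LABELS:
            continue
        key_name, key_pred, fields = SECTIONS[section]
        if rec is not None:
            new_idx = _fill(rec, fields, idx, line)
            if new_idx is not None:
                idx = new_idx
                continue
        if key_pred(line):                         # current row is full: open a new one
            rec = {key_name: line, **{f[0]: None for f in fields}}
            report[section].append(rec)
            idx = 0
        else:
            report["unparsed"].append((section, line))
    for name in SECTIONS:                          # "malicious" column -> bool
        for r in report[name]:
            r["malicious"] = r["malicious"] == "malicious"
    return report


def external_ips(report):
    """Addresses worth blocking: RFC 1918 / loopback entries such as 192.168.2.1
    belong to the analysis network, not to the malware, so they are dropped."""
    return sorted(r["ip"] for r in report["IPs"] if ipaddress.ip_address(r["ip"]).is_global)


RUNDLL_RE = re.compile(r'rundll32\.exe"?\s+"?([^",]+)"?\s*,\s*(\S+)', re.I)


def rundll32_loads(report):
    """(dll path, export name) for each rundll32 launch; a DLL under %TEMP% run
    through a random-looking export is the row to turn into a detection rule."""
    hits = [RUNDLL_RE.search(p["cmdline"]) for p in report["Processes"]]
    return [(m.group(1), m.group(2)) for m in hits if m]


# Constructed input: a few rows copied from this page in the raw export layout.
SAMPLE = "\n".join([
    "IOC Report", "file.exe", "Files", "File Path", "Type", "Category", "Malicious",
    "file.exe", "PE32 executable (GUI) Intel 80386, for MS Windows", "initial sample", "malicious",
    r"C:\Users\user\AppData\Local\Temp\Tdryuqayh.tmp", "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows", "dropped", "malicious",
    "Processes", "Path", "Cmdline", "Malicious",
    r"C:\Users\user\Desktop\file.exe", r"C:\Users\user\Desktop\file.exe", "malicious",
    r"C:\Windows\SysWOW64\rundll32.exe", r'"C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Tdryuqayh.tmp",Worhdhqfpryr',
    "URLs", "Name", "IP", "Malicious", "http://piratia.su/tmp/", "malicious",
    "https://thepokeway.nl/upload/index.php", "5.135.247.111",
    "IPs", "IP", "Domain", "Country", "Malicious", "5.135.247.111", "thepokeway.nl", "France", "malicious",
    "192.168.2.1", "unknown", "unknown",
])
```

Running `parse_ioc_export(SAMPLE)` yields two Files rows, two Processes rows (the rundll32 launch with `malicious` False), a URL with no IP next to one with an IP but no flag, and two IPs of which `external_ips` keeps only 5.135.247.111; anything the rules cannot place lands in `report["unparsed"]` rather than silently shifting the next row, which is the check to look at before trusting the output on a new export.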