Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
Shipping documents PO 16103 INV.exe
|
PE32+ executable (GUI) x86-64, for MS Windows
|
initial sample
|
 |
|
|
C:\ProgramData\remcos\logs.dat
|
data
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\json[1].json
|
JSON data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\bhvC750.tmp
|
Extensible storage user DataBase, version 0x620, checksum 0x3b6fe592, page size 32768, DirtyShutdown, Windows version 10.0
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\vunykblr
|
Unicode text, UTF-16, little-endian text, with no line terminators
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe
|
"C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe"
|
|
|
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
|
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
|
|
|
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\vunykblr"
|
|
|
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\xosqltwlown"
|
|
|
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\xosqltwlown"
|
|
|
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\hqgjmdgmcefhebf"
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
|
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
178.23.190.118
|
|
||
|
http://geoplugin.net/json.gp$
|
unknown
|
||
|
https://www.office.com/
|
unknown
|
||
|
http://www.imvu.comr
|
unknown
|
||
|
https://aefd.nelreports.net/api/report?cat=bingth
|
unknown
|
||
|
https://aka.ms/nativeaot-c
|
unknown
|
||
|
https://login.li
|
unknown
|
||
|
https://aka.ms/nativeaot-compatibilityy
|
unknown
|
||
|
http://www.imvu.com
|
unknown
|
||
|
https://aefd.nelreports.net/api/report?cat=wsb
|
unknown
|
||
|
http://www.nirsoft.net
|
unknown
|
||
|
https://aefd.nelreports.net/api/report?cat=bingaotak
|
unknown
|
||
|
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
|
unknown
|
||
|
https://deff.nelreports.net/api/report?cat=msn
|
unknown
|
||
|
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
|
unknown
|
||
|
http://geoplugin.net/json.gp
|
178.237.33.50
|
||
|
https://www.google.com
|
unknown
|
||
|
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=EL
|
unknown
|
||
|
https://aefd.nelreports.net/api/report?cat=bingaot
|
unknown
|
||
|
http://geoplugin.net/json.gp/C
|
unknown
|
||
|
https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
|
unknown
|
||
|
https://aka.ms/nativeaot-compatibility
|
unknown
|
||
|
https://aka.ms/nativeaot-compatibilityY
|
unknown
|
||
|
https://aka.ms/nativeaot-compatibilityX
|
unknown
|
||
|
https://aefd.nelreports.net/api/report?cat=bingrms
|
unknown
|
||
|
https://www.google.com/accounts/servicelogin
|
unknown
|
||
|
https://aka.ms/GlobalizationInvariantMode
|
unknown
|
||
|
https://login.yahoo.com/config/login
|
unknown
|
||
|
http://www.nirsoft.net/
|
unknown
|
||
|
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5c&
|
unknown
|
||
|
http://www.ebuddy.com
|
unknown
|
There are 21 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
bg.microsoft.map.fastly.net
|
199.232.210.172
|
||
|
geoplugin.net
|
178.237.33.50
|
||
|
fp2e7a.wpc.phicdn.net
|
192.229.221.95
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
178.23.190.118
|
unknown
|
unknown
|
|
|
|
178.237.33.50
|
geoplugin.net
|
Netherlands
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\SOFTWARE\Rmc-SJ9MVF
|
exepath
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Rmc-SJ9MVF
|
licence
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Rmc-SJ9MVF
|
time
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
1077000
|
heap
|
page read and write
|
|
|
|
400000
|
remote allocation
|
page execute and read and write
|
|
|
|
21724562000
|
direct allocation
|
page read and write
|
|
|
|
10C2000
|
heap
|
page read and write
|
|
|
|
2DDE000
|
stack
|
page read and write
|
|
|
|
2F68000
|
heap
|
page read and write
|
||
|
7FF694AC7000
|
unkown
|
page read and write
|
||
|
2171EF65000
|
heap
|
page read and write
|
||
|
B64000
|
stack
|
page read and write
|
||
|
FBE000
|
stack
|
page read and write
|
||
|
7FF694860000
|
unkown
|
page readonly
|
||
|
2171F01E000
|
heap
|
page read and write
|
||
|
2F30000
|
heap
|
page read and write
|
||
|
86F33FF000
|
stack
|
page read and write
|
||
|
134E000
|
stack
|
page read and write
|
||
|
3EC0000
|
heap
|
page read and write
|
||
|
7FF694ACF000
|
unkown
|
page readonly
|
||
|
7FF694ACC000
|
unkown
|
page read and write
|
||
|
400000
|
system
|
page execute and read and write
|
||
|
13C0000
|
heap
|
page read and write
|
||
|
7FF69499B000
|
unkown
|
page read and write
|
||
|
C7C000
|
stack
|
page read and write
|
||
|
3FC0000
|
heap
|
page read and write
|
||
|
BE0000
|
heap
|
page read and write
|
||
|
10E0000
|
heap
|
page read and write
|
||
|
1038000
|
heap
|
page read and write
|
||
|
D88000
|
heap
|
page read and write
|
||
|
E2E000
|
stack
|
page read and write
|
||
|
F3A000
|
stack
|
page read and write
|
||
|
D70000
|
heap
|
page read and write
|
||
|
12E0000
|
heap
|
page read and write
|
||
|
86F2FD9000
|
stack
|
page read and write
|
||
|
86F34FE000
|
stack
|
page read and write
|
||
|
D7B000
|
stack
|
page read and write
|
||
|
2171EFC6000
|
heap
|
page read and write
|
||
|
478000
|
remote allocation
|
page execute and read and write
|
||
|
1070000
|
heap
|
page read and write
|
||
|
F3C000
|
stack
|
page read and write
|
||
|
21726600000
|
direct allocation
|
page read and write
|
||
|
45D000
|
system
|
page execute and read and write
|
||
|
21725C00000
|
direct allocation
|
page read and write
|
||
|
86F32FF000
|
stack
|
page read and write
|
||
|
2CD0000
|
heap
|
page read and write
|
||
|
2171EF60000
|
heap
|
page read and write
|
||
|
2171EFCC000
|
heap
|
page read and write
|
||
|
1000000
|
heap
|
page read and write
|
||
|
2171EE30000
|
heap
|
page read and write
|
||
|
FE0000
|
heap
|
page read and write
|
||
|
7FF694AC0000
|
unkown
|
page read and write
|
||
|
7FF694ACF000
|
unkown
|
page readonly
|
||
|
325F000
|
stack
|
page read and write
|
||
|
10D3000
|
heap
|
page read and write
|
||
|
2171EFC0000
|
heap
|
page read and write
|
||
|
10F5000
|
heap
|
page read and write
|
||
|
2171F021000
|
heap
|
page read and write
|
||
|
2573488F000
|
direct allocation
|
page read and write
|
||
|
1030000
|
heap
|
page read and write
|
||
|
A6C000
|
stack
|
page read and write
|
||
|
21720C00000
|
direct allocation
|
page read and write
|
||
|
400000
|
system
|
page execute and read and write
|
||
|
143F000
|
stack
|
page read and write
|
||
|
2F51000
|
heap
|
page read and write
|
||
|
10EB000
|
heap
|
page read and write
|
||
|
104E000
|
heap
|
page read and write
|
||
|
107F000
|
stack
|
page read and write
|
||
|
2171EF30000
|
heap
|
page read and write
|
||
|
21722C00000
|
direct allocation
|
page read and write
|
||
|
1420000
|
heap
|
page read and write
|
||
|
E3C000
|
stack
|
page read and write
|
||
|
B5F000
|
stack
|
page read and write
|
||
|
FDE000
|
stack
|
page read and write
|
||
|
7FF694AC0000
|
unkown
|
page write copy
|
||
|
D40000
|
heap
|
page read and write
|
||
|
D3E000
|
stack
|
page read and write
|
||
|
473000
|
system
|
page execute and read and write
|
||
|
86F35FE000
|
stack
|
page read and write
|
||
|
1240000
|
heap
|
page read and write
|
||
|
2C5C000
|
stack
|
page read and write
|
||
|
D80000
|
heap
|
page read and write
|
||
|
474000
|
remote allocation
|
page execute and read and write
|
||
|
45C000
|
system
|
page execute and read and write
|
||
|
2C1E000
|
stack
|
page read and write
|
||
|
2F4E000
|
heap
|
page read and write
|
||
|
10001000
|
direct allocation
|
page execute and read and write
|
||
|
2F3B000
|
heap
|
page read and write
|
||
|
130F000
|
stack
|
page read and write
|
||
|
7FF694860000
|
unkown
|
page readonly
|
||
|
459000
|
system
|
page execute and read and write
|
||
|
257B547E000
|
heap
|
page read and write
|
||
|
101D000
|
heap
|
page read and write
|
||
|
E3C000
|
stack
|
page read and write
|
||
|
3110000
|
heap
|
page read and write
|
||
|
7FF6949FB000
|
unkown
|
page readonly
|
||
|
F7D000
|
stack
|
page read and write
|
||
|
F6E000
|
stack
|
page read and write
|
||
|
1170000
|
heap
|
page read and write
|
||
|
DE0000
|
heap
|
page read and write
|
||
|
10B1000
|
heap
|
page read and write
|
||
|
2A18000
|
heap
|
page read and write
|
||
|
CFE000
|
stack
|
page read and write
|
||
|
2F3F000
|
heap
|
page read and write
|
||
|
2171EF80000
|
direct allocation
|
page read and write
|
||
|
456000
|
system
|
page execute and read and write
|
||
|
2EDF000
|
stack
|
page read and write
|
||
|
1250000
|
heap
|
page read and write
|
||
|
311F000
|
stack
|
page read and write
|
||
|
B46000
|
stack
|
page read and write
|
||
|
7FF694861000
|
unkown
|
page execute read
|
||
|
2171EF10000
|
heap
|
page read and write
|
||
|
1130000
|
heap
|
page read and write
|
||
|
BD0000
|
heap
|
page read and write
|
||
|
315E000
|
stack
|
page read and write
|
||
|
293E000
|
heap
|
page read and write
|
||
|
3D2F000
|
stack
|
page read and write
|
||
|
E30000
|
heap
|
page read and write
|
||
|
D9D000
|
heap
|
page read and write
|
||
|
10FA000
|
heap
|
page read and write
|
||
|
E50000
|
heap
|
page read and write
|
||
|
BE5000
|
heap
|
page read and write
|
||
|
21724200000
|
direct allocation
|
page read and write
|
||
|
10016000
|
direct allocation
|
page execute and read and write
|
||
|
1020000
|
heap
|
page read and write
|
||
|
41B000
|
system
|
page execute and read and write
|
||
|
B62000
|
stack
|
page read and write
|
||
|
FF0000
|
heap
|
page read and write
|
||
|
1040000
|
heap
|
page read and write
|
||
|
2FDF000
|
stack
|
page read and write
|
||
|
301D000
|
stack
|
page read and write
|
||
|
10000000
|
direct allocation
|
page read and write
|
||
|
2DCF000
|
stack
|
page read and write
|
||
|
2171EF70000
|
direct allocation
|
page read and write
|
||
|
2C9C000
|
stack
|
page read and write
|
||
|
B4B000
|
stack
|
page read and write
|
||
|
FC0000
|
heap
|
page read and write
|
||
|
21723800000
|
direct allocation
|
page read and write
|
||
|
117E000
|
heap
|
page read and write
|
||
|
1045000
|
heap
|
page read and write
|
||
|
257B5390000
|
heap
|
page read and write
|
||
|
415B000
|
heap
|
page read and write
|
||
|
F90000
|
heap
|
page read and write
|
||
|
7FF694861000
|
unkown
|
page execute read
|
||
|
2B8F000
|
stack
|
page read and write
|
||
|
7FF6949FB000
|
unkown
|
page readonly
|
||
|
11FF000
|
stack
|
page read and write
|
||
|
2920000
|
heap
|
page read and write
|
||
|
10DC000
|
heap
|
page read and write
|
||
|
21727000000
|
direct allocation
|
page read and write
|
||
|
257B5458000
|
heap
|
page read and write
|
||
|
10E6000
|
heap
|
page read and write
|
||
|
F70000
|
heap
|
page read and write
|
||
|
1008000
|
heap
|
page read and write
|
||
|
3C2E000
|
stack
|
page read and write
|
||
|
2E30000
|
heap
|
page read and write
|
||
|
400000
|
system
|
page execute and read and write
|
There are 144 hidden memdumps, click here to show them.