IOC Report
xcYJfxDKL0Sk.exe


Files

File Path | Type | Category | Malicious
xcYJfxDKL0Sk.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json | JSON data | dropped |
C:\Users\user\AppData\Local\Temp\frjghkytrkcmwefakksrc.vbs | data | dropped |

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\xcYJfxDKL0Sk.exe | C:\Users\user\Desktop\xcYJfxDKL0Sk.exe | malicious
C:\Windows\SysWOW64\wscript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\frjghkytrkcmwefakksrc.vbs" | malicious

URLs

Name | IP | Malicious
http://geoplugin.net/json.gp | 178.237.33.50 | malicious
0.tcp.sa.ngrok.io | | malicious
http://geoplugin.net/json.gp/C | unknown | malicious
http://geoplugin.net/json.gpb | unknown |
http://geoplugin.net/json.gp8 | unknown |
http://geoplugin.net/ | unknown |
http://geoplugin.net/json.gp5 | unknown |
http://geoplugin.net/X | unknown |
http://geoplugin.net/json.gpl | unknown |
http://geoplugin.net/json.gpSystem32 | unknown |

Domains

Name | IP | Malicious
0.tcp.sa.ngrok.io | 54.94.248.37 | malicious
geoplugin.net | 178.237.33.50 |

IPs

IP | Domain | Country | Malicious
54.94.248.37 | 0.tcp.sa.ngrok.io | United States | malicious
178.237.33.50 | geoplugin.net | Netherlands |

Registry

Path | Value | Malicious
HKEY_CURRENT_USER\SOFTWARE\Rmc-7QVKVR | exepath | malicious
HKEY_CURRENT_USER\SOFTWARE\Rmc-7QVKVR | licence | malicious
HKEY_CURRENT_USER\SOFTWARE\Rmc-7QVKVR | time | malicious
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | LangID |
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Windows\System32\WScript.exe.FriendlyAppName |
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Windows\System32\WScript.exe.ApplicationCompany |

Memdumps

Base Address | Region type | Protect | Malicious
459000 | unknown | page readonly | malicious
459000 | unknown | page readonly | malicious
2E7E000 | stack | page read and write |
2BA7000 | heap | page read and write |
68B000 | heap | page read and write |
27FB000 | stack | page read and write |
22EF000 | stack | page read and write |
282E000 | stack | page read and write |
92F000 | stack | page read and write |
2BAA000 | heap | page read and write |
4DE000 | stack | page read and write |
2BC9000 | heap | page read and write |
400000 | unknown | page readonly |
2A30000 | unclassified section | page readonly |
2BD1000 | heap | page read and write |
2BF1000 | heap | page read and write |
6B7000 | heap | page read and write |
2BD1000 | heap | page read and write |
2DFE000 | stack | page read and write |
673000 | heap | page read and write |
6A1000 | heap | page read and write |
2B50000 | heap | page read and write |
2BE1000 | heap | page read and write |
2BF2000 | heap | page read and write |
48F0000 | heap | page read and write |
2BED000 | heap | page read and write |
2BEB000 | heap | page read and write |
6E6000 | heap | page read and write |
2BC1000 | heap | page read and write |
2680000 | unclassified section | page readonly |
2BD2000 | heap | page read and write |
2BD2000 | heap | page read and write |
490000 | heap | page read and write |
31C0000 | heap | page read and write |
2BE5000 | heap | page read and write |
332E000 | stack | page read and write |
2BBA000 | heap | page read and write |
21E0000 | heap | page read and write |
35CC000 | stack | page read and write |
2CBE000 | stack | page read and write |
690000 | heap | page read and write |
68B000 | heap | page read and write |
2F8A000 | heap | page read and write |
2BE2000 | heap | page read and write |
671000 | heap | page read and write |
2BE0000 | heap | page read and write |
2BC7000 | heap | page read and write |
20000 | unclassified section | page readonly |
51E000 | stack | page read and write |
2B88000 | heap | page read and write |
2BD4000 | heap | page read and write |
67A000 | heap | page read and write |
2BBD000 | heap | page read and write |
63E000 | heap | page read and write |