Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
RemComSvc.exe.exe
|
PE32 executable (console) Intel 80386, for MS Windows
|
initial sample
|
||
|
C:\servicereg.log
|
ASCII text, with CRLF line terminators
|
modified
|
 |
|
|
C:\servicestart.log
|
ASCII text, with CRLF line terminators
|
modified
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\SysWOW64\cmd.exe
|
cmd /c sc create BMnpO binpath= "C:\Users\user\Desktop\RemComSvc.exe.exe" >> C:\servicereg.log 2>&1
|
|
|
|
C:\Windows\SysWOW64\sc.exe
|
sc create BMnpO binpath= "C:\Users\user\Desktop\RemComSvc.exe.exe"
|
|
|
|
C:\Windows\SysWOW64\cmd.exe
|
cmd /c sc start BMnpO >> C:\servicestart.log 2>&1
|
|
|
|
C:\Windows\SysWOW64\sc.exe
|
sc start BMnpO
|
|
|
|
C:\Users\user\Desktop\RemComSvc.exe.exe
|
C:\Users\user\Desktop\RemComSvc.exe.exe
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
|
unknown
|
||
|
http://crl.thawte.com/ThawteTimestampingCA.crl0
|
unknown
|
||
|
http://ocsp.sectigo.com0
|
unknown
|
||
|
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
|
unknown
|
||
|
http://ocsp.thawte.com0
|
unknown
|
||
|
https://sectigo.com/CPS0C
|
unknown
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
132E000
|
stack
|
page read and write
|
||
|
3D9000
|
unkown
|
page write copy
|
||
|
2E3E000
|
stack
|
page read and write
|
||
|
1660000
|
heap
|
page read and write
|
||
|
2DD0000
|
heap
|
page read and write
|
||
|
3D2000
|
unkown
|
page readonly
|
||
|
18AE000
|
stack
|
page read and write
|
||
|
2D40000
|
heap
|
page read and write
|
||
|
1AEF000
|
stack
|
page read and write
|
||
|
2BC0000
|
heap
|
page read and write
|
||
|
2E7F000
|
stack
|
page read and write
|
||
|
3C1000
|
unkown
|
page execute read
|
||
|
3C0000
|
unkown
|
page readonly
|
||
|
32C0000
|
heap
|
page read and write
|
||
|
2DCF000
|
stack
|
page read and write
|
||
|
1370000
|
heap
|
page read and write
|
||
|
30FF000
|
stack
|
page read and write
|
||
|
2B90000
|
heap
|
page read and write
|
||
|
30BE000
|
stack
|
page read and write
|
||
|
3020000
|
heap
|
page read and write
|
||
|
2D10000
|
heap
|
page read and write
|
||
|
2DD8000
|
heap
|
page read and write
|
||
|
3D2000
|
unkown
|
page readonly
|
||
|
3DB000
|
unkown
|
page readonly
|
||
|
14F7000
|
heap
|
page read and write
|
||
|
2B80000
|
heap
|
page read and write
|
||
|
3D9000
|
unkown
|
page read and write
|
||
|
2EB7000
|
heap
|
page read and write
|
||
|
14F0000
|
heap
|
page read and write
|
||
|
2FDE000
|
stack
|
page read and write
|
||
|
3DB000
|
unkown
|
page readonly
|
||
|
FAD000
|
stack
|
page read and write
|
||
|
1210000
|
heap
|
page read and write
|
||
|
3140000
|
heap
|
page read and write
|
||
|
147F000
|
stack
|
page read and write
|
||
|
301F000
|
stack
|
page read and write
|
||
|
2EB0000
|
heap
|
page read and write
|
||
|
19AE000
|
stack
|
page read and write
|
||
|
EAD000
|
stack
|
page read and write
|
||
|
1330000
|
heap
|
page read and write
|
||
|
2B1E000
|
stack
|
page read and write
|
||
|
19EE000
|
stack
|
page read and write
|
||
|
2D8E000
|
stack
|
page read and write
|
||
|
3C1000
|
unkown
|
page execute read
|
||
|
2C8D000
|
stack
|
page read and write
|
||
|
2ADD000
|
stack
|
page read and write
|
||
|
3C0000
|
unkown
|
page readonly
|
||
|
2CCD000
|
stack
|
page read and write
|
There are 38 hidden memdumps, click here to show them.