IOCReport


Files

File Path | Type | Category | Malicious
4AtUJN8Hdu.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious
C:\Users\user\AppData\Roaming\win.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious
C:\Users\user\AppData\Roaming\win.exe:Zone.Identifier | ASCII text, with CRLF line terminators | dropped | malicious
C:\Users\user\AppData\Local\Temp\install.vbs | data | modified | clean

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\4AtUJN8Hdu.exe | 'C:\Users\user\Desktop\4AtUJN8Hdu.exe' | malicious
C:\Users\user\Desktop\4AtUJN8Hdu.exe | 'C:\Users\user\Desktop\4AtUJN8Hdu.exe' | malicious
C:\Users\user\AppData\Roaming\win.exe | C:\Users\user\AppData\Roaming\win.exe | malicious
C:\Users\user\AppData\Roaming\win.exe | 'C:\Users\user\AppData\Roaming\win.exe' | malicious
C:\Users\user\AppData\Roaming\win.exe | 'C:\Users\user\AppData\Roaming\win.exe' | malicious
C:\Windows\SysWOW64\wscript.exe | 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' | clean
C:\Windows\SysWOW64\cmd.exe | 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe' | clean
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean

URLs

Name | IP | Malicious
http://mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin | 103.150.60.242 | malicious

Domains

Name | IP | Malicious
mtspsmjeli.sch.id | 103.150.60.242 | malicious

IPs

IP | Domain | Country | Active | Malicious
103.150.60.242 | unknown | unknown | unknown | malicious

Registry

Path | Value | Malicious
C:\Users\user\Desktop\4AtUJN8Hdu.exe | win | clean
C:\Users\user\Desktop\4AtUJN8Hdu.exe | LangID | clean
C:\Users\user\Desktop\4AtUJN8Hdu.exe | C:\Windows\System32\WScript.exe.FriendlyAppName | clean
C:\Users\user\Desktop\4AtUJN8Hdu.exe | C:\Windows\System32\WScript.exe.ApplicationCompany | clean

Memdumps

Base Address | Region type | Protect | Malicious
2C216068000 | unknown | page read and write | clean
7AE000 | unknown | page read and write | clean
7FF530054000 | unknown | page readonly | clean
7FF564343000 | unknown | page readonly | clean
400000 | unknown image | page readonly | clean
29C0000 | heap private | page read and write | clean
7FF564032000 | unknown | page readonly | clean
1E5BC84A000 | unknown | page read and write | clean
7FF50566D000 | unknown | page readonly | clean
26D22300000 | unknown | page read and write | clean
1E5BD172000 | unknown | page read and write | clean
1E5BD14B000 | unknown | page read and write | clean
49D5000 | unknown | page read and write | clean
2C219310000 | unknown | page read and write | clean
207E0F90000 | unknown | page readonly | clean
1E5BD602000 | unknown | page read and write | clean
2C219110000 | unknown | page read and write | clean
BFD5CFF000 | unknown | page read and write | clean
3EA000 | unknown | page read and write | clean
7FF564990000 | unknown | page readonly | clean
1E5BD159000 | unknown | page read and write | clean
7FF56C625000 | unknown | page readonly | clean
4FCF000 | stack | page read and write | clean
7FF5105B3000 | unknown | page readonly | clean
1E5BC800000 | unknown | page read and write | clean
418000 | unknown image | page readonly | clean
2C218502000 | unknown | page read and write | clean
1A9B9F02000 | unknown | page read and write | clean
7FF58299B000 | unknown | page readonly | clean
7FF50535C000 | unknown | page readonly | clean
7FF53E97F000 | unknown | page readonly | clean
7FF5621DD000 | unknown | page readonly | clean
1E5BD14B000 | unknown | page read and write | clean
2320AD60000 | unknown | page readonly | clean
26149450000 | unknown | page readonly | clean
1E5BC7D0000 | unknown | page readonly | clean
2C21A110000 | unknown | page read and write | clean
7FF56497F000 | unknown | page readonly | clean
2C21812E000 | unknown | page read and write | clean
49C0000 | unknown | page read and write | clean
7FF5A0100000 | unknown | page readonly | clean
7FF5C9EC8000 | unknown | page readonly | clean
78E000 | heap default | page read and write | clean
1E5BD14B000 | unknown | page read and write | clean