IOC Report


Files

File Path | Type | Category | Verdict
dNeoJAgJU5.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | malicious
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dNeoJAgJU5.exe.log | ASCII text, with CRLF line terminators | modified | malicious
C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious
C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe:Zone.Identifier | ASCII text, with CRLF line terminators | dropped | malicious

Processes

Path | Cmdline | Verdict
C:\Users\user\Desktop\dNeoJAgJU5.exe | 'C:\Users\user\Desktop\dNeoJAgJU5.exe' | malicious
C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | malicious
C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe | malicious
C:\Windows\explorer.exe | (no command line recorded) | malicious
C:\Windows\SysWOW64\msdt.exe | C:\Windows\SysWOW64\msdt.exe | malicious
C:\Windows\SysWOW64\cmd.exe | /c del 'C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe' | clean
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean

URLs

Name | IP | Verdict
www.bucksnortneola.com/gw2/ | (not given) | malicious
http://www.apache.org/licenses/LICENSE-2.0 | unknown | clean
http://www.fontbureau.com | unknown | clean
http://www.fontbureau.com/designersG | unknown | clean
http://www.fontbureau.com/designers/? | unknown | clean
http://www.founder.com.cn/cn/bThe | unknown | clean
http://ocsp.sectigo.com0 | unknown | clean
http://www.fontbureau.com/designers? | unknown | clean
http://www.tiro.com | unknown | clean
http://www.fontbureau.com/designers | unknown | clean
http://www.goodfont.co.kr | unknown | clean
https://sectigo.com/CPS0U | unknown | clean
http://www.carterandcone.coml | unknown | clean
http://www.sajatypeworks.com | unknown | clean
http://www.typography.netD | unknown | clean
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | unknown | clean
http://www.fontbureau.com/designers/cabarga.htmlN | unknown | clean
http://www.founder.com.cn/cn/cThe | unknown | clean
http://www.galapagosdesign.com/staff/dennis.htm | unknown | clean
http://fontfabrik.com | unknown | clean
http://www.founder.com.cn/cn | unknown | clean
http://www.fontbureau.com/designers/frere-user.html | unknown | clean
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | unknown | clean
http://www.jiyu-kobo.co.jp/ | unknown | clean
https://sectigo.com/CPS0D | unknown | clean
http://www.galapagosdesign.com/DPlease | unknown | clean
http://www.fontbureau.com/designers8 | unknown | clean
https://secure.comodo.com/CPS0L | unknown | clean
http://www.%s.comPA | unknown | clean
http://www.fonts.com | unknown | clean
http://www.sandoll.co.kr | unknown | clean
http://www.urwpp.deDPlease | unknown | clean
http://www.zhongyicts.com.cn | unknown | clean
http://www.sakkal.com | unknown | clean
http://us1.unwiredlabs.com/v2/process.php | unknown | clean
http://us1.unwiredlabs.com/v2/process.php?application/json; | unknown | clean

(26 further URLs are omitted from this excerpt.)

Only the first entry is flagged; the remaining rows are font-vendor, licence and certificate-authority URLs carried in embedded resources (font metadata, Authenticode and timestamping certificates). Trailing characters such as `0t`, `0U`, `0#` and `PA` are the bytes that happen to follow the string in the binary, not part of the URL, and should be stripped before any of these strings is used as an indicator.

Memdumps

Base Address (hex) | Region type | Protect | Verdict
36B5000 | unknown | page read and write | malicious
52000 | unknown image | page readonly | malicious
3546000 | unknown | page read and write | malicious
EA0000 | unknown | page execute and read and write | malicious
4E2000 | unknown image | page readonly | malicious
372000 | unknown image | page readonly | malicious
EF0000 | unknown | page execute and read and write | malicious
4E2000 | unknown image | page readonly | malicious
52000 | unknown image | page readonly | malicious
23F1000 | unknown | page read and write | malicious
4E2000 | unknown image | page readonly | malicious
400000 | unknown | page execute and read and write | malicious
4C80000 | unknown | page execute and read and write | malicious
361B000 | unknown | page read and write | malicious
4BF6000 | unknown | page read and write | malicious
400000 | unknown | page execute and read and write | malicious
556F000 | unknown | page read and write | malicious
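The Files, Processes and Memdumps tables above can be turned directly into triage checks. The following is an added example, not code from the sandbox vendor or from this report: the rows are transcribed from the tables on this page, the check names and the list of system binaries considered (only msdt.exe, because that is the one the report shows) are the editor's assumptions, and the heuristics are general detection logic rather than the sandbox's own scoring.

```python
"""Triage heuristics over the Files, Processes and Memdumps tables of the report.

Added example, not part of the sandbox report: the rows below are transcribed
from the tables on this page; the heuristics are the editor's own, not the
sandbox's scoring logic.
"""
import ntpath
import re

# Processes table as (image path, command line); explorer.exe had no cmdline.
PROCESSES = [
    (r"C:\Users\user\Desktop\dNeoJAgJU5.exe", r"'C:\Users\user\Desktop\dNeoJAgJU5.exe'"),
    (r"C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe", r"C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe"),
    (r"C:\Windows\explorer.exe", ""),
    (r"C:\Windows\SysWOW64\msdt.exe", r"C:\Windows\SysWOW64\msdt.exe"),
    (r"C:\Windows\SysWOW64\cmd.exe", r"/c del 'C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe'"),
    (r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]
# Files table as (path, category).
FILES = [
    ("dNeoJAgJU5.exe", "initial sample"),
    (r"C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dNeoJAgJU5.exe.log", "modified"),
    (r"C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe", "dropped"),
    (r"C:\Users\user\AppData\Local\Temp\dNeoJAgJU5.exe:Zone.Identifier", "dropped"),
]
# Subset of the Memdumps table as (base address, region type, protection).
MEMDUMPS = [
    (0x36B5000, "unknown", "page read and write"),
    (0x52000, "unknown image", "page readonly"),
    (0xEA0000, "unknown", "page execute and read and write"),
    (0xEF0000, "unknown", "page execute and read and write"),
    (0x400000, "unknown", "page execute and read and write"),
    (0x4C80000, "unknown", "page execute and read and write"),
    (0x400000, "unknown", "page execute and read and write"),
    (0x556F000, "unknown", "page read and write"),
]

# Matches "/c del <path>" with or without quotes around the path.
_DEL_RE = re.compile(r"/c\s+del\s+['\"]?(?P<target>[^'\"]+?)['\"]?\s*$", re.IGNORECASE)

def self_delete_targets(procs):
    """Paths removed with `cmd.exe /c del` that also ran as a process in the trace."""
    image_paths = {path.lower() for path, _ in procs}
    hits = []
    for path, cmdline in procs:
        if ntpath.basename(path).lower() != "cmd.exe":
            continue
        m = _DEL_RE.search(cmdline)
        if m and m.group("target").lower() in image_paths:
            hits.append(m.group("target"))
    return hits

def lolbins_without_args(procs, lolbins=("msdt.exe",)):
    """System binaries whose whole command line is the image path (no arguments)."""
    return [path for path, cmdline in procs
            if ntpath.basename(path).lower() in lolbins
            and cmdline.strip().strip("'\"").lower() == path.lower()]

def temp_copies_of_sample(files, sample_name):
    """Dropped copies of the initial sample under %LOCALAPPDATA%\\Temp."""
    return [path for path, category in files
            if category == "dropped"
            and ntpath.basename(path).lower() == sample_name.lower()
            and ntpath.dirname(path).lower().endswith(r"\appdata\local\temp")]

def motw_streams(files):
    """Zone.Identifier alternate data streams (Mark-of-the-Web) among the file events."""
    return [path for path, _ in files if path.lower().endswith(":zone.identifier")]

def unbacked_executable_regions(regions):
    """Bases of executable regions not backed by a mapped image (code placed at runtime)."""
    return sorted({base for base, rtype, protect in regions
                   if "execute" in protect.lower() and "image" not in rtype.lower()})

def triage(procs=PROCESSES, files=FILES, regions=MEMDUMPS):
    """Run every heuristic; only the ones that fired appear in the result."""
    sample = next(path for path, category in files if category == "initial sample")
    findings = {
        "self_delete": self_delete_targets(procs),
        "lolbin_no_args": lolbins_without_args(procs),
        "temp_copy": temp_copies_of_sample(files, sample),
        "motw_ads": motw_streams(files),
        "unbacked_exec": [hex(b) for b in unbacked_executable_regions(regions)],
    }
    return {name: hits for name, hits in findings.items() if hits}

if __name__ == "__main__":
    for name, hits in triage().items():
        print(f"[!] {name}: {hits}")
```

On this report every check fires. The `cmd.exe /c del` of the Temp copy is the sample cleaning up after itself; msdt.exe started with nothing but its own image path during a user-mode sample's execution is the kind of anomaly that usually means a system binary was chosen as a host for injected code; the Zone.Identifier stream shows the dropped copy still carries Mark-of-the-Web; and 0x400000, the classic default image base of a 32-bit PE, appearing as a region that is executable, writable and not backed by any mapped image is consistent with the original image having been overwritten in memory. None of these is proof on its own, which is why the function reports all hits together rather than a single verdict.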