IOCReport

Files

File Path | Type | Category | Malicious
E-Remittance Form_z.TXT.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious
C:\Users\user\AppData\Local\Temp\82139548\run.vbs | ASCII text, with CRLF line terminators | dropped | malicious
C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious
C:\Users\user\AppData\Local\Temp\82139548\bsaecqbjx.docx | ASCII text, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Local\Temp\82139548\essmbjocut.ico | ASCII text, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Local\Temp\82139548\hqlxwejnc.exe | ASCII text, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Local\Temp\82139548\kvfbftnru.mp3 | ASCII text, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Local\Temp\82139548\ledpu.cpl | ASCII text, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Local\Temp\82139548\mibt.ppt | ASCII text, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Local\Temp\82139548\ncplbfrqpr.txt | ASCII text, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Local\Temp\82139548\pojm.ini | ASCII text, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Local\Temp\82139548\pqbfmorxw.docx | ASCII text, with very long lines, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Local\Temp\82139548\pvvrt.ini | ASCII text, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Local\Temp\82139548\rnjidsxil.mp3 | ASCII text, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Local\Temp\82139548\rpgc.htg | data | dropped | clean
C:\Users\user\AppData\Local\Temp\82139548\rwvkj.jpg | ASCII text, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Local\Temp\82139548\sggjqlvp.ico | ASCII text, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Local\Temp\82139548\uummnexccu.ini | ASCII text, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Local\Temp\82139548\wdav.xml | ASCII text, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Local\Temp\82139548\wvjnbptk.exe | ASCII text, with CRLF line terminators | dropped | clean
C:\Users\user\temp\pqbfmorxw.docx | ASCII text, with CRLF line terminators | dropped | clean

(11 further file entries are not shown in this report.)

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | 'C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe' | malicious
C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg | malicious
C:\Windows\SysWOW64\wscript.exe | 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs' | malicious
C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg | malicious
C:\Windows\SysWOW64\wscript.exe | 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs' | malicious
C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg | malicious
C:\Windows\SysWOW64\wscript.exe | 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs' | malicious
C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg | malicious
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | malicious

URLs

Name | IP | Malicious
https://a.pomf.cat/ | unknown | malicious
http://pomf.cat/upload.php&https://a.pomf.cat/ | unknown | malicious
http://pomf.cat/upload.php | unknown | malicious
http://pomf.cat/upload.phpCContent-Disposition: | unknown | malicious
http://secure.globalsign.net/cacert/PrimObject.crt0 | unknown | clean
http://secure.globalsign.net/cacert/ObjectSign.crt09 | unknown | clean
http://www.globalsign.net/repository09 | unknown | clean
http://www.nirsoft.net/ | unknown | clean
http://www.autoitscript.com/autoit3/0 | unknown | clean
http://www.globalsign.net/repository/0 | unknown | clean
http://bot.whatismyipaddress.com/ | unknown | clean
http://www.globalsign.net/repository/03 | unknown | clean

(2 further URL entries are not shown in this report.)

Registry

Path | Value | Malicious
C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | LangID | clean
C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | C:\Windows\System32\WScript.exe.FriendlyAppName | clean
C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | C:\Windows\System32\WScript.exe.ApplicationCompany | clean
C:\Windows\SysWOW64\wscript.exe | SlowContextMenuEntries | clean

Memdumps

Base Address | Region type | Protect | Malicious
3234000 | unknown | page read and write | malicious
982000 | unknown | page execute and read and write | malicious
4A10000 | unknown | page read and write | malicious
7D50000 | unknown | page read and write | malicious
4A95000 | unknown | page read and write | malicious
4692000 | unknown | page read and write | clean
38E0000 | unknown | page read and write | clean
2C29CB63000 | unknown | page read and write | clean
33B9000 | heap default | page read and write | clean