IOC Report


Files

File Path | Type | Category | Malicious
Justificante de Pago 25112021.pdf _.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious
\Device\ConDrv | ASCII text, with CRLF line terminators | dropped | clean

The initial sample is a 32-bit PE whose name ("Justificante de Pago" is Spanish for "proof of payment") ends in ".pdf _.exe", a double-extension lure. \Device\ConDrv is the console driver pseudo-device, so the "dropped" ASCII text is console output the sandbox captured rather than a file written to disk.

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe | "C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe" | malicious
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | "C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe" | malicious
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean

CasPol.exe (the .NET Framework Code Access Security Policy tool) is running with the sample's own command line instead of its own path. That is the footprint of a loader spawning a legitimate, signed .NET utility and replacing its image in memory (process hollowing), which is why this CasPol.exe instance is rated malicious although the binary on disk is Microsoft's. conhost.exe is the console host that a console application such as CasPol.exe pulls in, and is benign on its own.
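The image/command-line mismatch in the Processes table is something a detection can key on. The following is an added example, not part of the sandbox report: it runs a hollowing heuristic over constructed Sysmon-style process-creation events copied from the three rows above. The watch list of commonly abused .NET utilities and the two scoring rules are assumptions of this example, not findings of the report.

```python
import ntpath

# Constructed Sysmon-style process-creation events modelled on the three rows
# of the Processes table above; they are not sandbox output.
EVENTS = [
    {"Image": r"C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe",
     "CommandLine": r'"C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe"'},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe",
     "CommandLine": r'"C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe"'},
    {"Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# .NET Framework utilities that commodity loaders habitually start suspended
# and overwrite. Assumption: a watch list, not something the report states.
COMMON_HOLLOWING_TARGETS = {
    "caspol.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe",
    "applaunch.exe", "vbc.exe", "csc.exe", "aspnet_compiler.exe",
}


def first_token(cmdline: str) -> str:
    """Return argv[0] of a Windows command line: the double-quoted span if the
    line starts with a quote, otherwise everything up to the first whitespace."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(None, 1)[0] if s else ""


def reasons(event: dict) -> list:
    """Heuristics that fire on the CasPol.exe row: the image on disk and the
    executable named in argv[0] disagree, and the image is a known target."""
    image = ntpath.basename(event["Image"]).lower()
    argv0 = ntpath.basename(first_token(event["CommandLine"])).lower()
    found = []
    if image != argv0:
        found.append("image/argv0 mismatch")
    if image in COMMON_HOLLOWING_TARGETS:
        found.append("known hollowing target")
    return found


def triage(events: list) -> list:
    """Return [(image basename, reasons)] for every event that trips a rule."""
    hits = []
    for e in events:
        r = reasons(e)
        if r:
            hits.append((ntpath.basename(e["Image"]), r))
    return hits


if __name__ == "__main__":
    for name, why in triage(EVENTS):
        print(f"{name}: {', '.join(why)}")
```

An argv[0] mismatch on its own has legitimate sources, since CreateProcess lets a parent pass any lpCommandLine independently of lpApplicationName; treat the two signals together, and add the parent process and the signer of the image before alerting on it.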

URLs

This list is drawn from strings found in memory as well as from traffic, and the IP column is empty for every entry; several entries carry bytes that followed the URL in memory (for example "%GETMozilla/5.0", "DynDns.comDynDNS" and the "comT" / "comt-~l" tails). Treat the Malicious column as the sandbox's reputation verdict on the host, not as a statement about what the sample does with it: http://smtp.rpxholding.com and http://mails.rpxholding.com are rated clean here while the Domains table rates the same hosts malicious, api.ipify.org returns the caller's public IP, and the OneDrive link carrying a full cid/resid/authkey is a download location embedded in the sample's memory.

Name | IP | Malicious
https://eruweq.bl.files.1drv.com/= | unknown | clean
https://onedrive.live.com/download?c | (not listed) | clean
http://x9bGZRuBZN1f4.com | unknown | clean
http://127.0.0.1:HTTP/1.1 | unknown | clean
http://smtp.rpxholding.com | unknown | clean
http://DynDns.comDynDNS | unknown | clean
https://eruweq.bl.files.1drv.com/y | unknown | clean
https://eruweq.bl.files.1drv.com/y4mTi8F-5UT5v8gCCgHyyTjEWDMrhmEHc1_AIKHcGNjnR2bGYZ0rh8uS1SgrfpYq_k9 | unknown | clean
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | unknown | clean
http://rOTpQz.com | unknown | clean
https://api.ipify.org%4 | unknown | clean
https://onedrive.live.com/download?cid=5A15FDA1AE98540B&resid=5A15FDA1AE98540B%21121&authkey=APJj8W7 | unknown | clean
https://support.google.com/chrome/?p=plugin_flash | unknown | clean
https://api.ipify.org%GETMozilla/5.0 | unknown | clean
https://eruweq.bl.files.1drv.com/y4mWNDnZaG2b1DpDDUBUp81suowzh6ionkEHYNmviteBVtV4mchwDB8E2o0H7JDLVEW | unknown | clean
http://x9bGZRuBZN1f4.comT | unknown | clean
https://eruweq.bl.files.1drv.com/ | unknown | clean
http://mails.rpxholding.com | unknown | clean
http://x9bGZRuBZN1f4.comt-~l | unknown | clean
https://onedrive.live.com/ | unknown | clean

The original report holds 10 further URLs that this extract does not reproduce.

Domains

Name | IP | Malicious
mails.rpxholding.com | 202.158.48.236 | malicious
smtp.rpxholding.com | unknown | malicious
onedrive.live.com | unknown | clean
eruweq.bl.files.1drv.com | unknown | clean

IPs

IP | Domain | Country | Malicious
202.158.48.236 | mails.rpxholding.com | Indonesia | malicious

The only indicators rated malicious are two mail hosts under rpxholding.com, one of which resolved during the run; together with the "smtp." and "mails." names this points at SMTP as the exfiltration channel. onedrive.live.com and eruweq.bl.files.1drv.com are shared Microsoft hosts and cannot be blocked wholesale; detect on the specific download URL or on the rpxholding.com hosts and the IP instead.
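As an added example that is not sandbox output, the following Python turns the URLs, Domains and IPs tables above into a host list with a confidence tier and runs that list over constructed DNS resolver log lines. The indicator values are copied from the tables; the carving regex, the tiering rules, the log format and the log lines themselves are assumptions of this example.

```python
import ipaddress
import re

# Constructed from the report's network tables: URL strings the sandbox carved
# from memory (trailing junk kept as it appears above) and the Domains table
# split by verdict. Not the sandbox's own output format.
CARVED_URLS = [
    "https://eruweq.bl.files.1drv.com/=",
    "http://x9bGZRuBZN1f4.com",
    "http://127.0.0.1:HTTP/1.1",
    "http://smtp.rpxholding.com",
    "http://DynDns.comDynDNS",
    "https://api.ipify.org%GETMozilla/5.0",
    "https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha",
    "http://mails.rpxholding.com",
    "http://x9bGZRuBZN1f4.comT",
    "https://onedrive.live.com/download?cid=5A15FDA1AE98540B&resid=5A15FDA1AE98540B%21121&authkey=APJj8W7",
]
RESOLVED_DOMAINS = {"mails.rpxholding.com", "smtp.rpxholding.com",
                    "onedrive.live.com", "eruweq.bl.files.1drv.com"}
MALICIOUS_DOMAINS = {"mails.rpxholding.com", "smtp.rpxholding.com"}

# Constructed DNS resolver log lines: timestamp, client, "query", qname, qtype.
LOG_LINES = [
    "2021-11-25T10:01:02Z 10.0.0.5 query mails.rpxholding.com A",
    "2021-11-25T10:01:03Z 10.0.0.5 query smtp.rpxholding.com. A",
    "2021-11-25T10:01:09Z 10.0.0.7 query www.google.com A",
    "2021-11-25T10:02:40Z 10.0.0.9 query api.ipify.org A",
    "2021-11-25T10:03:11Z 10.0.0.9 query eruweq.bl.files.1drv.com A",
]

HOST_RE = re.compile(r"^https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def carve_host(url: str):
    """Take the host from a memory-carved URL, stopping at the first byte that
    cannot belong to a hostname ('%', ':', '/' ...). None if it is not a URL."""
    m = HOST_RE.match(url)
    return m.group(1).strip(".") if m else None


def confidence(raw_host: str):
    """Heuristic (assumption): loopback/private IPs are sandbox noise (None);
    a last label that is not all lowercase letters is most likely unrelated
    bytes fused onto the string in memory, as with 'DynDns.comDynDNS' above."""
    try:
        ip = ipaddress.ip_address(raw_host)
    except ValueError:
        tld = raw_host.rsplit(".", 1)[-1]
        return "string-only" if tld.isalpha() and tld.islower() else "string-suspect"
    return None if ip.is_loopback or ip.is_private else "string-only"


def build_iocs() -> dict:
    """Map host -> confidence; what the sandbox actually observed (Domains
    table) wins over what it only found as a string in memory."""
    iocs = {}
    for url in CARVED_URLS:
        raw = carve_host(url)
        if raw is None:
            continue
        c = confidence(raw)
        if c:
            iocs[raw.lower()] = c
    for d in RESOLVED_DOMAINS:
        iocs[d] = "resolved"
    for d in MALICIOUS_DOMAINS:
        iocs[d] = "resolved+malicious"
    return iocs


def matches(qname: str, ioc: str) -> bool:
    """Exact or subdomain match, tolerant of a trailing dot and mixed case."""
    q = qname.rstrip(".").lower()
    return q == ioc or q.endswith("." + ioc)


def scan(lines: list, iocs: dict = None) -> list:
    """Return (client, qname, matched ioc, confidence) for each hit."""
    iocs = build_iocs() if iocs is None else iocs
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[2] != "query":
            continue
        client, qname = fields[1], fields[3]
        for ioc, conf in iocs.items():
            if matches(qname, ioc):
                hits.append((client, qname, ioc, conf))
                break
    return hits


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(hit)
```

The tiering is the point: a host the sandbox resolved is a stronger indicator than one it only saw as a string, and a string whose last label is not lowercase letters ("comDynDNS", "comT") is almost certainly fused bytes. onedrive.live.com and eruweq.bl.files.1drv.com still match at "resolved", so remove them from any block list before deployment and keep them for hunting only.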

Memdumps

Base Address | Region type | Protect | Malicious
1DC71000 | unknown | page read and write | malicious
B40000 | unknown | page execute and read and write | malicious
20230000 | unknown | page read and write | clean
F60000 | stack | page read and write | clean
F41000 | stack | page read and write | clean
1DC20000 | unknown | page read and write | clean
B31000 | unknown | page read and write | clean
1CA61000 | unknown | page read and write | clean
D7B000 | heap default | page read and write | clean
225824B0000 | unknown image | page readonly | clean
400000 | unknown image | page readonly | clean
F41000 | stack | page read and write | clean
1CA61000 | unknown | page read and write | clean
56A000 | unknown | page read and write | clean
1CA61000 | unknown | page read and write | clean
1CA61000 | unknown | page read and write | clean
56A000 | unknown | page read and write | clean
56A000 | unknown | page read and write | clean
1CA61000 | unknown | page read and write | clean
1CA61000 | unknown | page read and write | clean
F40000 | stack | page read and write | clean
F40000 | stack | page read and write | clean
F40000 | stack | page read and write | clean
F50000 | stack | page read and write | clean
F40000 | stack | page read and write | clean
1DC20000 | unknown | page read and write | clean
22582702000 | unknown | page read and write | clean
F40000 | stack | page read and write | clean
1CA61000 | unknown | page read and write | clean
1CA61000 | unknown | page read and write | clean
A50000 | unknown | page read and write | clean
FA0000 | stack | page read and write | clean
1CA61000 | unknown | page read and write | clean
F50000 | stack | page read and write | clean
1CA61000 | unknown | page read and write | clean
F40000 | stack | page read and write | clean
1CA61000 | unknown | page read and write | clean
1DC20000 | unknown | page read and write | clean
56A000 | unknown | page read and write | clean
1CA61000 | unknown | page read and write | clean
1D8AF000 | stack | page read and write | clean
A51000 | unknown | page read and write | clean

B40000 is the only region with execute permission that no image on disk backs (region type unknown, page execute and read and write), the signature of unpacked or injected code. 1DC71000 is read/write only, so its verdict rests on the dumped content rather than on page protection. Repeated base addresses (1CA61000, 56A000, F40000) are repeated dumps of the same address, not distinct allocations. The two addresses above 4 GB (225824B0000, 22582702000) come from a 64-bit process, which among the three processes listed can only be conhost.exe, since the sample is PE32 and the CasPol.exe under Framework\v4.0.30319 (not Framework64) is 32-bit.
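Of the two memdump rows rated malicious, B40000 is the one the table's own columns explain: execute+read+write on a region that no image backs. The following is an added example, not part of the report, that encodes that rule against the winnt.h protection and type constants, checks it on rows re-encoded from the table above (mapping the sandbox's "unknown" region type to MEM_PRIVATE and its protection wording to the PAGE_* values is an assumption), and, on Windows only, walks a live process with VirtualQueryEx to find regions of the same kind.

```python
import ctypes
import sys

# winnt.h constants (from the SDK headers, not from the report).
PAGE_READONLY, PAGE_READWRITE = 0x02, 0x04
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
MEM_COMMIT, MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x1000, 0x20000, 0x40000, 0x1000000

# Constructed input: the two flagged rows of the Memdumps table plus three
# benign ones, re-encoded with the flags above. "unknown" -> MEM_PRIVATE and
# the comments on the benign rows are assumptions.
REPORT_ROWS = [
    ("1DC71000", MEM_PRIVATE, PAGE_READWRITE),
    ("B40000", MEM_PRIVATE, PAGE_EXECUTE_READWRITE),
    ("F60000", MEM_PRIVATE, PAGE_READWRITE),   # listed as stack
    ("400000", MEM_IMAGE, PAGE_READONLY),      # listed as image; assumed PE header
    ("D7B000", MEM_PRIVATE, PAGE_READWRITE),   # listed as default heap
]


def suspicious(region_type: int, protect: int) -> bool:
    """Executable pages that no PE image on disk backs (private or mapped
    data) are what unpackers and hollowers produce; writable+executable is a
    red flag even inside an image mapping."""
    if protect & EXEC_MASK == 0:
        return False
    return region_type != MEM_IMAGE or protect == PAGE_EXECUTE_READWRITE


def triage_rows(rows: list) -> list:
    """Return (base, protect) for every row that suspicious() flags."""
    return [(base, hex(protect)) for base, rtype, protect in rows if suspicious(rtype, protect)]


class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    # Field layout from winnt.h; ctypes inserts the 4-byte pad before
    # RegionSize on x64 by itself, so the struct is 48 bytes there, 28 on x86.
    _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                ("AllocationProtect", ctypes.c_ulong), ("RegionSize", ctypes.c_size_t),
                ("State", ctypes.c_ulong), ("Protect", ctypes.c_ulong), ("Type", ctypes.c_ulong)]


def scan_process(pid: int) -> list:
    """Walk a live process with VirtualQueryEx and return the committed regions
    that suspicious() flags, as (base, size, protect, type). Windows only."""
    if sys.platform != "win32":
        raise RuntimeError("live scan needs Windows; suspicious()/triage_rows() work anywhere")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.argtypes = [ctypes.c_ulong, ctypes.c_int, ctypes.c_ulong]
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                   ctypes.POINTER(MEMORY_BASIC_INFORMATION), ctypes.c_size_t]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    PROCESS_QUERY_INFORMATION, PROCESS_VM_READ = 0x0400, 0x0010
    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, pid)
    if not handle:
        raise OSError(ctypes.get_last_error(), "OpenProcess failed")
    hits, address, mbi = [], 0, MEMORY_BASIC_INFORMATION()
    try:
        while k32.VirtualQueryEx(handle, ctypes.c_void_p(address), ctypes.byref(mbi), ctypes.sizeof(mbi)):
            base = mbi.BaseAddress or 0
            if mbi.State == MEM_COMMIT and suspicious(mbi.Type, mbi.Protect):
                hits.append((base, mbi.RegionSize, mbi.Protect, mbi.Type))
            address = base + mbi.RegionSize   # next region; the call returns 0 past user space
    finally:
        k32.CloseHandle(handle)
    return hits


if __name__ == "__main__":
    print(triage_rows(REPORT_ROWS))
    if len(sys.argv) > 1:
        for base, size, prot, rtype in scan_process(int(sys.argv[1])):
            print(f"{base:#x} size={size:#x} protect={prot:#x} type={rtype:#x}")
```

Given a PID on Windows the script lists the live regions that match; offline it reproduces the B40000 finding. 1DC71000 is read/write only and is invisible to a protection-based rule, so the sandbox's verdict there must rest on the dumped content, and a live check should pair this scan with a content test (an MZ/PE header or known strings in a private region).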