IOCReport

Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| ORDER TSA-A090621B.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | malicious |
| C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier | ASCII text, with CRLF line terminators | dropped | malicious |
| C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORDER TSA-A090621B.exe.log | ASCII text, with CRLF line terminators | dropped | malicious |
| C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat | data | dropped | malicious |
| C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log | ASCII text, with CRLF line terminators | dropped | clean |
| C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat | data | dropped | clean |
| C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin | data | modified | clean |
| C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat | data | dropped | clean |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\ORDER TSA-A090621B.exe | 'C:\Users\user\Desktop\ORDER TSA-A090621B.exe' | malicious |
| C:\Users\user\Desktop\ORDER TSA-A090621B.exe | C:\Users\user\Desktop\ORDER TSA-A090621B.exe | malicious |
| C:\Users\user\Desktop\ORDER TSA-A090621B.exe | C:\Users\user\Desktop\ORDER TSA-A090621B.exe | malicious |
| C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' | malicious |
| C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | malicious |

URLs

| Name | IP | Malicious |
|---|---|---|
| dedicatedlambo9.ddns.net | | malicious |
| 185.140.53.253 | | malicious |
| http://www.fontbureau.com | unknown | clean |
| http://www.galapagosdesign.com/ | unknown | clean |
| http://www.fontbureau.comdr | unknown | clean |
| http://www.jiyu-kobo.co.jp/V | unknown | clean |
| http://www.tiro.comn | unknown | clean |
| http://www.founder.com.cn/cnU | unknown | clean |
| http://www.fontbureau.comueTF | unknown | clean |
| http://www.jiyu-kobo.co.jp/jp/M | unknown | clean |
| http://www.founder.com.cn/cnA | unknown | clean |
| http://www.sakkal.comx. | unknown | clean |
| http://www.tiro.com | unknown | clean |
| http://www.sajatypeworks.comD | unknown | clean |
| http://www.jiyu-kobo.co.jp/71 | unknown | clean |
| http://google.com | unknown | clean |
| http://www.jiyu-kobo.co.jp/jp/ | unknown | clean |
| http://www.fontbureau.coma | unknown | clean |
| http://www.jiyu-kobo.co.jp/vau | unknown | clean |
| http://www.sajatypeworks.com | unknown | clean |
| http://www.founder.com.cn/cn/ | unknown | clean |
| http://www.founder.com.cn/cn | unknown | clean |
| http://www.jiyu-kobo.co.jp/arge | unknown | clean |
| http://www.fontbureau.com/designers/frere-jones.htmla-d | unknown | clean |
| http://www.jiyu-kobo.co.jp/Y0d | unknown | clean |
| http://www.jiyu-kobo.co.jp/r | unknown | clean |
| http://www.fontbureau.comcomF | unknown | clean |
| http://www.fontbureau.comonyd | unknown | clean |
| http://www.jiyu-kobo.co.jp/ | unknown | clean |
| http://www.jiyu-kobo.co.jp/jp/71 | unknown | clean |
| http://www.ascendercorp.com/typedesigners.html | unknown | clean |
| http://www.fontbureau.comals | unknown | clean |
| http://www.sakkal.comd | unknown | clean |
| http://www.urwpp.delar | unknown | clean |
| http://www.sajatypeworks.comc | unknown | clean |
| http://www.urwpp.de | unknown | clean |
| http://www.founder.com.cn/cn/s | unknown | clean |
| http://www.jiyu-kobo.co.jp/ns. | unknown | clean |
| http://www.jiyu-kobo.co.jp/vnoi | unknown | clean |
| http://www.fontbureau.com/designers/c | unknown | clean |
| http://www.jiyu-kobo.co.jp/_ | unknown | clean |
| http://www.founder.com.cn/cn# | unknown | clean |
| http://www.founder.com.cn/cnd | unknown | clean |

Domains

| Name | IP | Malicious |
|---|---|---|
| dedicatedlambo9.ddns.net | 84.38.133.182 | malicious |

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 84.38.133.182 | dedicatedlambo9.ddns.net | Latvia | malicious |
| 185.140.53.253 | unknown | Sweden | malicious |
| 192.168.2.1 | unknown | unknown | clean |

Registry

| Path | Value | Malicious |
|---|---|---|
| C:\Users\user\Desktop\ORDER TSA-A090621B.exe | DHCP Monitor | clean |

Memdumps

| Base Address | Region type | Protect | Malicious |
|---|---|---|---|
| 39E9000 | unknown | page read and write | malicious |
| 402000 | unknown | page execute and read and write | malicious |