IOC Report

Files

File Path | Type | Category | Malicious
STATEMENT Oct-Nov 25-11-2021.exe | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive | initial sample | malicious
C:\Users\user\AppData\Local\Temp\nsiE1DF.tmp\ncpszgn.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | modified | malicious
C:\Users\user\AppData\Local\Temp\a66g5g72a86y4s | data | dropped | clean

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe" | malicious
C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe" | malicious
C:\Windows\explorer.exe | C:\Windows\Explorer.EXE | malicious
C:\Windows\SysWOW64\help.exe | C:\Windows\SysWOW64\help.exe | malicious
C:\Windows\explorer.exe | "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS | malicious
C:\Windows\explorer.exe | "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS | malicious
C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe" | clean
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean

URLs

Name | IP | Malicious
www.davanamays.com/unzn/ |  | malicious
http://www.autoitscript.com/autoit3/J | unknown | clean
http://nsis.sf.net/NSIS_Error | unknown | clean
http://nsis.sf.net/NSIS_ErrorError | unknown | clean

Registry

Path | Value | Malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\StagingInfo\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963} | DriveNumber | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{ef47ea26-ec76-4a6e-8680-9e53b539546d} | Generation | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{4b110390-e32a-400c-bf41-7fe93773464a} | Generation | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b8455d9b-4916-480e-8b44-905b33ca001e} | Generation | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963} | Generation | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\1\Desktop | IconLayouts | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer | SlowContextMenuEntries | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000103B4 | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000103AC | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000001039C | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000010396 | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000001038E | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000001038C | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000010384 | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000001037A | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000001035C | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000010352 | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000010354 | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000010356 | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000010334 | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000010336 | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000001033E | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000010332 | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000001032A | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer | SlowContextMenuEntries | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer | SlowContextMenuEntries | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search | InstalledWin32AppsRevision | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount\$$windows.data.signals.registrations\Current | Data | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\1\Desktop | IconLayouts | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search | InstalledWin32AppsRevision | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.101 | CheckSetting | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{ef47ea26-ec76-4a6e-8680-9e53b539546d} | Generation | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{4b110390-e32a-400c-bf41-7fe93773464a} | Generation | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b8455d9b-4916-480e-8b44-905b33ca001e} | Generation | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963} | Generation | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\1\Desktop | IconLayouts | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000103B4 | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000103AC | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000001039C | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000010396 | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000001038E | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000001038C | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000010384 | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000001037A | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000001035C | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000010352 | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000010354 | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000010356 | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000010334 | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000010336 | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000001033E | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000010332 | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000001032A | VirtualDesktop | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount\$$windows.data.signals.registrations\Current | Data | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\1\Desktop | IconLayouts | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.100 | CheckSetting | clean
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.101 | CheckSetting | clean

Memdumps

Base Address | Region type | Protect | Malicious
400000 | unknown | page execute and read and write | malicious
400000 | unknown image | page execute and read and write | malicious
5C0000 | unknown image | page execute and read and write | malicious
5F0000 | unknown image | page execute and read and write | malicious
2F20000 | unknown image | page execute and read and write | malicious
EA41000 | unknown image | page execute and read and write | malicious
3220000 | unknown image | page execute and read and write | malicious
2940000 | unknown | page read and write | malicious
400000 | unknown | page execute and read and write | malicious
700000 | unknown | page read and write | malicious
EA41000 | unknown image | page execute and read and write | malicious
400000 | unknown | page execute and read and write | malicious
BBED000 | unknown | page read and write | clean
E08C000 | stack | page read and write | clean
5940000 | unknown | page read and write | clean