IOC Report

Files

File Path | Type | Category | Malicious
FACTURAS.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious
C:\Users\user\AppData\Local\Temp\M9XgMRXaN30mgEl56ja236 | data | dropped | clean
C:\Users\user\AppData\Local\Temp\~DF03314C855DEECA48.TMP | Composite Document File V2 Document, Cannot read section info | dropped | clean
\Device\ConDrv | ASCII text, with CRLF line terminators | dropped | clean

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\FACTURAS.exe | "C:\Users\user\Desktop\FACTURAS.exe" | malicious
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | "C:\Users\user\Desktop\FACTURAS.exe" | malicious
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean

URLs

Name | IP | Malicious
https://doc-0g-7s-docs.googleusercontent.com/ | unknown | clean
http://127.0.0.1:HTTP/1.1 | unknown | clean
https://NlNlzv83nsnyVe.org | unknown | clean
http://DynDns.comDynDNS | unknown | clean
https://doc-0g-7s-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/gp8euu0g | unknown | clean
https://sectigo.com/CPS0 | unknown | clean
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | unknown | clean
https://drive.google.com/ | unknown | clean
https://support.google.com/chrome/?p=plugin_flash | unknown | clean
http://furteksdokuma.com.tr | unknown | clean
http://mail.furteksdokuma.com.tr | unknown | clean
https://doc-0g-7s-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/gp8euu0gtvc992oi1h8j40de9a23dlvb/1639471800000/01707528263340534167/*/1e3nVGX3LlhNn9Zf6RwTjDw6FKTCAih9T?e=download | 142.250.186.33 | clean
http://kFWRbv.com | unknown | clean
https://NlNlzv83nsnyVe.orgt- | unknown | clean
https://csp.withgoogle.com/csp/report-to/gse_l9ocaq | unknown | clean

Only the googleusercontent download URL has a resolved IP in this table; the others are listed with no IP. Entries such as http://127.0.0.1:HTTP/1.1, http://DynDns.comDynDNS and https://NlNlzv83nsnyVe.orgt- have the shape of adjacent strings run together during extraction rather than URLs that were contacted. The two furteksdokuma.com.tr URL rows are marked clean here although the Domains and IPs tables below mark the same host malicious.

Domains

Name | IP | Malicious
furteksdokuma.com.tr | 116.202.203.61 | malicious
mail.furteksdokuma.com.tr | unknown | malicious
drive.google.com | 142.250.181.238 | clean
googlehosted.l.googleusercontent.com | 142.250.186.33 | clean
doc-0g-7s-docs.googleusercontent.com | unknown | clean

IPs

IP | Domain | Country | Malicious
116.202.203.61 | furteksdokuma.com.tr | Germany | malicious
142.250.181.238 | drive.google.com | United States | clean
142.250.186.33 | googlehosted.l.googleusercontent.com | United States | clean
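The following is an added example, not output of the sandbox and not code from the report, that turns the indicators above into two triage checks a responder would run: matching log lines against the domains and IP marked malicious in the Domains and IPs tables (a subdomain of a flagged domain counts as a hit, a look-alike such as notfurteksdokuma.com.tr does not), and flagging a process whose image differs from the executable named in its own command line, which is exactly what the Processes table records for CasPol.exe running with FACTURAS.exe's command line. The log format, the process record layout and the sample log lines are constructed for this example and are not taken from any real tool.

```python
"""Triage helpers built from the IOC report's indicators (added example).

1. scan_network_logs: hits for the report's malicious domains and IP.
2. image_cmdline_mismatches: processes whose image is not the executable
   their own command line names (the CasPol.exe / FACTURAS.exe pattern).
The log lines, log format and process records are constructed, not real.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the report's Domains and IPs tables.
MALICIOUS_DOMAINS = {"furteksdokuma.com.tr", "mail.furteksdokuma.com.tr"}
MALICIOUS_IPS = {"116.202.203.61"}

# Constructed log lines: "<timestamp> <source ip> <record kind> <key>=<value>".
LOGS = """\
2021-12-14T09:30:01Z 10.0.0.5 dns  query=furteksdokuma.com.tr
2021-12-14T09:30:02Z 10.0.0.5 http url=http://mail.furteksdokuma.com.tr/
2021-12-14T09:30:03Z 10.0.0.5 conn dst=116.202.203.61:80
2021-12-14T09:30:04Z 10.0.0.7 dns  query=drive.google.com
2021-12-14T09:30:05Z 10.0.0.7 dns  query=notfurteksdokuma.com.tr
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>\S+)\s+\w+=(?P<value>\S+)$")


def is_ip(text):
    """True for a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def extract_host(value):
    """Hostname or IP from a bare host, host:port, or a full URL."""
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    host = value.strip().lower()
    # A bare hostname or IPv4 may carry a port; IPv6 literals are left alone.
    if host.count(":") == 1:
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def domain_matches(host):
    """True if host equals, or is a subdomain of, a flagged domain.
    The dot before the suffix keeps notfurteksdokuma.com.tr from matching."""
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in MALICIOUS_DOMAINS)


def scan_network_logs(text):
    """One hit dict per log line that names a flagged domain or IP."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host = extract_host(m["value"])
        if is_ip(host):
            kind = "ip" if host in MALICIOUS_IPS else None
        else:
            kind = "domain" if domain_matches(host) else None
        if kind:
            hits.append({"ts": m["ts"], "src": m["src"], "indicator": host, "type": kind})
    return hits


# Process records modelled on the report's Processes table (constructed layout).
PROCESSES = [
    {"pid": 1, "path": r"C:\Users\user\Desktop\FACTURAS.exe",
     "cmdline": r'"C:\Users\user\Desktop\FACTURAS.exe"'},
    {"pid": 2, "path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe",
     "cmdline": r'"C:\Users\user\Desktop\FACTURAS.exe"'},
    {"pid": 3, "path": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]


def cmdline_image(cmdline):
    """First token of a Windows command line, surrounding quotes removed."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split(" ", 1)[0]


def basename_lower(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def image_cmdline_mismatches(procs):
    """(pid, image, claimed) for processes whose on-disk image is not the
    executable named by their own command line."""
    out = []
    for p in procs:
        image = basename_lower(p["path"])
        claimed = basename_lower(cmdline_image(p["cmdline"]))
        if image != claimed:
            out.append((p["pid"], image, claimed))
    return out


if __name__ == "__main__":
    for h in scan_network_logs(LOGS):
        print("network hit:", h)
    for pid, image, claimed in image_cmdline_mismatches(PROCESSES):
        print(f"pid {pid}: image {image} but command line names {claimed}")
```

The image/command-line mismatch is a lead rather than a verdict: some legitimate launchers also rewrite the command line of a child they start, so confirm it against memory, which for this sample the Memdumps table supports with a region marked malicious that is mapped execute, read and write.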

Registry

Path | Value | Malicious
HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Turcize6\Sacrocotyloidean8 | SLIDFAST | clean

Memdumps

Base Address | Region type | Protect | Malicious
1E3C1000 | unknown | page read and write | malicious
1300000 | unknown | page execute and read and write | malicious
1D371000 | unknown | page read and write | clean
21E9000 | heap private | page read and write | clean
206A0000 | unknown | page read and write | clean
1490000 | stack | page read and write | clean
206A7000 | unknown | page read and write | clean
7FF56D4E3000 | unknown image | page readonly | clean
7FC12000 | unknown image | page readonly | clean
1D371000 | unknown | page read and write | clean
1480000 | stack | page read and write | clean
1D371000 | unknown | page read and write | clean
20661000 | unknown | page read and write | clean
17C0000 | unknown image | page readonly | clean
206A0000 | unknown | page read and write | clean
1D371000 | unknown | page read and write | clean
1D371000 | unknown | page read and write | clean
1D371000 | unknown | page read and write | clean
206B6000 | unknown | page read and write | clean
7FC12000 | unknown image | page readonly | clean
1D371000 | unknown | page read and write | clean
20760000 | unknown | page read and write | clean
1D371000 | unknown | page read and write | clean
1D371000 | unknown | page read and write | clean
1D371000 | unknown | page read and write | clean
1A70000 | stack | page read and write | clean
1D371000 | unknown | page read and write | clean
1D371000 | unknown | page read and write | clean
195E000 | stack | page read and write | clean
12A0000 | stack | page read and write | clean
1210000 | unknown | page read and write | clean
1D371000 | unknown | page read and write | clean
6AE000 | stack | page read and write | clean
1E1D0000 | unknown image | page read and write | clean
1470000 | stack | page read and write | clean
1E4DE000 | unknown | page read and write | clean
1800000 | stack | page read and write | clean
1A70000 | stack | page read and write | clean
17E0000 | stack | page read and write | clean
17C0000 | stack | page read and write | clean