IOC Report

Files

| File Path | Type | Category | Malicious |
| --- | --- | --- | --- |
| 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious |
| C:\Users\user\AppData\Local\Temp\~DF7DBC0B9955D431E2.TMP | Composite Document File V2 Document, Cannot read section info | dropped | clean |
| C:\Users\user\AppData\Roaming\frpuodz4.bqm\Chrome\Default\Cookies | SQLite 3.x database, last written using SQLite version 3035005 | dropped | clean |
| C:\Users\user\AppData\Roaming\frpuodz4.bqm\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite | SQLite 3.x database, user version 12, last written using SQLite version 3036000 | modified | clean |
| \Device\ConDrv | ASCII text, with CRLF line terminators | dropped | clean |

Processes

| Path | Cmdline | Malicious |
| --- | --- | --- |
| C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | "C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe" | malicious |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | "C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe" | malicious |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | "C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe" | malicious |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean |

URLs

| Name | IP | Malicious |
| --- | --- | --- |
| https://doc-14-38-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/b7qfcdp6 | unknown | clean |
| http://127.0.0.1:HTTP/1.1 | unknown | clean |
| https://XCD4GuOxIDpaEsq6zLmj.orgt- | unknown | clean |
| https://doc-14-38-docs.googleusercontent.com/ | unknown | clean |
| http://DynDns.comDynDNS | unknown | clean |
| https://sectigo.com/CPS0 | unknown | clean |
| https://doc-14-38-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/b7qfcdp6et0sg0enesn34rrf8kvhhdrn/1639482750000/03916840094075221792/*/1sW9pADfhXH64ij3XW0uAfaPSES7O-x1G?e=download | 142.250.185.161 | clean |
| https://drive.google.com/X | unknown | clean |
| https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | unknown | clean |
| https://XCD4GuOxIDpaEsq6zLmj.org | unknown | clean |
| https://drive.google.com/ | unknown | clean |
| http://mail.fortunametals.es | unknown | clean |
| https://doc-14-38-docs.googleusercontent.com/K | unknown | clean |
| https://api.ipify.org%4 | unknown | clean |
| http://fortunametals.es | unknown | clean |
| https://support.google.com/chrome/?p=plugin_flash | unknown | clean |
| https://api.ipify.org%GETMozilla/5.0 | unknown | clean |
| https://doc-14-38-docs.googleusercontent.com/C | unknown | clean |
| https://csp.withgoogle.com/csp/report-to/gse_l9ocaq | unknown | clean |

Domains

| Name | IP | Malicious |
| --- | --- | --- |
| fortunametals.es | 94.23.221.28 | malicious |
| mail.fortunametals.es | unknown | malicious |
| drive.google.com | 142.250.185.238 | clean |
| googlehosted.l.googleusercontent.com | 142.250.185.161 | clean |
| doc-14-38-docs.googleusercontent.com | unknown | clean |

IPs

| IP | Domain | Country | Malicious |
| --- | --- | --- | --- |
| 94.23.221.28 | fortunametals.es | France | malicious |
| 142.250.185.161 | googlehosted.l.googleusercontent.com | United States | clean |
| 142.250.185.238 | drive.google.com | United States | clean |

Registry

| Path | Value | Malicious |
| --- | --- | --- |
| HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\subideal\Eyeliners | HARNISKKLDT | clean |

Memdumps

| Base Address | Region type | Protect | Malicious |
| --- | --- | --- | --- |
| A00000 | unknown | page execute and read and write | malicious |
| 1DB80000 | unknown | page read and write | malicious |
| 2D80000 | unknown | page execute and read and write | malicious |
| 1DB31000 | unknown | page read and write | malicious |
| 790000 | stack | page read and write | clean |
| E80000 | unknown | page read and write | clean |
| 7E0000 | unknown image | page readonly | clean |
| 1CA81000 | unknown | page read and write | clean |
| E41000 | stack | page read and write | clean |
| E40000 | stack | page read and write | clean |
| 1CA81000 | unknown | page read and write | clean |
| 7F330000 | unknown image | page readonly | clean |
| E40000 | stack | page read and write | clean |
| 1CA81000 | unknown | page read and write | clean |
| 1CA81000 | unknown | page read and write | clean |
| 1CA81000 | unknown | page read and write | clean |
| 770000 | stack | page read and write | clean |
| 1000000 | stack | page read and write | clean |
| E40000 | stack | page read and write | clean |
| E40000 | stack | page read and write | clean |
| 1CA81000 | unknown | page read and write | clean |
| E40000 | stack | page read and write | clean |
| 20C31B80000 | unknown image | page readonly | clean |
| 670000 | unknown image | page readonly | clean |
| 1CA81000 | unknown | page read and write | clean |
| 1FE10000 | unknown | page read and write | clean |
| 1CA81000 | unknown | page read and write | clean |
| E70000 | stack | page read and write | clean |
| 1DAF0000 | unknown | page read and write | clean |
| 1040000 | stack | page read and write | clean |
| 7D0000 | unknown image | page readonly | clean |
| E40000 | stack | page read and write | clean |
| E41000 | stack | page read and write | clean |