IOC Report


Files

File Path | Type | Category | Malicious
--- | --- | --- | ---
G47wmLn8uy.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious
C:\Users\user\AppData\Local\Temp\~DF81F8B836C10D3FC0.TMP | Composite Document File V2 Document, Cannot read section info | dropped | clean
\Device\ConDrv | ASCII text, with CRLF line terminators | dropped | clean

Processes

Path | Cmdline | Malicious
--- | --- | ---
C:\Users\user\Desktop\G47wmLn8uy.exe | "C:\Users\user\Desktop\G47wmLn8uy.exe" | malicious
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | "C:\Users\user\Desktop\G47wmLn8uy.exe" | malicious
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | "C:\Users\user\Desktop\G47wmLn8uy.exe" | malicious
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | "C:\Users\user\Desktop\G47wmLn8uy.exe" | malicious
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean

URLs

Name | IP | Malicious
--- | --- | ---
http://127.0.0.1:HTTP/1.1 | unknown | clean
http://DynDns.comDynDNS | unknown | clean
http://repository.certum.pl/ctnca.cer09 | unknown | clean
https://doc-08-0o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/g955ofpf | unknown | clean
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | unknown | clean
http://crl.certum.pl/ctnca.crl0k | unknown | clean
https://doc-08-0o-docs.googleusercontent.com/ | unknown | clean
http://yandex.crl.certum.pl/ycasha2.crl0q | unknown | clean
https://api.ipify.org%4 | unknown | clean
https://doc-08-0o-docs.googleusercontent.com/%%doc-08-0o-docs.googleusercontent.com | unknown | clean
http://oQCcllY8wcJ5yZF5.orgt- | unknown | clean
https://support.google.com/chrome/?p=plugin_flash | unknown | clean
https://www.certum.pl/CPS0 | unknown | clean
http://oQCcllY8wcJ5yZF5.org | unknown | clean
http://smtp.yandex.com | unknown | clean
http://yandex.ocsp-responder.com03 | unknown | clean
http://subca.ocsp-certum.com0. | unknown | clean
https://doc-08-0o-docs.googleusercontent.com/P~K | unknown | clean
http://repository.certum.pl/ca.cer09 | unknown | clean
http://uYFyNj.com | unknown | clean
http://crls.yandex.net/certum/ycasha2.crl0- | unknown | clean
https://drive.google.com/ | unknown | clean
http://subca.ocsp-certum.com01 | unknown | clean
https://api.ipify.org%GETMozilla/5.0 | unknown | clean
https://doc-08-0o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/g955ofpf5ri5rpdjdcedlr3l5sifs0gg/1639494750000/08820895400503972853/*/1rvzmbX5uh5tlf4YLxhmc756C1SkQ0vOB?e=download | 142.250.185.65 | clean
http://crl.certum.pl/ca.crl0h | unknown | clean
http://www.certum.pl/CPS0 | unknown | clean
https://doc-08-0o-docs.googleusercontent.com/BQG | unknown | clean
http://repository.certum.pl/ycasha2.cer0 | unknown | clean
https://csp.withgoogle.com/csp/report-to/gse_l9ocaq | unknown | clean

Domains

Name | IP | Malicious
--- | --- | ---
smtp.yandex.ru | 77.88.21.158 | clean
drive.google.com | 142.250.181.238 | clean
googlehosted.l.googleusercontent.com | 142.250.185.65 | clean
doc-08-0o-docs.googleusercontent.com | unknown | clean
smtp.yandex.com | unknown | clean

IPs

IP | Domain | Country | Malicious
--- | --- | --- | ---
142.250.181.238 | drive.google.com | United States | clean
77.88.21.158 | smtp.yandex.ru | Russian Federation | clean
142.250.185.65 | googlehosted.l.googleusercontent.com | United States | clean

Registry

Path | Value | Malicious
--- | --- | ---
HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\subideal\Eyeliners | HARNISKKLDT | clean

Memdumps

Base Address | Region type | Protect | Malicious
--- | --- | --- | ---
1DE51000 | unknown | page read and write | malicious
D30000 | unknown | page execute and read and write | malicious
2AB0000 | unknown | page execute and read and write | malicious
FE0000 | stack | page read and write | clean
7FF528F37000 | unknown image | page readonly | clean
1DE30000 | unknown | page read and write | clean
7FF5B7FE9000 | unknown image | page readonly | clean
1DE30000 | unknown | page read and write | clean
2802528A000 | unknown | page read and write | clean
179E7540000 | unknown | page read and write | clean
179E6CA5000 | unknown | page read and write | clean
1CDB1000 | unknown | page read and write | clean
20A19119000 | unknown | page read and write | clean
179E6CC8000 | unknown | page read and write | clean
20A19819000 | unknown | page read and write | clean
20A198ED000 | unknown | page read and write | clean
FD5000 | stack | page read and write | clean
1E1E0EA4000 | unknown | page read and write | clean
590000 | unknown image | page readonly | clean
7FB40000 | unknown image | page readonly | clean
1AB024CD000 | unknown | page read and write | clean
7DF588BA0000 | unknown image | page readonly | clean
1CDB1000 | unknown | page read and write | clean
2252D802000 | unknown | page read and write | clean
2252D02A000 | unknown | page read and write | clean