IOC Report

loading gif

Files

File Path
Type
Category
Malicious
G47wmLn8uy.exe
PE32 executable (GUI) Intel 80386, for MS Windows
initial sample
 malicious
C:\Users\user\AppData\Local\Temp\~DF81F8B836C10D3FC0.TMP
Composite Document File V2 Document, Cannot read section info
dropped
 clean
\Device\ConDrv
ASCII text, with CRLF line terminators
dropped
 clean

Processes

Path
Cmdline
Malicious
C:\Users\user\Desktop\G47wmLn8uy.exe
"C:\Users\user\Desktop\G47wmLn8uy.exe"
malicious
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Users\user\Desktop\G47wmLn8uy.exe"
malicious
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Users\user\Desktop\G47wmLn8uy.exe"
malicious
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Users\user\Desktop\G47wmLn8uy.exe"
malicious
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
 clean

URLs

Name
IP
Malicious
http://127.0.0.1:HTTP/1.1
unknown
 clean
http://DynDns.comDynDNS
unknown
 clean
http://repository.certum.pl/ctnca.cer09
unknown
 clean
https://doc-08-0o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/g955ofpf
unknown
 clean
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
unknown
 clean
http://crl.certum.pl/ctnca.crl0k
unknown
 clean
https://doc-08-0o-docs.googleusercontent.com/
unknown
 clean
http://yandex.crl.certum.pl/ycasha2.crl0q
unknown
 clean
https://api.ipify.org%4
unknown
 clean
https://doc-08-0o-docs.googleusercontent.com/%%doc-08-0o-docs.googleusercontent.com
unknown
 clean
http://oQCcllY8wcJ5yZF5.orgt-
unknown
 clean
https://support.google.com/chrome/?p=plugin_flash
unknown
 clean
https://www.certum.pl/CPS0
unknown
 clean
http://oQCcllY8wcJ5yZF5.org
unknown
 clean
http://smtp.yandex.com
unknown
 clean
http://yandex.ocsp-responder.com03
unknown
 clean
http://subca.ocsp-certum.com0.
unknown
 clean
https://doc-08-0o-docs.googleusercontent.com/P~K
unknown
 clean
http://repository.certum.pl/ca.cer09
unknown
 clean
http://uYFyNj.com
unknown
 clean
http://crls.yandex.net/certum/ycasha2.crl0-
unknown
 clean
https://drive.google.com/
unknown
 clean
http://subca.ocsp-certum.com01
unknown
 clean
https://api.ipify.org%GETMozilla/5.0
unknown
 clean
https://doc-08-0o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/g955ofpf5ri5rpdjdcedlr3l5sifs0gg/1639494750000/08820895400503972853/*/1rvzmbX5uh5tlf4YLxhmc756C1SkQ0vOB?e=download
142.250.185.65
 clean
http://crl.certum.pl/ca.crl0h
unknown
 clean
http://www.certum.pl/CPS0
unknown
 clean
https://doc-08-0o-docs.googleusercontent.com/BQG
unknown
 clean
http://repository.certum.pl/ycasha2.cer0
unknown
 clean
https://csp.withgoogle.com/csp/report-to/gse_l9ocaq
unknown
 clean
There are 20 hidden URLs, click here to show them.

Domains

Name
IP
Malicious
smtp.yandex.ru
77.88.21.158
 clean
drive.google.com
142.250.181.238
 clean
googlehosted.l.googleusercontent.com
142.250.185.65
 clean
doc-08-0o-docs.googleusercontent.com
unknown
 clean
smtp.yandex.com
unknown
 clean

IPs

IP
Domain
Country
Malicious
142.250.181.238
drive.google.com
United States
clean
77.88.21.158
smtp.yandex.ru
Russian Federation
clean
142.250.185.65
googlehosted.l.googleusercontent.com
United States
clean

Registry

Path
Value
Malicious
HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\subideal\Eyeliners
HARNISKKLDT
 clean

Memdumps

Base Address
Regiontype
Protect
Malicious
1DE51000
unkown
page read and write
 malicious
D30000
unkown
page execute and read and write
 malicious
2AB0000
unkown
page execute and read and write
 malicious
FE0000
stack
page read and write
 clean
7FF528F37000
unkown image
page readonly
 clean
1DE30000
unkown
page read and write
 clean
7FF5B7FE9000
unkown image
page readonly
 clean
1DE30000
unkown
page read and write
 clean
2802528A000
unkown
page read and write
 clean
179E7540000
unkown
page read and write
 clean
179E6CA5000
unkown
page read and write
 clean
1CDB1000
unkown
page read and write
 clean
20A19119000
unkown
page read and write
 clean
179E6CC8000
unkown
page read and write
 clean
20A19819000
unkown
page read and write
 clean
20A198ED000
unkown
page read and write
 clean
FD5000
stack
page read and write
 clean
1E1E0EA4000
unkown
page read and write
 clean
590000
unkown image
page readonly
 clean
7FB40000
unkown image
page readonly
 clean
1AB024CD000
unkown
page read and write
 clean
7DF588BA0000
unkown image
page readonly
 clean
1CDB1000
unkown
page read and write
 clean
2252D802000
unkown
page read and write
 clean
2252D02A000
unkown
page read and write
 clean