IOC Report
Order_002376662-579588_Date 24082022.exe


Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| Order_002376662-579588_Date 24082022.exe | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive | initial sample | malicious |
| C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | modified | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Forhaanet.Nab | ASCII text, with very long lines, with no line terminators | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll | PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\face-cool.png | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Kalligraferendes\Quantisers\Aqua_20.bmp | JPEG image data, JFIF standard 1.01, resolution (DPI), density 100x100, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=3], baseline, precision 8, 110x110, frames 3 | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Noneffervescently.Cre | data | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79\iso_3166-1.json | UTF-8 Unicode text | dropped | |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | "C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" | malicious |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | "C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" | malicious |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |

URLs

| Name | IP | Malicious |
|---|---|---|
| http://crl.certum.pl/ctnca2.crl0l | unknown | |
| http://repository.certum.pl/ctnca2.cer09 | unknown | |
| http://crl.certum.pl/ctsca2021.crl0o | unknown | |
| http://nsis.sf.net/NSIS_Error | unknown | |
| http://repository.certum.pl/ctnca.cer09 | unknown | |
| http://nsis.sf.net/NSIS_ErrorError | unknown | |
| http://repository.certum.pl/ctsca2021.cer0 | unknown | |
| http://crl.certum.pl/ctnca.crl0k | unknown | |
| http://subca.ocsp-certum.com05 | unknown | |
| http://www.certum.pl/CPS0 | unknown | |
| http://subca.ocsp-certum.com02 | unknown | |
| http://subca.ocsp-certum.com01 | unknown | |

Domains

| Name | IP | Malicious |
|---|---|---|
| mnhckm.tk | 45.8.132.92 | |

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 45.8.132.92 | mnhckm.tk | Germany | |

Registry

| Path | Value | Malicious |
|---|---|---|
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Platooned\Ananthropism | Swithen | |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Trakeotomis | Brndboringen | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fallalishly | Navigationsskoler | |
| HKEY_CURRENT_USER\SOFTWARE\Outsnores\Begre\Bonusernes\Skovdistrikts | Chold146 | |

Memdumps

| Base Address | Region type | Protect | Malicious |
|---|---|---|---|
| F70000 | remote allocation | page execute and read and write | malicious |
| F70000 | remote allocation | page execute and read and write | malicious |
| 3500000 | direct allocation | page execute and read and write | malicious |
| 422000 | unknown | page read and write | |
| F60000 | remote allocation | page read and write | |
| 1114000 | heap | page read and write | |
| E6EB1FB000 | stack | page read and write | |
| 1BF4E632000 | heap | page read and write | |
| 2CE970CD000 | heap | page read and write | |
| 2CE9790F000 | heap | page read and write | |
| 2CE97040000 | heap | page read and write | |
| 1BF4E613000 | heap | page read and write | |
| 2CE97024000 | heap | page read and write | |
| 8D0000 | trusted library allocation | page read and write | |
| 3410000 | heap | page read and write | |
| 235F000 | stack | page read and write | |
| 3601000 | trusted library allocation | page read and write | |
| 10001000 | unknown | page execute read | |
| 1BF4E450000 | heap | page read and write | |
| 14CE000 | stack | page read and write | |
| 2CE970CD000 | heap | page read and write | |
| 11D4000 | heap | page read and write | |
| 10005000 | unknown | page readonly | |
| 1BF4E67D000 | heap | page read and write | |
| 2D80000 | trusted library allocation | page read and write | |
| 158E000 | stack | page read and write | |
| 2CE97913000 | heap | page read and write | |
| 17318FA000 | stack | page read and write | |
| E6EAFFE000 | stack | page read and write | |
| 2CE97970000 | heap | page read and write | |
| E6EB0FD000 | stack | page read and write | |
| 3240000 | trusted library allocation | page read and write | |
| 98000 | stack | page read and write | |
| 277E000 | stack | page read and write | |
| 2CE96F20000 | unclassified section | page readonly | |
| 1BF4EDC0000 | trusted library allocation | page read and write | |
| 2CE97974000 | heap | page read and write | |
| 33FC000 | stack | page read and write | |
| 40A000 | unknown | page write copy | |
| 1BF4E5D0000 | heap | page read and write | |
| 4FD000 | heap | page read and write | |
| 1BF4E602000 | heap | page read and write | |
| 2CE9793B000 | heap | page read and write | |
| 400000 | unknown | page readonly | |
| 10F0000 | heap | page read and write | |
| 2CE970A4000 | heap | page read and write | |
| 10D9000 | heap | page read and write | |
| 1BF4E63B000 | heap | page read and write | |
| 2CE97970000 | heap | page read and write | |
| 2CE970B9000 | heap | page read and write | |
| E6EB2FE000 | stack | page read and write | |
| 2CE97102000 | heap | page read and write | |
| 52C000 | heap | page read and write | |