IOC Report
UnDqKnghuz.exe

Files

File Path | Type | Category | Malicious
UnDqKnghuz.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious
C:\Users\user\AppData\Local\Temp\645238\Itunes.pif | PE32 executable (GUI) Intel 80386, for MS Windows | modified | malicious
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log | ASCII text, with CRLF line terminators | dropped |
C:\Users\user\AppData\Local\Temp\645238\RegAsm.exe | PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped |
C:\Users\user\AppData\Local\Temp\645238\p | data | dropped |
C:\Users\user\AppData\Local\Temp\Animals | data | dropped |
C:\Users\user\AppData\Local\Temp\Apollo | data | dropped |
C:\Users\user\AppData\Local\Temp\Arg | data | dropped |
C:\Users\user\AppData\Local\Temp\Barbara | DIY-Thermocam raw data (Lepton 3.x), scale 25675-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, show scale bar, calibration: offset 28924494707576576933888.000000, slope 30105255213280014630912.000000 | dropped |
C:\Users\user\AppData\Local\Temp\Blonde | data | dropped |
C:\Users\user\AppData\Local\Temp\Cemetery | data | dropped |
C:\Users\user\AppData\Local\Temp\Coding | data | dropped |
C:\Users\user\AppData\Local\Temp\Cornwall | data | dropped |
C:\Users\user\AppData\Local\Temp\Defense | data | dropped |
C:\Users\user\AppData\Local\Temp\Donald | data | dropped |
C:\Users\user\AppData\Local\Temp\Examined | data | dropped |
C:\Users\user\AppData\Local\Temp\Fake | ASCII text, with very long lines (1680), with CRLF line terminators | dropped |
C:\Users\user\AppData\Local\Temp\Fake.cmd | ASCII text, with very long lines (1680), with CRLF line terminators | dropped |
C:\Users\user\AppData\Local\Temp\File | data | dropped |
C:\Users\user\AppData\Local\Temp\Howto | data | dropped |
C:\Users\user\AppData\Local\Temp\Mild | data | dropped |
C:\Users\user\AppData\Local\Temp\Offered | data | dropped |
C:\Users\user\AppData\Local\Temp\Paper | data | dropped |
C:\Users\user\AppData\Local\Temp\Picks | data | dropped |
C:\Users\user\AppData\Local\Temp\Punk | data | dropped |
C:\Users\user\AppData\Local\Temp\Sofa | data | dropped |
C:\Users\user\AppData\Local\Temp\Spending | data | dropped |
C:\Users\user\AppData\Local\Temp\Sticky | data | dropped |
C:\Users\user\AppData\Local\Temp\Takes | data | dropped |
C:\Users\user\AppData\Local\Temp\Tar | data | dropped |
C:\Users\user\AppData\Local\Temp\Tears | data | dropped |
C:\Users\user\AppData\Local\Temp\Thereof | data | dropped |
C:\Users\user\AppData\Local\Temp\Threatened | data | dropped |
C:\Users\user\AppData\Local\Temp\Till | data | dropped |
C:\Users\user\AppData\Local\Temp\Times | data | dropped |
C:\Users\user\AppData\Local\Temp\Ultra | data | dropped |
C:\Users\user\AppData\Local\Temp\Visitor | PCX ver. 2.5 image data bounding box [63573, 17803] - [35788, 62541], 106 planes each of 139-bit uncompressed | dropped |
C:\Users\user\AppData\Local\Temp\Weblogs | data | dropped |
C:\Users\user\AppData\Local\Temp\Worship | data | dropped |

A further 29 files are hidden in the original report and not listed here.

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\UnDqKnghuz.exe | "C:\Users\user\Desktop\UnDqKnghuz.exe" | malicious
C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k copy Fake Fake.cmd & Fake.cmd & exit | malicious
C:\Windows\SysWOW64\findstr.exe | findstr /I "wrsa.exe opssvc.exe" | malicious
C:\Windows\SysWOW64\findstr.exe | findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" | malicious
C:\Windows\SysWOW64\cmd.exe | cmd /c md 645238 | malicious
C:\Windows\SysWOW64\findstr.exe | findstr /V "AxisDevicesTwikiIntimate" Paper | malicious
C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b Coding + Offered + Howto + Threatened + Mild + Blonde + Sticky 645238\p | malicious
C:\Users\user\AppData\Local\Temp\645238\Itunes.pif | 645238\Itunes.pif 645238\p | malicious
C:\Users\user\AppData\Local\Temp\645238\RegAsm.exe | C:\Users\user\AppData\Local\Temp\645238\RegAsm.exe | malicious
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
C:\Windows\SysWOW64\tasklist.exe | tasklist |
C:\Windows\SysWOW64\tasklist.exe | tasklist |
C:\Windows\SysWOW64\timeout.exe | timeout 5 |
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |

A further 4 processes are hidden in the original report and not listed here.

URLs

Name | IP | Malicious
http://www.autoitscript.com/autoit3/J | unknown |
http://www.apache.org/licenses/LICENSE-2.0 | unknown |
http://www.fontbureau.com | unknown |