IOC Report
ungziped_file.exe

Files

File Path
Type
Category
Malicious
ungziped_file.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
initial sample
malicious
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ungziped_file.exe.log
ASCII text, with CRLF line terminators
dropped
malicious
C:\Users\user\AppData\Local\Temp\tmp83C2.tmp
XML 1.0 document, ASCII text
dropped
malicious
C:\Users\user\AppData\Roaming\wcxUnWLNw.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
dropped
malicious
C:\Users\user\AppData\Roaming\wcxUnWLNw.exe:Zone.Identifier
ASCII text, with CRLF line terminators
dropped
malicious
C:\ProgramData\ios\logs.dat
data
dropped
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wcxUnWLNw.exe.log
ASCII text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\json[1].json
JSON data
dropped
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\json[1].json
JSON data
dropped
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
modified
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1yqzxpwo.03o.ps1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3303b0gg.z24.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aed25he4.2ve.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l02lgsx5.lo0.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mq5q1llf.gd1.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p5ciq2ms.d5k.ps1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r2ju2pwh.vkc.ps1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y3ixx2nq.oon.ps1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\tmp9556.tmp
XML 1.0 document, ASCII text
dropped

Processes

Path
Cmdline
Malicious
C:\Users\user\Desktop\ungziped_file.exe
"C:\Users\user\Desktop\ungziped_file.exe"
malicious
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ungziped_file.exe"
malicious
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wcxUnWLNw.exe"
malicious
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wcxUnWLNw" /XML "C:\Users\user\AppData\Local\Temp\tmp83C2.tmp"
malicious
C:\Users\user\Desktop\ungziped_file.exe
"C:\Users\user\Desktop\ungziped_file.exe"
malicious
C:\Users\user\AppData\Roaming\wcxUnWLNw.exe
C:\Users\user\AppData\Roaming\wcxUnWLNw.exe
malicious
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wcxUnWLNw" /XML "C:\Users\user\AppData\Local\Temp\tmp9556.tmp"
malicious
C:\Users\user\AppData\Roaming\wcxUnWLNw.exe
"C:\Users\user\AppData\Roaming\wcxUnWLNw.exe"
malicious
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

URLs

Name
IP
Malicious
oyo.work.gd
malicious
http://www.apache.org/licenses/LICENSE-2.0
unknown
http://www.fontbureau.com
unknown
http://www.fontbureau.com/designersG
unknown
http://www.fontbureau.com/designers/?
unknown
http://www.founder.com.cn/cn/bThe
unknown
http://geoplugin.net/json.gpyl
unknown
http://www.fontbureau.com/designers?
unknown
http://www.tiro.com
unknown
http://www.fontbureau.com/designers
unknown
http://geoplugin.net/json.gpu
unknown
http://geoplugin.net/json.gp;
unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0
unknown
http://www.carterandcone.coml
unknown
http://www.sajatypeworks.com
unknown
http://geoplugin.net/json.gp
178.237.33.50
http://www.typography.netD
unknown
http://www.fontbureau.com/designers/cabarga.htmlN
unknown
http://www.founder.com.cn/cn/cThe
unknown
http://www.galapagosdesign.com/staff/dennis.htm
unknown
http://www.founder.com.cn/cn
unknown
http://www.fontbureau.com/designers/frere-user.html
unknown
http://geoplugin.net/
unknown
http://geoplugin.net/json.gp/C
unknown
http://geoplugin.net/json.gpat
unknown
http://www.jiyu-kobo.co.jp/
unknown
http://www.galapagosdesign.com/DPlease
unknown
http://www.fontbureau.com/designers8
unknown
http://www.fonts.com
unknown
http://geoplugin.net/json.gpV
unknown
http://www.urwpp.deDPlease
unknown
http://www.zhongyicts.com.cn
unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
unknown
http://www.sakkal.com
unknown

Domains

Name
IP
Malicious
oyo.work.gd
176.65.141.49
malicious
geoplugin.net
178.237.33.50

IPs

IP
Domain
Country
Malicious
176.65.141.49
oyo.work.gd
Germany
malicious
178.237.33.50
geoplugin.net
Netherlands

Registry

Path
Value
Malicious
HKEY_CURRENT_USER\SOFTWARE\gig-Z5JY9I
exepath
HKEY_CURRENT_USER\SOFTWARE\gig-Z5JY9I
licence

Memdumps

Base Address
Regiontype
Protect
Malicious
400000
remote allocation
page execute and read and write
malicious
36A9000
trusted library allocation
page read and write
malicious
DAA000
heap
page read and write
malicious
BA7000
heap
page read and write
malicious
6FF5000
trusted library allocation
page read and write
ECE000
stack
page read and write
46E000
remote allocation
page execute and read and write
B70E000
stack
page read and write
4BB3000
heap
page read and write
8A0000
heap
page read and write
146B000
trusted library allocation
page execute and read and write
D35000
heap
page read and write
CFE000
stack
page read and write
4BA0000
trusted library allocation
page read and write
91F000
heap
page read and write
BD6000
trusted library allocation
page execute and read and write
6EEE000
stack
page read and write
BB4000
trusted library allocation
page read and write
2F9F000
stack
page read and write
12E0000
trusted library allocation
page read and write
727B000
heap
page read and write
5980000
trusted library allocation
page execute and read and write
4C90000
trusted library allocation
page read and write
2C70000
trusted library allocation
page read and write
282E000
stack
page read and write
2A7F000
stack
page read and write
5890000
heap
page read and write
6BAE000
heap
page read and write
2BBF000
stack
page read and write
79FE000
stack
page read and write
3F1E000
trusted library allocation
page read and write
1443000
trusted library allocation
page read and write
5580000
heap
page execute and read and write
2590000
heap
page execute and read and write
2D00000
heap
page read and write
2F0B000
trusted library allocation
page read and write
BA0000
heap
page read and write
279A000
stack
page read and write
888000
heap
page read and write
2ABC000
stack
page read and write
386E000
stack
page read and write
B90000
trusted library allocation
page read and write
C50000
trusted library allocation
page execute and read and write
FCE000
stack
page read and write
5040000
trusted library allocation
page execute and read and write
B1FE000
stack
page read and write
C1B000
heap
page read and write
B48E000
stack
page read and write
AFAE000
stack
page read and write
1440000
trusted library allocation
page read and write
71DE000
stack
page read and write
4FDB000
stack
page read and write
4E70000
heap
page read and write
BE7000
trusted library allocation
page execute and read and write
71E0000
heap
page read and write
2CCE000
stack
page read and write
BB3000
trusted library allocation
page execute and read and write
5320000
trusted library allocation
page read and write
756E000
stack
page read and write
4B80000
trusted library allocation
page read and write
352F000
stack
page read and write
3F94000
trusted library allocation
page read and write
7FD90000
trusted library allocation
page execute and read and write
40F0000
trusted library allocation
page read and write
2570000
heap
page read and write
2E80000
heap
page read and write
73B0000
trusted library allocation
page read and write
471000
remote allocation
page execute and read and write
C04000
heap
page read and write
788E000
stack
page read and write
54FB000
stack
page read and write
716E000
stack
page read and write
2CCE000
stack
page read and write
396D000
stack
page read and write
A5C000
stack
page read and write
12F0000
heap
page read and write
4C82000
trusted library allocation
page read and write
5870000
heap
page read and write
5510000
heap
page read and write
86A000
heap
page read and write
300000
unknown
page readonly
C80000
heap
page read and write
14A0000
heap
page read and write
256B000
stack
page read and write
5403000
heap
page read and write
86E000
heap
page read and write
12CE000
stack
page read and write
4BE1000
trusted library allocation
page read and write
293F000
stack
page read and write
B80E000
stack
page read and write
100A000
heap
page read and write
F60000
heap
page read and write
4BC0000
trusted library allocation
page read and write
2CCB000
heap
page read and write
8A2000
heap
page read and write
6BC2000
heap
page read and write
1490000
trusted library allocation
page execute and read and write
BCD000
trusted library allocation
page execute and read and write
4EC0000
heap
page read and write
5065000
heap
page read and write
6EA0000
trusted library allocation
page read and write
550A000
trusted library section
page readonly
BD0000
trusted library allocation
page read and write
73FE000
stack
page read and write
14A7000
heap
page read and write
2C90000
heap
page read and write
297B000
stack
page read and write
36A1000
trusted library allocation
page read and write
5060000
heap
page read and write
4F10000
trusted library allocation
page read and write
1460000
trusted library allocation
page read and write
5341000
trusted library allocation
page read and write
5324000
trusted library allocation
page read and write
4BE6000
trusted library allocation
page read and write
145A000
trusted library allocation
page execute and read and write
AFD000
stack
page read and write
7030000
trusted library allocation
page execute and read and write
7F0000
heap
page read and write
573E000
stack
page read and write
BFA000
stack
page read and write
32AF000
unknown
page read and write
C60000
heap
page read and write
2E5D000
stack
page read and write
6CE2000
heap
page read and write
71FC000
heap
page read and write
2EF6000
trusted library allocation
page read and write
4E60000
heap
page read and write
6BA0000
heap
page read and write
109B000
heap
page read and write
BBD000
trusted library allocation
page execute and read and write
EF7000
stack
page read and write
104E000
stack
page read and write
5400000
heap
page read and write
746E000
stack
page read and write
4BCB000
trusted library allocation
page read and write
12E4000
trusted library allocation
page read and write
B5CC000
stack
page read and write
BA0000
heap
page read and write
7B5000
heap
page read and write
B34E000
stack
page read and write
2CD8000
trusted library allocation
page read and write
534D000
trusted library allocation
page read and write
2A00000
heap
page read and write
D7F000
stack
page read and write
CB0000
heap
page read and write
6D3E000
heap
page read and write
5530000
trusted library allocation
page read and write
4BF2000
trusted library allocation
page read and write
5875000
heap
page read and write
5030000
trusted library allocation
page read and write
775D000
stack
page read and write
B0AE000
stack
page read and write
777000
stack
page read and write
6CEF000
heap
page read and write
B820000
trusted library allocation
page execute and read and write
1450000
trusted library allocation
page read and write
2DFE000
unknown
page read and write
73AA000
trusted library allocation
page read and write
4F00000
trusted library section
page read and write
585D000
stack
page read and write
29ED000
stack
page read and write
3EA1000
trusted library allocation
page read and write
E10000
heap
page read and write
5740000
trusted library allocation
page read and write
3FFF000
trusted library allocation
page read and write
1456000
trusted library allocation
page execute and read and write
2830000
heap
page read and write
7BC000
stack
page read and write
2AA0000
heap
page read and write
2D70000
trusted library allocation
page read and write
FCF000
stack
page read and write
BEB000
trusted library allocation
page execute and read and write
39AD000
stack
page read and write
4BC4000
trusted library allocation
page read and write
74FE000
stack
page read and write
3FE8000
trusted library allocation
page read and write
5860000
trusted library allocation
page execute and read and write
1452000
trusted library allocation
page read and write
302000
unknown
page readonly
2A90000
heap
page read and write
2C60000
trusted library allocation
page read and write
C00000
trusted library allocation
page read and write
2D75000
trusted library allocation
page read and write
D90000
heap
page read and write
2CCF000
heap
page read and write
67A000
stack
page read and write
4EDC000
stack
page read and write
1462000
trusted library allocation
page read and write
B58E000
stack
page read and write
12E3000
trusted library allocation
page execute and read and write
7258000
heap
page read and write
533E000
trusted library allocation
page read and write
7231000
heap
page read and write
D8E000
stack
page read and write
7FA80000
trusted library allocation
page execute and read and write
B2FF000
stack
page read and write
2D0F000
stack
page read and write
6E90000
trusted library allocation
page read and write
5500000
trusted library section
page readonly
B67C000
stack
page read and write
2D80000
trusted library allocation
page read and write
6FEF000
stack
page read and write
67C2000
trusted library allocation
page read and write
7274000
heap
page read and write
275D000
stack
page read and write
6CA0000
heap
page read and write
2C39000
stack
page read and write
4C20000
trusted library allocation
page read and write
B6E000
stack
page read and write
6D36000
heap
page read and write
1034000
heap
page read and write
3EA9000
trusted library allocation
page read and write
2D90000
heap
page execute and read and write
BE6000
heap
page read and write
3AAB000
stack
page read and write
E20000
heap
page read and write
6CB8000
heap
page read and write
53D2000
trusted library allocation
page read and write
B6E000
stack
page read and write
4BDE000
trusted library allocation
page read and write
4C60000
heap
page read and write
B70000
heap
page read and write
F80000
heap
page read and write
2F5E000
stack
page read and write
50B7000
heap
page read and write
C70000
trusted library allocation
page read and write
5346000
trusted library allocation
page read and write
6F7E000
heap
page read and write
D97000
heap
page read and write
B57B000
stack
page read and write
895000
heap
page read and write
5750000
heap
page read and write
100F000
stack
page read and write
6FF0000
trusted library allocation
page read and write
BD2000
trusted library allocation
page read and write
4C00000
trusted library allocation
page read and write
4B90000
trusted library allocation
page read and write
4BB0000
heap
page read and write
2715000
trusted library allocation
page read and write
6CBC000
heap
page read and write
53B0000
heap
page read and write
779E000
stack
page read and write
C26000
heap
page read and write
C87000
heap
page read and write
371E000
stack
page read and write
732E000
stack
page read and write
4C70000
trusted library allocation
page execute and read and write
12ED000
trusted library allocation
page execute and read and write
5070000
heap
page read and write
5370000
trusted library allocation
page read and write
40E3000
trusted library allocation
page read and write
BE2000
trusted library allocation
page read and write
B43E000
stack
page read and write
B53E000
stack
page read and write
B5B000
stack
page read and write
6F92000
heap
page read and write
1042000
heap
page read and write
26F6000
trusted library allocation
page read and write
6CF2000
heap
page read and write
BC0000
trusted library allocation
page read and write
BC3000
trusted library allocation
page read and write
2F13000
trusted library allocation
page read and write
381F000
stack
page read and write
4F20000
heap
page execute and read and write
2BFD000
stack
page read and write
2CC0000
heap
page read and write
D00000
heap
page read and write
483C000
stack
page read and write
53C0000
trusted library allocation
page execute and read and write
28F0000
heap
page read and write
133E000
stack
page read and write
B6CC000
stack
page read and write
2C50000
trusted library allocation
page read and write
502D000
stack
page read and write
471000
remote allocation
page execute and read and write
2B90000
heap
page read and write
2B9A000
heap
page read and write
7205000
heap
page read and write
269E000
stack
page read and write
144D000
trusted library allocation
page execute and read and write
53D0000
trusted library allocation
page read and write
71F5000
heap
page read and write
76F4000
trusted library allocation
page read and write
67A0000
trusted library allocation
page read and write
342E000
stack
page read and write
2A4E000
unknown
page read and write
D30000
heap
page read and write
1480000
trusted library allocation
page read and write
BDA000
trusted library allocation
page execute and read and write
30B0000
heap
page read and write
2CA0000
heap
page read and write
12D0000
trusted library allocation
page read and write
76F0000
trusted library allocation
page read and write
5050000
trusted library allocation
page execute and read and write
7B0000
heap
page read and write
4ED0000
trusted library allocation
page read and write
6F70000
heap
page read and write
4EBC000
stack
page read and write
860000
heap
page read and write
4C80000
trusted library allocation
page read and write
B20000
heap
page read and write
B3FE000
stack
page read and write
BA0000
heap
page read and write
2E00000
heap
page read and write
7277000
heap
page read and write
5520000
heap
page read and write
5880000
heap
page read and write
2A8F000
unknown
page read and write
7A3E000
stack
page read and write
B44F000
stack
page read and write
B20E000
stack
page read and write
10D0000
heap
page read and write
B30E000
stack
page read and write
2C66000
trusted library allocation
page read and write
5540000
trusted library allocation
page execute and read and write
2E1F000
stack
page read and write
1040000
heap
page read and write
2EA1000
trusted library allocation
page read and write
2F1E000
unknown
page read and write
1467000
trusted library allocation
page execute and read and write
7246000
heap
page read and write
4E50000
trusted library section
page readonly
26A1000
trusted library allocation
page read and write
4BA5000
trusted library allocation
page read and write
46A8000
trusted library allocation
page read and write
B2E000
stack
page read and write
100E000
heap
page read and write
73A0000
trusted library allocation
page read and write
BB0000
trusted library allocation
page read and write
800000
heap
page read and write
53E0000
trusted library allocation
page read and write
41AA000
trusted library allocation
page read and write
5080000
heap
page read and write
722E000
heap
page read and write
4029000
trusted library allocation
page read and write
C4E000
stack
page read and write
2E9E000
stack
page read and write
10AE000
heap
page read and write
6DD0000
trusted library section
page read and write
79BE000
stack
page read and write
532B000
trusted library allocation
page read and write
2C64000
trusted library allocation
page read and write
475000
remote allocation
page execute and read and write
2CFF000
stack
page read and write
F70000
heap
page read and write
1000000
heap
page read and write
143F000
stack
page read and write
84E000
stack
page read and write
4BED000
trusted library allocation
page read and write
5086000
heap
page read and write
2C80000
heap
page read and write
1099000
heap
page read and write
5570000
trusted library allocation
page read and write
B77E000
stack
page read and write
4EE0000
trusted library allocation
page execute and read and write