IOC Report


Files

File Path | Type | Category | Malicious
--- | --- | --- | ---
3Wok4G7Goe.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | malicious
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3Wok4G7Goe.exe.log | ASCII text, with CRLF line terminators | modified | malicious
C:\Users\user\AppData\Local\Temp\tmpDDB3.tmp | XML 1.0 document, ASCII text | dropped | malicious
C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious
C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe:Zone.Identifier | ASCII text, with CRLF line terminators | dropped | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | data | dropped | clean
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ajkuautj.dhg.ps1 | very short file (no magic) | dropped | clean
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mxomvrbi.i11.psm1 | very short file (no magic) | dropped | clean
C:\Users\user\Documents\20220113\PowerShell_transcript.103386.3rTMab6k.20220113175612.txt | UTF-8 Unicode (with BOM) text, with CRLF line terminators | dropped | clean

Processes

Path | Cmdline | Malicious
--- | --- | ---
C:\Users\user\Desktop\3Wok4G7Goe.exe | "C:\Users\user\Desktop\3Wok4G7Goe.exe" | malicious
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe | malicious
C:\Windows\SysWOW64\schtasks.exe | C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eyFgpnfXIO" /XML "C:\Users\user\AppData\Local\Temp\tmpDDB3.tmp | malicious
C:\Users\user\Desktop\3Wok4G7Goe.exe | C:\Users\user\Desktop\3Wok4G7Goe.exe | malicious
C:\Windows\explorer.exe | C:\Windows\Explorer.EXE | malicious
C:\Windows\SysWOW64\systray.exe | C:\Windows\SysWOW64\systray.exe | malicious
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean

URLs

Name | IP | Malicious
--- | --- | ---
www.topeasyip.company/i5nb/ | | malicious
http://www.autoitscript.com/autoit3/J | unknown | clean
http://www.apache.org/licenses/LICENSE-2.0 | unknown | clean
http://www.fontbureau.com | unknown | clean
http://www.fontbureau.com/designersG | unknown | clean
http://www.fontbureau.com/designers/? | unknown | clean
http://www.founder.com.cn/cn/bThe | unknown | clean
http://www.fontbureau.com/designers? | unknown | clean
http://www.tiro.com | unknown | clean
http://www.fontbureau.com/designers | unknown | clean
http://www.goodfont.co.kr | unknown | clean
http://www.carterandcone.coml | unknown | clean
http://www.sajatypeworks.com | unknown | clean
http://www.typography.netD | unknown | clean
http://www.fontbureau.com/designers/cabarga.htmlN | unknown | clean
http://www.founder.com.cn/cn/cThe | unknown | clean
http://www.galapagosdesign.com/staff/dennis.htm | unknown | clean
http://fontfabrik.com | unknown | clean
http://www.founder.com.cn/cn | unknown | clean
http://www.fontbureau.com/designers/frere-jones.html | unknown | clean
http://www.jiyu-kobo.co.jp/ | unknown | clean
http://www.galapagosdesign.com/DPlease | unknown | clean
http://www.fontbureau.com/designers8 | unknown | clean
http://www.fonts.com | unknown | clean
http://www.sandoll.co.kr | unknown | clean
http://www.urwpp.deDPlease | unknown | clean
http://www.zhongyicts.com.cn | unknown | clean
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | unknown | clean
http://www.sakkal.com | unknown | clean

Memdumps

Base Address | Region type | Protect | Malicious
--- | --- | --- | ---
400000 | unknown | page execute and read and write | malicious
2130000 | unknown image | page execute and read and write | malicious
400000 | unknown | page execute and read and write | malicious
352B000 | unknown | page read and write | malicious
34E1000 | unknown | page read and write | malicious
1490000 | unknown image | page execute and read and write | malicious
3F40000 | unknown image | page execute and read and write | malicious
44E9000 | unknown | page read and write | malicious
7FAD000 | unknown image | page execute and read and write | malicious
400000 | unknown | page execute and read and write | malicious
3FA0000 | unknown | page read and write | malicious
1460000 | unknown image | page execute and read and write | malicious
7FAD000 | unknown image | page execute and read and write | malicious
7FF566C63000 | unknown image | page readonly | clean
400000 | unknown | page execute and read and write | clean
5CEE000 | unknown | page read and write | clean
76FC000 | unknown image | page readonly | clean
E32C2FE000 | stack | page read and write |