IOC Report
Outstanding Balance.exe

Files

File Path | Type | Category | Malicious
Outstanding Balance.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | malicious
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Outstanding Balance.exe.log | ASCII text, with CRLF line terminators | modified | malicious
C:\Users\user\AppData\Local\Temp\tmp2F3E.tmp | XML 1.0 document, ASCII text | dropped | malicious
C:\Users\user\AppData\Roaming\wBKXRefcPdWgIF.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious
C:\Users\user\AppData\Roaming\wBKXRefcPdWgIF.exe:Zone.Identifier | ASCII text, with CRLF line terminators | dropped | malicious
C:\Windows\System32\drivers\etc\hosts | ASCII text, with CRLF line terminators | modified | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | data | dropped |
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_15uilnrt.ojj.ps1 | very short file (no magic) | dropped |
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hhwtbrxc.0tv.psm1 | very short file (no magic) | dropped |
C:\Users\user\Documents\20220514\PowerShell_transcript.414408.xQOGZ_fA.20220514124220.txt | UTF-8 Unicode (with BOM) text, with CRLF line terminators | dropped |

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\Outstanding Balance.exe | "C:\Users\user\Desktop\Outstanding Balance.exe" | malicious
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wBKXRefcPdWgIF.exe | malicious
C:\Windows\SysWOW64\schtasks.exe | C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBKXRefcPdWgIF" /XML "C:\Users\user\AppData\Local\Temp\tmp2F3E.tmp | malicious
C:\Users\user\Desktop\Outstanding Balance.exe | C:\Users\user\Desktop\Outstanding Balance.exe | malicious
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |

URLs

Name | IP | Malicious
http://rPudMB.com | unknown |
http://127.0.0.1:HTTP/1.1 | unknown |
http://www.apache.org/licenses/LICENSE-2.0 | unknown |
http://www.fontbureau.com | unknown |
http://www.fontbureau.com/designersG | unknown |
http://www.fontbureau.com/designers/? | unknown |
http://www.founder.com.cn/cn/bThe | unknown |
https://certs.starfieldtech.com/repository/0 | unknown |
http://certificates.starfieldtech.com/repository/0 | unknown |
http://www.fontbureau.com/designers? | unknown |
http://certs.starfieldtech.com/repository/1402 | unknown |
http://crl.starfieldtech.com/sfroot-g2.crl0L | unknown |
http://a2plcpnl0484.prod.iad2.secureserver.net | unknown |
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | unknown |
http://crl.starfieldtech.com/sfig2s1-387.crl0c | unknown |
http://www.tiro.com | unknown |
http://ocsp.starfieldtech.com/0; | unknown |
http://www.fontbureau.com/designers | unknown |
https://api.ipify.org%%startupfolder% | unknown |
http://www.goodfont.co.kr | unknown |
http://www.carterandcone.coml | unknown |
http://ocsp.starfieldtech.com/0F | unknown |
http://www.sajatypeworks.com | unknown |
http://www.typography.netD | unknown |
http://www.fontbureau.com/designers/cabarga.htmlN | unknown |
http://www.fontbureau.comas | unknown |
http://www.founder.com.cn/cn/cThe | unknown |
http://www.galapagosdesign.com/staff/dennis.htm | unknown |
http://fontfabrik.com | unknown |
http://www.founder.com.cn/cn | unknown |
http://www.fontbureau.com/designers/frere-jones.html | unknown |
http://www.fontbureau.comm | unknown |
http://www.jiyu-kobo.co.jp/ | unknown |
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | unknown |
http://www.galapagosdesign.com/DPlease | unknown |
http://www.fontbureau.com/designers8 | unknown |
https://SjVl8ze1qIuT.com | unknown |
http://www.fonts.com | unknown |
http://www.sandoll.co.kr | unknown |
http://www.urwpp.deDPlease | unknown |
http://www.zhongyicts.com.cn | unknown |
http://certificates.starfieldtech.com/repository/sfig2.crt0 | unknown |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | unknown |
http://www.sakkal.com | unknown |
https://api.ipify.org% | unknown |
35 further URLs are hidden in this report and are not listed here.

Domains

Name | IP | Malicious
a2plcpnl0484.prod.iad2.secureserver.net | 198.71.236.16 |

IPs

IP | Domain | Country | Malicious
198.71.236.16 | a2plcpnl0484.prod.iad2.secureserver.net | United States |

Memdumps

Base Address | Regiontype | Protect | Malicious
31D1000 | trusted library allocation | page read and write | malicious
2BF1000 | trusted library allocation | page read and write | malicious