IOC Report
JOB-in.line e.K. - New Order 56899707.exe

Files

File Path | Type | Category | Malicious
JOB-in.line e.K. - New Order 56899707.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | malicious
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JOB-in.line e.K. - New Order 56899707.exe.log | ASCII text, with CRLF line terminators | modified | malicious
C:\Users\user\AppData\Local\Temp\tmpF006.tmp | XML 1.0 document, ASCII text | dropped | malicious
C:\Users\user\AppData\Roaming\gATZIsOK.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious
C:\Users\user\AppData\Roaming\gATZIsOK.exe:Zone.Identifier | ASCII text, with CRLF line terminators | dropped | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | data | dropped |
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_evf3gbiu.whq.psm1 | very short file (no magic) | dropped |
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mkbfubpc.mhm.ps1 | very short file (no magic) | dropped |
C:\Users\user\Documents\20220805\PowerShell_transcript.065367.PYT_AdW3.20220805104819.txt | UTF-8 Unicode (with BOM) text, with CRLF line terminators | dropped |

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe | "C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe" | malicious
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gATZIsOK.exe" | malicious
C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gATZIsOK" /XML "C:\Users\user\AppData\Local\Temp\tmpF006.tmp" | malicious
C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe | C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe | malicious
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |

URLs

Name | IP | Malicious
20.91.187.223 | | malicious

IPs

IP | Domain | Country | Malicious
20.91.187.223 | unknown | United States | malicious

Registry

Path | Value | Malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | MaxConnectionsPer1_0Server | malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | MaxConnectionsPerServer | malicious
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum | Version |

Memdumps

Base Address | Region type | Protect | Malicious
C88000 | heap | page read and write | malicious
C87000 | heap | page read and write | malicious
54F000 | remote allocation | page execute and read and write | malicious
C98000 | heap | page read and write | malicious
414000 | remote allocation | page execute and read and write | malicious
45C4000 | trusted library allocation | page read and write | malicious
2D16000 | trusted library allocation | page read and write | malicious
24C4304E000 | heap | page read and write |
53B0000 | trusted library allocation | page read and write |
2835446C000 | heap | page read and write |
1E531113000 | heap | page read and write |