IOC Report
PEbZthAqV9.exe

Files

File Path | Type | Category | Malicious
PEbZthAqV9.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | malicious
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PEbZthAqV9.exe.log | ASCII text, with CRLF line terminators | dropped | malicious
C:\Users\user\AppData\Local\Temp\tmp53D2.tmp | XML 1.0 document, ASCII text | dropped | malicious
C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious
C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe:Zone.Identifier | ASCII text, with CRLF line terminators | dropped | malicious
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\myTuDsvNcebev.exe.log | ASCII text, with CRLF line terminators | dropped | -
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json | JSON data | dropped | -
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | data | dropped | -
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2nntabay.dmq.psm1 | ASCII text, with no line terminators | dropped | -
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4oxii0eg.5dk.ps1 | ASCII text, with no line terminators | dropped | -
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j0zpvfr3.jhz.ps1 | ASCII text, with no line terminators | dropped | -
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jyg0glu1.50p.ps1 | ASCII text, with no line terminators | dropped | -
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n3vsa3fc.cq5.psm1 | ASCII text, with no line terminators | dropped | -
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qxi5tuxz.aqg.ps1 | ASCII text, with no line terminators | dropped | -
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t3f2zrq2.ajw.psm1 | ASCII text, with no line terminators | dropped | -
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xs2kztd3.s3t.psm1 | ASCII text, with no line terminators | dropped | -
C:\Users\user\AppData\Local\Temp\tmp7C97.tmp | XML 1.0 document, ASCII text | dropped | -
(7 further files not shown)

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\PEbZthAqV9.exe | "C:\Users\user\Desktop\PEbZthAqV9.exe" | malicious
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PEbZthAqV9.exe" | malicious
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe" | malicious
C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\myTuDsvNcebev" /XML "C:\Users\user\AppData\Local\Temp\tmp53D2.tmp" | malicious
C:\Users\user\Desktop\PEbZthAqV9.exe | "C:\Users\user\Desktop\PEbZthAqV9.exe" | malicious
C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | malicious
C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\myTuDsvNcebev" /XML "C:\Users\user\AppData\Local\Temp\tmp7C97.tmp" | malicious
C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | "C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe" | malicious
C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | "C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe" | malicious
C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | "C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe" | malicious
C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | "C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe" | malicious
C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe | "C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe" | malicious
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | -
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | -
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | -
C:\Windows\System32\wbem\WmiPrvSE.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | -
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | -
(7 further processes not shown)

URLs

Name | IP | Malicious
http://www.apache.org/licenses/LICENSE-2.0 | unknown | -
http://www.fontbureau.com | unknown | -
http://www.fontbureau.com/designersG | unknown | -
http://www.fontbureau.com/designers/? | unknown | -
http://www.founder.com.cn/cn/bThe | unknown | -
http://www.fontbureau.com/designers? | unknown | -
http://tempuri.org/DataSet1.xsd | unknown | -
http://www.tiro.com | unknown | -
http://www.fontbureau.com/designers | unknown | -
http://geoplugin.net/json.gpsystem32 | unknown | -
http://www.goodfont.co.kr | unknown | -
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | unknown | -
http://www.carterandcone.coml | unknown | -
http://www.sajatypeworks.com | unknown | -
http://geoplugin.net/json.gp | 178.237.33.50 | -
http://www.typography.netD | unknown | -
http://www.fontbureau.com/designers/cabarga.htmlN | unknown | -
http://www.founder.com.cn/cn/cThe | unknown | -
http://www.galapagosdesign.com/staff/dennis.htm | unknown | -
http://www.founder.com.cn/cn | unknown | -
http://www.fontbureau.com/designers/frere-user.html | unknown | -
http://geoplugin.net/json.gpi5H | unknown | -
http://geoplugin.net/json.gp/C | unknown | -
http://www.ascendercorp.com/typedesigners.htmls | unknown | -
http://www.jiyu-kobo.co.jp/ | unknown | -
http://www.galapagosdesign.com/DPlease | unknown | -
http://www.fontbureau.com/designers8 | unknown | -
http://www.fonts.com | unknown | -
http://www.sandoll.co.kr | unknown | -
http://www.urwpp.deDPlease | unknown | -
http://www.zhongyicts.com.cn | unknown | -
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | unknown | -
http://www.sakkal.com | unknown | -
(23 further URLs not shown)

Domains

Name | IP | Malicious
geoplugin.net | 178.237.33.50 | -

IPs

IP | Domain | Country | Malicious
41.216.183.238 | unknown | South Africa | malicious
178.237.33.50 | geoplugin.net | Netherlands | -

Registry

Path | Value | Malicious
HKEY_CURRENT_USER\SOFTWARE\Rmc-Y7J88P | exepath | malicious
HKEY_CURRENT_USER\SOFTWARE\Rmc-Y7J88P | licence | malicious
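
The Processes and Registry tables above give the behaviours worth turning into detections: powershell.exe adding Defender exclusions for the sample and for its dropped copy, schtasks.exe registering a task from an XML file staged in the user's Temp folder, the dropped executable running directly from the AppData\Roaming root, and a per-sample key under HKCU\SOFTWARE\Rmc-<id> holding exepath and licence values (a key layout commonly associated with the Remcos RAT; the report itself makes no family attribution). A few caveats a responder should keep in mind when reading the tables: the process image path is under C:\Windows\SysWOW64 while the command line names System32, because the 32-bit sample is subject to WOW64 file-system redirection, so match on the image basename rather than on the path quoted in the command line; the __PSScriptPolicyTest_*.ps1/.psm1 files in Temp are written by PowerShell itself on every launch when it probes AppLocker/WDAC script policy and are not payloads; most entries in the URLs table are font-vendor strings carried in embedded resources, and geoplugin.net (a geolocation lookup) is the only one that actually resolved; and the memdumps flagged malicious include remote allocations at 400000 and neighbouring addresses with execute/read/write protection, that is an image written into another process at the default 32-bit image base, the footprint of process hollowing.

The scanner below is an added example and not part of the sandbox output. It runs those four rules over a handful of constructed events modelled on the tables above, including two benign look-alikes (an ordinary PowerShell launch and a conhost.exe start) that must not fire. The event field names (type, image, cmdline, key, value) are an assumption; map them onto your EDR's or Sysmon's schema.

```python
"""Added example: match the behaviours listed in this IOC report against
endpoint telemetry. Not part of the sandbox output; the sample events are
constructed to mirror the report's Processes and Registry tables."""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample events (assumed schema: type/image/cmdline for process
# creation, type/key/value for registry writes). The first four mirror rows
# of the report; the last two are benign look-alikes the rules must not flag.
SAMPLE_EVENTS = [
    {"type": "process",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe"'},
    {"type": "process",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\myTuDsvNcebev" '
                r'/XML "C:\Users\user\AppData\Local\Temp\tmp53D2.tmp"'},
    {"type": "process",
     "image": r"C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe",
     "cmdline": r"C:\Users\user\AppData\Roaming\myTuDsvNcebev.exe"},
    {"type": "registry", "key": r"HKCU\SOFTWARE\Rmc-Y7J88P", "value": "exepath"},
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo'},
    {"type": "process",
     "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# Defender exclusion added through PowerShell; the report shows -ExclusionPath,
# the other two parameters are the sibling switches of the same cmdlet.
EXCLUSION_RE = re.compile(
    r'Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+(?:"([^"]+)"|(\S+))', re.I)
# Task definition XML staged in the user's Temp folder
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)
# Executable sitting directly in the AppData\Roaming root (no vendor subfolder)
ROAMING_EXE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+\.exe$", re.I)
# Per-sample config key from the Registry table; accept both root-key spellings
RMC_KEY_RE = re.compile(r"^(?:HKCU|HKEY_CURRENT_USER)\\SOFTWARE\\Rmc-[A-Z0-9]+$", re.I)
RMC_VALUES = {"exepath", "licence"}


@dataclass
class Finding:
    rule: str
    event_index: int
    detail: str


def _switch_arg(cmdline: str, switch: str):
    """Value of a schtasks-style /switch argument, quoted or bare; None if absent."""
    m = re.search(rf'/{switch}\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def _process_findings(index: int, ev: dict) -> list:
    # Match on the image basename: the sample is 32-bit, so the real image lives
    # under SysWOW64 even though its own command line names System32.
    exe = ntpath.basename(ev["image"]).lower()
    cmd = ev["cmdline"]
    out = []
    if exe in ("powershell.exe", "pwsh.exe"):
        m = EXCLUSION_RE.search(cmd)
        if m:
            out.append(Finding("defender_exclusion_added", index, m.group(1) or m.group(2)))
    elif exe == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        xml = _switch_arg(cmd, "xml")
        if xml and TEMP_DIR_RE.search(xml):
            task = _switch_arg(cmd, "tn") or "?"
            out.append(Finding("schtasks_from_temp_xml", index, f"{task} <- {xml}"))
    if ROAMING_EXE_RE.match(ev["image"]):
        out.append(Finding("exe_in_roaming_root", index, ev["image"]))
    return out


def scan(events: list) -> list:
    """Run every rule over a list of events; findings come back in event order."""
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            findings.extend(_process_findings(i, ev))
        elif ev["type"] == "registry":
            if RMC_KEY_RE.match(ev["key"]) and ev["value"].lower() in RMC_VALUES:
                findings.append(Finding("rmc_config_key", i, ev["key"] + "\\" + ev["value"]))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_index}: {f.detail}")
```

Each rule is deliberately narrow so it can be tuned separately: the Roaming-root rule is the noisiest of the four on real estates (some legitimate updaters drop there) and is best treated as a corroborating signal next to the exclusion or scheduled-task hit rather than an alert on its own.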

Memdumps

Base Address | Region type | Protect | Malicious
4883000 | trusted library allocation | page read and write | malicious
124B000 | heap | page read and write | malicious
7410000 | trusted library section | page read and write | malicious
400000 | remote allocation | page execute and read and write | malicious
3D51000 | trusted library allocation | page read and write | malicious
1257000 | heap | page read and write | malicious
547D000 | stack | page read and write | -
75DE000 | stack | page read and write | -
EFE000 | stack | page read and write | -
2D20000 | heap | page read and write | -
610000 | heap | page read and write | -
9DEE000 | stack | page read and write | -
5591000 | heap | page read and write | -
761E000 | stack | page read and write | -
55B7000 | heap | page read and write | -
2C90000 | heap | page read and write | -
2D9F000 | stack | page read and write | -
BD2000 | trusted library allocation | page read and write | -
C54000 | heap | page read and write | -
7530000 | trusted library allocation | page read and write | -
F90000 | trusted library allocation | page read and write | -
A5EE000 | stack | page read and write | -
50A6000 | trusted library allocation | page read and write | -
144F000 | stack | page read and write | -
51F3000 | heap | page read and write | -
2B50000 | heap | page read and write | -
57AE000 | stack | page read and write | -
7C0000 | heap | page read and write | -
55B0000 | trusted library allocation | page read and write | -
C10000 | trusted library allocation | page execute and read and write | -
6DA0000 | trusted library allocation | page read and write | -
2AE0000 | trusted library allocation | page read and write | -
508B000 | trusted library allocation | page read and write | -
10E5000 | heap | page read and write | -
A0EF000 | stack | page read and write | -
DF0000 | heap | page read and write | -
51BB000 | stack | page read and write | -
B90000 | trusted library allocation | page read and write | -
F3E000 | stack | page read and write | -
4C3B000 | stack | page read and write | -
FA7000 | trusted library allocation | page execute and read and write | -
50C0000 | trusted library allocation | page read and write | -
5D70000 | heap | page read and write | -
65E000 | unknown | page read and write | -
FAB000 | trusted library allocation | page execute and read and write | -
2B60000 | heap | page execute and read and write | -
660000 | heap | page read and write | -
1220000 | trusted library allocation | page read and write | -
5670000 | heap | page read and write | -
50B2000 | trusted library allocation | page read and write | -
51F0000 | heap | page read and write | -
840000 | heap | page read and write | -
2D51000 | trusted library allocation | page read and write | -
518A000 | trusted library allocation | page read and write | -
7F610000 | trusted library allocation | page execute and read and write | -
2F70000 | heap | page read and write | -
4B68000 | trusted library allocation | page read and write | -
50F0000 | heap | page read and write | -
8EE000 | stack | page read and write | -
82E000 | unknown | page read and write | -
12B0000 | heap | page read and write | -
FB0000 | trusted library allocation | page read and write | -
3B7E000 | trusted library allocation | page read and write | -
FA2000 | trusted library allocation | page read and write | -
5D0000 | unknown | page readonly | -
36D000 | stack | page read and write | -
11CE000 | stack | page read and write | -
A4B0000 | heap | page read and write | -
3B61000 | trusted library allocation | page read and write | -
128F000 | heap | page read and write | -
51D4000 | trusted library section | page readonly | -
5565000 | heap | page read and write | -
A6EF000 | stack | page read and write | -
4D3C000 | stack | page read and write | -
BAD000 | trusted library allocation | page execute and read and write | -
BA3000 | trusted library allocation | page execute and read and write | -
3DCC000 | trusted library allocation | page read and write | -
7EE000 | unknown | page read and write | -
BA0000 | trusted library allocation | page read and write | -
1250000 | heap | page read and write | -
8F0000 | heap | page read and write | -
3EAC000 | trusted library allocation | page read and write | -
680000 | heap | page read and write | -
1220000 | trusted library allocation | page read and write | -
12C7000 | heap | page read and write | -
A87E000 | stack | page read and write | -
51E0000 | heap | page read and write | -
EFC000 | stack | page read and write | -
11D0000 | heap | page read and write | -
705E000 | stack | page read and write | -
5230000 | heap | page read and write | -
F7D000 | trusted library allocation | page execute and read and write | -
1206000 | trusted library allocation | page read and write | -
475000 | remote allocation | page execute and read and write | -
5D2000 | unknown | page readonly | -
55C5000 | heap | page read and write | -
46E000 | remote allocation | page execute and read and write | -
103F000 | heap | page read and write | -
11EE000 | trusted library allocation | page read and write | -
10A0000 | heap | page read and write | -
A4AD000 | stack | page read and write | -
F60000 | trusted library allocation | page read and write | -
129E000 | stack | page read and write | -
5122000 | trusted library allocation | page read and write | -
AF7000 | stack | page read and write | -
1010000 | heap | page read and write | -
C63000 | heap | page read and write | -
11D4000 | trusted library allocation | page read and write | -
103C000 | stack | page read and write | -
5560000 | heap | page read and write | -
50AD000 | trusted library allocation | page read and write | -
56CE000 | stack | page read and write | -
12AE000 | heap | page read and write | -
471000 | remote allocation | page execute and read and write | -
2B30000 | trusted library allocation | page read and write | -
EEE000 | stack | page read and write | -
F73000 | trusted library allocation | page execute and read and write | -
12B7000 | heap | page read and write | -
5420000 | trusted library allocation | page execute and read and write | -
3C59000 | trusted library allocation | page read and write | -
5599000 | heap | page read and write | -
BE0000 | heap | page read and write | -
11DB000 | trusted library allocation | page read and write | -
C57000 | heap | page read and write | -
9C6E000 | stack | page read and write | -
5780000 | trusted library allocation | page read and write | -
7452000 | heap | page read and write | -
1247000 | heap | page read and write | -
5084000 | trusted library allocation | page read and write | -
CE0000 | heap | page read and write | -
A3BF000 | stack | page read and write | -
9DAE000 | stack | page read and write | -
2E9F000 | stack | page read and write | -
5233000 | heap | page read and write | -
3DD9000 | trusted library allocation | page read and write | -
12B9000 | heap | page read and write | -
9A0000 | heap | page read and write | -
2A90000 | trusted library allocation | page read and write | -
11F6000 | trusted library allocation | page read and write | -
BE2000 | trusted library allocation | page read and write | -
1250000 | heap | page execute and read and write | -
7930000 | trusted library section | page read and write | -
A22F000 | stack | page read and write | -
477D000 | trusted library allocation | page read and write | -
A83E000 | stack | page read and write | -
121E000 | stack | page read and write | -
11CE000 | stack | page read and write | -
8A0000 | heap | page read and write | -
56D0000 | trusted library allocation | page read and write | -
1210000 | trusted library allocation | page read and write | -
F70000 | heap | page read and write | -
A26E000 | stack | page read and write | -
55C0000 | heap | page read and write | -
2B40000 | trusted library section | page readonly | -
B3D000 | stack | page read and write | -
7AEE000 | stack | page read and write | -
9EEE000 | stack | page read and write | -
5120000 | trusted library allocation | page read and write | -
729E000 | stack | page read and write | -
5080000 | trusted library allocation | page read and write | -
1200000 | trusted library allocation | page read and write | -
7F150000 | trusted library allocation | page execute and read and write | -
7430000 | heap | page read and write | -
7580000 | trusted library allocation | page read and write | -
C28000 | heap | page read and write | -
5580000 | heap | page read and write | -
92A000 | stack | page read and write | -
51F0000 | heap | page read and write | -
68B000 | heap | page read and write | -
1240000 | heap | page read and write | -
11F0000 | trusted library allocation | page read and write | -
BD0000 | trusted library allocation | page read and write | -
2D30000 | trusted library allocation | page execute and read and write | -
9F2D000 | stack | page read and write | -
2B00000 | trusted library allocation | page read and write | -
7469000 | heap | page read and write | -
C00000 | trusted library allocation | page read and write | -
7450000 | heap | page read and write | -
BD6000 | trusted library allocation | page execute and read and write | -
830000 | heap | page read and write | -
BB0000 | heap | page read and write | -
11D0000 | trusted library allocation | page read and write | -
29F8000 | trusted library allocation | page read and write | -
BE7000 | trusted library allocation | page execute and read and write | -
1237000 | heap | page read and write | -
F6B000 | stack | page read and write | -
6DC2000 | trusted library allocation | page read and write | -
BDA000 | trusted library allocation | page execute and read and write | -
F74000 | trusted library allocation | page read and write | -
FD8000 | heap | page read and write | -
11E0000 | trusted library allocation | page execute and read and write | -
A8E0000 | trusted library allocation | page execute and read and write | -
6E60000 | heap | page read and write | -
1230000 | heap | page read and write | -
BA4000 | trusted library allocation | page read and write | -
AD5E000 | stack | page read and write | -
5140000 | trusted library allocation | page read and write | -
BB5000 | heap | page read and write | -
B7E000 | stack | page read and write | -
748A000 | heap | page read and write | -
C61000 | heap | page read and write | -
7598000 | trusted library allocation | page read and write | -
574E000 | stack | page read and write | -
F8D000 | trusted library allocation | page execute and read and write | -
2B61000 | trusted library allocation | page read and write | -
A02D000 | stack | page read and write | -
51CC000 | stack | page read and write | -
14FE000 | stack | page read and write | -
57EE000 | stack | page read and write | -
A2BE000 | stack | page read and write | -
A030000 | heap | page read and write | -
75A000 | stack | page read and write | -
C47000 | heap | page read and write | -
379F000 | stack | page read and write | -
BCD000 | trusted library allocation | page execute and read and write | -
2D98000 | trusted library allocation | page read and write | -
F92000 | trusted library allocation | page read and write | -
CF7000 | stack | page read and write | -
A12E000 | stack | page read and write | -
BC0000 | trusted library allocation | page read and write | -
9EE000 | stack | page read and write | -
C2E000 | heap | page read and write | -
1220000 | heap | page read and write | -
5220000 | trusted library allocation | page read and write | -
1012000 | heap | page read and write | -
51D0000 | trusted library section | page readonly | -
6D0000 | heap | page read and write | -
AC5E000 | stack | page read and write | -
1180000 | heap | page read and write | -
2AE2000 | trusted library allocation | page read and write | -
F2E000 | stack | page read and write | -
471000 | remote allocation | page execute and read and write | -
A79E000 | stack | page read and write | -
69C000 | heap | page read and write | -
5110000 | heap | page read and write | -
1235000 | trusted library allocation | page read and write | -
113C000 | stack | page read and write | -
A69E000 | stack | page read and write | -
8CF000 | stack | page read and write | -
5570000 | heap | page read and write | -
3AA000 | stack | page read and write | -
990000 | heap | page read and write | -
670000 | heap | page read and write | -
A8DF000 | stack | page read and write | -
63D000 | stack | page read and write | -
1100000 | heap | page read and write | -
A17E000 | stack | page read and write | -
A73D000 | stack | page read and write | -
12C2000 | heap | page read and write | -
512B000 | trusted library allocation | page read and write | -
F9A000 | trusted library allocation | page execute and read and write | -
10E0000 | heap | page read and write | -
11D0000 | trusted library allocation | page read and write | -
5797000 | trusted library allocation | page read and write | -
743C000 | heap | page read and write | -
5410000 | heap | page read and write | -
8F7000 | heap | page read and write | -
AB1C000 | stack | page read and write | -
AD60000 | trusted library allocation | page execute and read and write | -
1240000 | trusted library allocation | page read and write | -
764F000 | stack | page read and write | -
7540000 | trusted library allocation | page execute and read and write | -
A97E000 | stack | page read and write | -
1202000 | trusted library allocation | page read and write | -
FDE000 | heap | page read and write | -
88E000 | stack | page read and write | -
92F000 | stack | page read and write | -
5180000 | trusted library allocation | page read and write | -
2B5E000 | stack | page read and write | -
100E000 | stack | page read and write | -
369E000 | stack | page read and write | -
DD0000 | heap | page read and write | -
52C0000 | trusted library allocation | page execute and read and write | -
2C7C000 | stack | page read and write | -
FD0000 | heap | page read and write | -
5130000 | trusted library allocation | page execute and read and write | -
5790000 | trusted library allocation | page read and write | -
5700000 | trusted library allocation | page execute and read and write | -
A3AE000 | stack | page read and write | -
F90000 | trusted library allocation | page read and write | -
56F0000 | trusted library allocation | page read and write | -
A27E000 | stack | page read and write | -
11CE000 | stack | page read and write | -
DF5000 | heap | page read and write | -
9CAE000 | stack | page read and write | -
F96000 | trusted library allocation | page execute and read and write | -
56E0000 | trusted library allocation | page execute and read and write | -
50A1000 | trusted library allocation | page read and write | -
C67000 | heap | page read and write | -
15FE000 | stack | page read and write | -
3C79000 | trusted library allocation | page read and write | -
1086000 | heap | page read and write | -
52D0000 | trusted library allocation | page read and write | -
1204000 | trusted library allocation | page read and write | -
4693000 | trusted library allocation | page read and write | -
67A000 | stack | page read and write | -
A55C000 | stack | page read and write | -
1230000 | trusted library allocation | page read and write | -
509E000 | trusted library allocation | page read and write | -
FC0000 | heap | page read and write | -
7D0000 | heap | page read and write | -
C20000 | heap | page read and write | -
10CF000 | stack | page read and write | -
715E000 | stack | page read and write | -
3E93000 | trusted library allocation | page read and write | -
A70000 | heap | page read and write | -
109D000 | stack | page read and write | -
FB0000 | heap | page read and write | -
2B70000 | heap | page read and write | -
2BA8000 | trusted library allocation | page read and write | -
11F1000 | trusted library allocation | page read and write | -
3B93000 | trusted library allocation | page read and write | -
BF0000 | heap | page read and write | -
5D60000 | heap | page read and write | -
740E000 | stack | page read and write | -
11FD000 | trusted library allocation | page read and write | -
4708000 | trusted library allocation | page read and write | -
A65C000 | stack | page read and write | -
B7C000 | stack | page read and write | -
FA0000 | trusted library allocation | page read and write | -
1005000 | heap | page read and write | -
F80000 | trusted library allocation | page read and write | -
7499000 | heap | page read and write | -
AC1C000 | stack | page read and write | -
88F000 | unknown | page read and write | -
F70000 | trusted library allocation | page read and write | -
5170000 | heap | page execute and read and write | -
2AF0000 | trusted library allocation | page execute and read and write | -
2AD0000 | heap | page read and write | -
A7DE000 | stack | page read and write | -
BEB000 | trusted library allocation | page execute and read and write | -
1215000 | trusted library allocation | page read and write | -
9B6E000 | stack | page read and write | -
A36F000 | stack | page read and write | -
122E000 | stack | page read and write | -
3E69000 | trusted library allocation | page read and write | -
7590000 | trusted library allocation | page read and write | -
1210000 | heap | page read and write | -
FF7000 | heap | page read and write | -
10F0000 | heap | page read and write | -
3CBE000 | trusted library allocation | page read and write | -
2D40000 | heap | page execute and read and write | -
(332 further memdumps not shown)