Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
xbOnlYALvtUq.exe
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
initial sample
|
 |
|
|
\Device\ConDrv
|
ASCII text, with CRLF line terminators
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Users\user\Desktop\xbOnlYALvtUq.exe
|
C:\Users\user\Desktop\xbOnlYALvtUq.exe
|
|
|
|
C:\Windows\SysWOW64\netsh.exe
|
netsh firewall add allowedprogram "C:\Users\user\Desktop\xbOnlYALvtUq.exe" "xbOnlYALvtUq.exe" ENABLE
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
0.tcp.sa.ngrok.io
|
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
0.tcp.sa.ngrok.io
|
18.228.115.60
|
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
18.228.115.60
|
0.tcp.sa.ngrok.io
|
United States
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER
|
di
|
||
|
HKEY_CURRENT_USER\Environment
|
SEE_MASK_NOZONECHECKS
|
||
|
HKEY_CURRENT_USER\SOFTWARE\5bfe00b9b88f2456727afb4cd20491af
|
[kl]
|
||
|
HKEY_CURRENT_USER\SOFTWARE\5bfe00b9b88f2456727afb4cd20491af
|
3fc6b884fbc29ec00482827c26669b2b
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7A2000
|
unkown
|
page readonly
|
|
|
|
59B0000
|
trusted library section
|
page read and write
|
|
|
|
2E11000
|
trusted library allocation
|
page read and write
|
|
|
|
10B2000
|
trusted library allocation
|
page execute and read and write
|
||
|
D0B000
|
heap
|
page read and write
|
||
|
56A0000
|
heap
|
page read and write
|
||
|
D3F000
|
heap
|
page read and write
|
||
|
D1F000
|
heap
|
page read and write
|
||
|
D03000
|
heap
|
page read and write
|
||
|
D3F000
|
heap
|
page read and write
|
||
|
51CD000
|
heap
|
page read and write
|
||
|
CD1000
|
heap
|
page read and write
|
||
|
688AA000
|
heap
|
page read and write
|
||
|
D23000
|
heap
|
page read and write
|
||
|
67B0000
|
heap
|
page read and write
|
||
|
D36000
|
heap
|
page read and write
|
||
|
D0A000
|
heap
|
page read and write
|
||
|
D81000
|
heap
|
page read and write
|
||
|
2EB2000
|
trusted library allocation
|
page read and write
|
||
|
18608000
|
heap
|
page read and write
|
||
|
5170000
|
unclassified section
|
page read and write
|
||
|
CC4000
|
heap
|
page read and write
|
||
|
1884C000
|
heap
|
page read and write
|
||
|
34923000
|
heap
|
page read and write
|
||
|
F30000
|
heap
|
page read and write
|
||
|
D3A000
|
heap
|
page read and write
|
||
|
D87000
|
heap
|
page read and write
|
||
|
CFA000
|
heap
|
page read and write
|
||
|
DA3000
|
heap
|
page read and write
|
||
|
D52000
|
heap
|
page read and write
|
||
|
504C000
|
stack
|
page read and write
|
||
|
D22000
|
heap
|
page read and write
|
||
|
D23000
|
heap
|
page read and write
|
||
|
D0B000
|
heap
|
page read and write
|
||
|
D35000
|
heap
|
page read and write
|
||
|
D34000
|
heap
|
page read and write
|
||
|
1070000
|
trusted library allocation
|
page read and write
|
||
|
59D0000
|
trusted library allocation
|
page execute and read and write
|
||
|
B70000
|
unclassified section
|
page readonly
|
||
|
5000000
|
heap
|
page read and write
|
||
|
D3F000
|
heap
|
page read and write
|
||
|
D1D000
|
heap
|
page read and write
|
||
|
D31000
|
heap
|
page read and write
|
||
|
34695000
|
heap
|
page read and write
|
||
|
D2C000
|
heap
|
page read and write
|
||
|
D3B000
|
heap
|
page read and write
|
||
|
595D000
|
stack
|
page read and write
|
||
|
DBE000
|
heap
|
page read and write
|
||
|
6C61000
|
heap
|
page read and write
|
||
|
5B2D000
|
stack
|
page read and write
|
||
|
55F0000
|
heap
|
page read and write
|
||
|
2E88000
|
trusted library allocation
|
page read and write
|
||
|
CFD000
|
heap
|
page read and write
|
||
|
D0A000
|
heap
|
page read and write
|
||
|
34868000
|
heap
|
page read and write
|
||
|
E2E000
|
stack
|
page read and write
|
||
|
D91000
|
heap
|
page read and write
|
||
|
D33000
|
heap
|
page read and write
|
||
|
D38000
|
heap
|
page read and write
|
||
|
51CD000
|
heap
|
page read and write
|
||
|
D35000
|
heap
|
page read and write
|
||
|
585B000
|
stack
|
page read and write
|
||
|
D52000
|
heap
|
page read and write
|
||
|
BC0000
|
heap
|
page read and write
|
||
|
189AF000
|
heap
|
page read and write
|
||
|
AEE000
|
unkown
|
page read and write
|
||
|
18814000
|
heap
|
page read and write
|
||
|
CB0000
|
heap
|
page read and write
|
||
|
CF0000
|
heap
|
page read and write
|
||
|
D06000
|
heap
|
page read and write
|
||
|
FF6000
|
heap
|
page read and write
|
||
|
CFF000
|
heap
|
page read and write
|
||
|
4AA0000
|
heap
|
page read and write
|