IOC Report
SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe

Files

File Path | Type | Category | Malicious
SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | malicious
C:\Users\user\AppData\Local\Temp\tmpD46C.tmp | XML 1.0 document, ASCII text | dropped | malicious
C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.log | ASCII text, with CRLF line terminators | dropped |
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tXBTtgndxsp.exe.log | ASCII text, with CRLF line terminators | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | data | dropped |
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3fuehawq.v5v.psm1 | ASCII text, with no line terminators | dropped |
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cfcc231m.bdy.psm1 | ASCII text, with no line terminators | dropped |
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m0af0yr3.l2b.ps1 | ASCII text, with no line terminators | dropped |
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z5t5ijhw.djf.ps1 | ASCII text, with no line terminators | dropped |
C:\Users\user\AppData\Local\Temp\tmpE610.tmp | XML 1.0 document, ASCII text | dropped |
C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe:Zone.Identifier | ASCII text, with CRLF line terminators | dropped |

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe | "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe" | malicious
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe" | malicious
C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tXBTtgndxsp" /XML "C:\Users\user\AppData\Local\Temp\tmpD46C.tmp" | malicious
C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe | "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe" | malicious
C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe | C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe | malicious
C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tXBTtgndxsp" /XML "C:\Users\user\AppData\Local\Temp\tmpE610.tmp" | malicious
C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe | "C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe" | malicious
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
C:\Windows\System32\wbem\WmiPrvSE.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding |
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
C:\Windows\System32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -s W32Time |

URLs

Name | IP | Malicious
https://api.ipify.org/ | 104.26.12.205 |
https://api.ipify.org | unknown |
https://sectigo.com/CPS0 | unknown |
https://account.dyn.com/ | unknown |
https://api.ipify.org/t | unknown |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | unknown |
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | unknown |
http://ocsp.comodo | unknown |
http://nl9.nlkoddos.com | unknown |

Domains

Name | IP | Malicious
nl9.nlkoddos.com | 89.249.49.141 | malicious
api.ipify.org | 104.26.12.205 |
time.windows.com | unknown |

IPs

IP | Domain | Country | Malicious
89.249.49.141 | nl9.nlkoddos.com | Russian Federation | malicious
104.26.12.205 | api.ipify.org | United States |

Registry

Path