Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| 1d0000.MSBuild.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | |
| C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\1d0000.MSBuild.exe.log | CSV text | dropped | |
| C:\Users\user\AppData\Roaming\X9ZLAQA9VR.exe | HTML document, Unicode text, UTF-8 text, with very long lines (18675), with no line terminators | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | data | dropped | |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mkzaqcga.nqy.psm1 | ASCII text, with no line terminators | dropped | |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rhpu5wea.rea.ps1 | ASCII text, with no line terminators | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy) | data | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QUF1NVVHW3OTUB5EOR5A.temp | data | dropped | |
| C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped | |
Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\1d0000.MSBuild.exe | "C:\Users\user\Desktop\1d0000.MSBuild.exe" | |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-Process 'C:\Users\user\AppData\Roaming\X9ZLAQA9VR.exe'" | |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
URLs

| Name | IP | Malicious |
|---|---|---|
| http://65.109.218.88/xh.php?id=208&build=nedr&passwords=0&cookies=2&username=user&country=US&ip=8.46.123.33&BSSID=d79588bde78585112204631caa39ca2b&wallets=0&token=xehook208828913883887&ext=0&filters=0&pcname=579569&cardsc=0&telegram=False&discord=False&steam=False&domaindetect= | 65.109.218.88 | |
| http://65.109.218.88/ | 65.109.218.88 | |
| https://duckduckgo.com/chrome_newtab | unknown | |
| https://duckduckgo.com/ac/?q= | unknown | |
| https://www.google.com/images/branding/product/ico/googleg_lodp.ico | unknown | |
| https://yandex.com/support/smart-captcha/problems.html?form-unique_key=225b0967-11df21d1-b52d8c2e-3d | unknown | |
| https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | unknown | |
| http://upx.sf.net | unknown | |
| http://65.109.218.88 | unknown | |
| https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | unknown | |
| https://www.ecosia.org/newtab/ | unknown | |
| https://disk.yandex.com/showcaptcha?cc=1&mt=1B9EC1EB36A05FF151D32C1291C255F1500AFCBC8AB90758085DF922 | unknown | |
| https://ac.ecosia.org/autocomplete?q= | unknown | |
| https://yandex.com/support/common/browsers-settings/browsers-java-js-settings.html | unknown | |
| https://yastatic.net/s3/home-static/_/90/9034470dfcb0bea0db29a281007b8a38.png | unknown | |
| https://disk.yandex.com/d/hBX5q37QQyYzxw | 87.250.250.50 | |
| https://disk.yandex.com( | unknown | |
| http://disk.yandex.com | unknown | |
| https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | unknown | |
| https://disk.yandex.com | unknown | |
| http://ip-api.com/json/?fields=11827 | 208.95.112.1 | |
| http://65.109.218.88/xh.php?id=208&build=nedr&passwords=0&cookies=2&username=user&country=US&ip=8. | unknown | |
| http://ip-api.com | unknown | |
| http://65.109.218.88/getloader.php?id=208 | unknown | |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | unknown | |
| https://t.me/+w897k5UK_jIyNDgy | 149.154.167.99 | |
| https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | unknown | |
| http://ip-api.com/line/?fields=hosting | unknown | |
Domains

| Name | IP | Malicious |
|---|---|---|
| disk.yandex.com | 87.250.250.50 | |
| t.me | 149.154.167.99 | |
| ip-api.com | 208.95.112.1 | |
| fp2e7a.wpc.phicdn.net | 192.229.221.95 | |
IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 65.109.218.88 | unknown | United States | |
| 208.95.112.1 | ip-api.com | United States | |
| 87.250.250.50 | disk.yandex.com | Russian Federation | |
| 149.154.167.99 | t.me | United Kingdom | |
Registry

| Path | Value | Malicious |
|---|---|---|
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASAPI32 | EnableFileTracing | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASAPI32 | EnableAutoFileTracing | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASAPI32 | EnableConsoleTracing | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASAPI32 | FileTracingMask | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASAPI32 | ConsoleTracingMask | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASAPI32 | MaxFileSize | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASAPI32 | FileDirectory | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASMANCS | EnableFileTracing | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASMANCS | EnableAutoFileTracing | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASMANCS | EnableConsoleTracing | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASMANCS | FileTracingMask | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASMANCS | ConsoleTracingMask | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASMANCS | MaxFileSize | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASMANCS | FileDirectory | |
Memdumps

| Base Address | Region Type | Protect | Malicious |
|---|---|---|---|
| 1C2541E2000 | unknown | page readonly | |
| 1C255E70000 | trusted library allocation | page read and write | |
| 1C255FB5000 | trusted library allocation | page read and write | |
| 8987EFE000 | stack | page read and write | |
| 1C2541E0000 | unknown | page readonly | |
| 8986FAE000 | stack | page read and write | |
| 1C26E699000 | heap | page read and write | |
| 8987CFE000 | stack | page read and write | |
| 1C255E4A000 | trusted library allocation | page read and write | |
| 1C26E6CE000 | heap | page read and write | |
| 1C26E6A9000 | heap | page read and write | |
| 1C256208000 | trusted library allocation | page read and write | |
| 1C255EF7000 | trusted library allocation | page read and write | |
| 1C255E01000 | trusted library allocation | page read and write | |
| 1C26E64F000 | heap | page read and write | |
| 1C2543D0000 | heap | page read and write | |
| 1C26EF34000 | heap | page read and write | |