IOC Report
1d0000.MSBuild.exe


Files

File Path
Type
Category
Malicious
1d0000.MSBuild.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
initial sample
malicious
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\1d0000.MSBuild.exe.log
CSV text
dropped
malicious
C:\Users\user\AppData\Roaming\X9ZLAQA9VR.exe
HTML document, Unicode text, UTF-8 text, with very long lines (18675), with no line terminators
dropped
malicious
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mkzaqcga.nqy.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rhpu5wea.rea.ps1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
data
dropped
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QUF1NVVHW3OTUB5EOR5A.temp
data
dropped
C:\Windows\appcompat\Programs\Amcache.hve
MS Windows registry file, NT/2000 or above
dropped

Processes

Path
Cmdline
Malicious
C:\Users\user\Desktop\1d0000.MSBuild.exe
"C:\Users\user\Desktop\1d0000.MSBuild.exe"
malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-Process 'C:\Users\user\AppData\Roaming\X9ZLAQA9VR.exe'"
malicious
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

URLs

Name
IP
Malicious
http://65.109.218.88/xh.php?id=208&build=nedr&passwords=0&cookies=2&username=user&country=US&ip=8.46.123.33&BSSID=d79588bde78585112204631caa39ca2b&wallets=0&token=xehook208828913883887&ext=0&filters=0&pcname=579569&cardsc=0&telegram=False&discord=False&steam=False&domaindetect=
65.109.218.88
malicious
http://65.109.218.88/
65.109.218.88
malicious
https://duckduckgo.com/chrome_newtab
unknown
https://duckduckgo.com/ac/?q=
unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico
unknown
https://yandex.com/support/smart-captcha/problems.html?form-unique_key=225b0967-11df21d1-b52d8c2e-3d
unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
unknown
http://upx.sf.net
unknown
http://65.109.218.88
unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
unknown
https://www.ecosia.org/newtab/
unknown
https://disk.yandex.com/showcaptcha?cc=1&mt=1B9EC1EB36A05FF151D32C1291C255F1500AFCBC8AB90758085DF922
unknown
https://ac.ecosia.org/autocomplete?q=
unknown
https://yandex.com/support/common/browsers-settings/browsers-java-js-settings.html
unknown
https://yastatic.net/s3/home-static/_/90/9034470dfcb0bea0db29a281007b8a38.png
unknown
https://disk.yandex.com/d/hBX5q37QQyYzxw
87.250.250.50
https://disk.yandex.com(
unknown
http://disk.yandex.com
unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
unknown
https://disk.yandex.com
unknown
http://ip-api.com/json/?fields=11827
208.95.112.1
http://65.109.218.88/xh.php?id=208&build=nedr&passwords=0&cookies=2&username=user&country=US&ip=8.
unknown
http://ip-api.com
unknown
http://65.109.218.88/getloader.php?id=208
unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
unknown
https://t.me/+w897k5UK_jIyNDgy
149.154.167.99
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
unknown
http://ip-api.com/line/?fields=hosting
unknown
(18 additional URLs not shown)

Domains

Name
IP
Malicious
disk.yandex.com
87.250.250.50
t.me
149.154.167.99
ip-api.com
208.95.112.1
fp2e7a.wpc.phicdn.net
192.229.221.95

IPs

IP
Domain
Country
Malicious
65.109.218.88
unknown
United States
malicious
208.95.112.1
ip-api.com
United States
87.250.250.50
disk.yandex.com
Russian Federation
149.154.167.99
t.me
United Kingdom

Registry

Path
Value
Malicious
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASAPI32
EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASAPI32
EnableAutoFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASAPI32
EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASAPI32
FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASAPI32
ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASAPI32
MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASAPI32
FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASMANCS
EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASMANCS
EnableAutoFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASMANCS
EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASMANCS
FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASMANCS
ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASMANCS
MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASMANCS
FileDirectory
(4 additional registry entries not shown)

Memdumps

Base Address
Regiontype
Protect
Malicious
1C2541E2000
unknown
page readonly
malicious
1C255E70000
trusted library allocation
page read and write
malicious
1C255FB5000
trusted library allocation
page read and write
8987EFE000
stack
page read and write
1C2541E0000
unknown
page readonly
8986FAE000
stack
page read and write
1C26E699000
heap
page read and write
8987CFE000
stack
page read and write
1C255E4A000
trusted library allocation
page read and write
1C26E6CE000
heap
page read and write
1C26E6A9000
heap
page read and write
1C256208000
trusted library allocation
page read and write
1C255EF7000
trusted library allocation
page read and write
1C255E01000
trusted library allocation
page read and write
1C26E64F000
heap
page read and write
1C2543D0000
heap
page read and write
1C26EF34000
heap
page read and write