IOC Report
5qJ6QQTcRS.exe


Files

File Path | Type | Category | Malicious
5qJ6QQTcRS.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | malicious
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5qJ6QQTcRS.exe.log | ASCII text, with CRLF line terminators | dropped | malicious

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\5qJ6QQTcRS.exe | "C:\Users\user\Desktop\5qJ6QQTcRS.exe" | malicious
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" | malicious

URLs

Name | IP | Malicious
https://www.office.com/ | unknown
https://duckduckgo.com/chrome_newtab | unknown
https://duckduckgo.com/ac/?q= | unknown
https://reallyfreegeoip.org/xml/8.46.123.189 | 104.21.112.1
https://api.telegram.org | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | unknown
https://api.telegram.org/bot | unknown
https://www.office.com/lB | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | unknown
http://checkip.dyndns.org | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text= | unknown
https://chrome.google.com/webstore?hl=en | unknown
https://www.ecosia.org/newtab/ | unknown
http://varders.kozow.com:8081 | unknown
http://aborters.duckdns.org:8081 | unknown
https://ac.ecosia.org/autocomplete?q= | unknown
http://checkip.dyndns.org/ | 158.101.44.242
http://anotherarmy.dns.army:8081 | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:704672%0D%0ADate%20and%20Time:%2011/01/2025%20/%2010:40:33%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20704672%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | 149.154.167.220
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | unknown
http://checkip.dyndns.org/q | unknown
https://chrome.google.com/webstore?hl=enlB | unknown
https://reallyfreegeoip.org/xml/8.46.123.189$ | unknown
https://reallyfreegeoip.org | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:704672%0D%0ADate%20a | unknown
https://reallyfreegeoip.org/xml/ | unknown
20 additional URLs not shown in this report.

Domains

Name | IP | Malicious
reallyfreegeoip.org | 104.21.112.1
api.telegram.org | 149.154.167.220
checkip.dyndns.com | 158.101.44.242
checkip.dyndns.org | unknown

IPs

IP | Domain | Country | Malicious
149.154.167.220 | api.telegram.org | United Kingdom
104.21.112.1 | reallyfreegeoip.org | United States
158.101.44.242 | checkip.dyndns.com | United States

Registry

Path | Value | Malicious
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing | EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32 | EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32 | EnableAutoFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32 | EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32 | FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32 | ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32 | MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32 | FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASMANCS | EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASMANCS | EnableAutoFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASMANCS | EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASMANCS | FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASMANCS | ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASMANCS | MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASMANCS | FileDirectory
5 additional registry entries not shown in this report.

Memdumps

Base Address | Regiontype | Protect | Malicious
3A2F000 | trusted library allocation | page read and write | malicious
5B60000 | trusted library section | page read and write | malicious
39A9000 | trusted library allocation | page read and write | malicious
2A51000 | trusted library allocation | page read and write | malicious
29A1000 | trusted library allocation | page read and write | malicious
402000 | remote allocation | page execute and read and write | malicious
D90000 | unknown | page execute read
2C0A000 | trusted library allocation | page read and write
C88000 | heap | page read and write
337C000 | trusted library allocation | page read and write
3ABB000 | trusted library allocation | page read and write
2E82000 | trusted library allocation | page read and write
55FE000 | stack | page read and write
2B09000 | trusted library allocation | page read and write
62FA000 | heap | page read and write
3C1C000 | trusted library allocation | page read and write
60DE000 | stack | page read and write
3C72000 | trusted library allocation | page read and write
773D000 | stack | page read and write
F84000 | heap | page read and write
286E000 | stack | page read and write
5590000