Files

File Path | Type | Category | Malicious
---|---|---|---
5qJ6QQTcRS.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample |
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5qJ6QQTcRS.exe.log | ASCII text, with CRLF line terminators | dropped |

Processes

Path | Cmdline | Malicious
---|---|---
C:\Users\user\Desktop\5qJ6QQTcRS.exe | "C:\Users\user\Desktop\5qJ6QQTcRS.exe" |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" |

URLs

Name | IP | Malicious
---|---|---
https://www.office.com/ | unknown |
https://duckduckgo.com/chrome_newtab | unknown |
https://duckduckgo.com/ac/?q= | unknown |
https://reallyfreegeoip.org/xml/8.46.123.189 | 104.21.112.1 |
https://api.telegram.org | unknown |
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | unknown |
https://api.telegram.org/bot | unknown |
https://www.office.com/lB | unknown |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | unknown |
http://checkip.dyndns.org | unknown |
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | unknown |
https://api.telegram.org/bot/sendMessage?chat_id=&text= | unknown |
https://chrome.google.com/webstore?hl=en | unknown |
https://www.ecosia.org/newtab/ | unknown |
http://varders.kozow.com:8081 | unknown |
http://aborters.duckdns.org:8081 | unknown |
https://ac.ecosia.org/autocomplete?q= | unknown |
http://checkip.dyndns.org/ | 158.101.44.242 |
http://anotherarmy.dns.army:8081 | unknown |
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:704672%0D%0ADate%20and%20Time:%2011/01/2025%20/%2010:40:33%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20704672%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | 149.154.167.220 |
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | unknown |
http://checkip.dyndns.org/q | unknown |
https://chrome.google.com/webstore?hl=enlB | unknown |
https://reallyfreegeoip.org/xml/8.46.123.189$ | unknown |
https://reallyfreegeoip.org | unknown |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | unknown |
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | unknown |
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | unknown |
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:704672%0D%0ADate%20a | unknown |
https://reallyfreegeoip.org/xml/ | unknown |

Domains

Name | IP | Malicious
---|---|---
reallyfreegeoip.org | 104.21.112.1 |
api.telegram.org | 149.154.167.220 |
checkip.dyndns.com | 158.101.44.242 |
checkip.dyndns.org | unknown |

IPs

IP | Domain | Country | Malicious
---|---|---|---
149.154.167.220 | api.telegram.org | United Kingdom |
104.21.112.1 | reallyfreegeoip.org | United States |
158.101.44.242 | checkip.dyndns.com | United States |

Registry

Path | Value | Malicious
---|---|---
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing | EnableConsoleTracing |
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32 | EnableFileTracing |
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32 | EnableAutoFileTracing |
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32 | EnableConsoleTracing |
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32 | FileTracingMask |
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32 | ConsoleTracingMask |
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32 | MaxFileSize |
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32 | FileDirectory |
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASMANCS | EnableFileTracing |
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASMANCS | EnableAutoFileTracing |
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASMANCS | EnableConsoleTracing |
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASMANCS | FileTracingMask |
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASMANCS | ConsoleTracingMask |
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASMANCS | MaxFileSize |
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASMANCS | FileDirectory |

Memdumps

Base Address | Region type | Protect | Malicious
---|---|---|---
3A2F000 | trusted library allocation | page read and write |
5B60000 | trusted library section | page read and write |
39A9000 | trusted library allocation | page read and write |
2A51000 | trusted library allocation | page read and write |
29A1000 | trusted library allocation | page read and write |
402000 | remote allocation | page execute and read and write |
D90000 | unkown | page execute read |
2C0A000 | trusted library allocation | page read and write |
C88000 | heap | page read and write |
337C000 | trusted library allocation | page read and write |
3ABB000 | trusted library allocation | page read and write |
2E82000 | trusted library allocation | page read and write |
55FE000 | stack | page read and write |
2B09000 | trusted library allocation | page read and write |
62FA000 | heap | page read and write |
3C1C000 | trusted library allocation | page read and write |
60DE000 | stack | page read and write |
3C72000 | trusted library allocation | page read and write |
773D000 | stack | page read and write |
F84000 | heap | page read and write |
286E000 | stack | page read and write |
5590000 | | |