Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
file.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
initial sample
|
 |
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_9fe2b44b45cabaf5e9b80eb2becdba8923fcbda_d2f759d2_2d8cec74-354d-460a-95ad-bf7884ef09de\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
|
|
|
C:\ProgramData\ECGDBFCBKFID\AEBGHD
|
SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8,
version-valid-for 11
|
dropped
|
||
|
C:\ProgramData\ECGDBFCBKFID\BAEHIE
|
SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie
0x21, schema 4, UTF-8, version-valid-for 3
|
dropped
|
||
|
C:\ProgramData\ECGDBFCBKFID\CBKFBA
|
SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie
0xb, schema 4, UTF-8, version-valid-for 1
|
dropped
|
||
|
C:\ProgramData\ECGDBFCBKFID\DBGHJE
|
SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4,
UTF-8, version-valid-for 2
|
dropped
|
||
|
C:\ProgramData\ECGDBFCBKFID\DGHIDH
|
SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie
0x24, schema 4, UTF-8, version-valid-for 2
|
modified
|
||
|
C:\ProgramData\ECGDBFCBKFID\GDBFHD
|
SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4,
UTF-8, version-valid-for 4
|
dropped
|
||
|
C:\ProgramData\ECGDBFCBKFID\KKEHDB
|
SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie
0xe, schema 4, UTF-8, version-valid-for 1
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDCA4.tmp.dmp
|
Mini DuMP crash report, 14 streams, Wed Jun 19 12:39:59 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD31.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD52.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
|
Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks,
0x1 compression
|
dropped
|
||
|
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sqlt[1].dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Windows\appcompat\Programs\Amcache.hve
|
MS Windows registry file, NT/2000 or above
|
dropped
|
There are 6 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Users\user\Desktop\file.exe
|
"C:\Users\user\Desktop\file.exe"
|
|
|
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
|
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
|
|
|
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
|
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
|
|
|
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
|
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
|
|
|
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 336
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
https://t.me/
|
unknown
|
|
|
|
https://t.me/memve4erin
|
149.154.167.99
|
|
|
|
https://t.me/m
|
unknown
|
|
|
|
https://steamcommunity.com/profiles/76561199699680841
|
|
||
|
https://duckduckgo.com/chrome_newtab
|
unknown
|
||
|
https://162.55.53.18:9000FID
|
unknown
|
||
|
https://162.55.53.18:9000/softokn3.dllEdge
|
unknown
|
||
|
https://162.55.53.18:9000/A
|
unknown
|
||
|
https://duckduckgo.com/ac/?q=
|
unknown
|
||
|
https://162.55.53.18:9000/B
|
unknown
|
||
|
https://web.telegram.org
|
unknown
|
||
|
https://162.55.53.18:9000/softokn3.dll10.15;
|
unknown
|
||
|
https://162.55.53.18:9000/freebl3.dllu
|
unknown
|
||
|
https://162.55.53.18:9000/sqlt.dll
|
unknown
|
||
|
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
|
unknown
|
||
|
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
|
unknown
|
||
|
https://162.55.53.18:9000646ff6le
|
unknown
|
||
|
https://162.55.53.18:9000/46ff6le
|
unknown
|
||
|
https://162.55.53.18:9000/msvcp140.dll
|
unknown
|
||
|
https://162.55.53.18:9000/tm
|
unknown
|
||
|
https://162.55.53.18:9000/softokn3.dll
|
unknown
|
||
|
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
|
unknown
|
||
|
https://162.55.53.18:9000/msvcp140.dllEdge
|
unknown
|
||
|
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
|
unknown
|
||
|
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
|
unknown
|
||
|
https://t.me/memve4erin&
|
unknown
|
||
|
https://162.55.53.18:9000/vcruntime140.dllUser
|
unknown
|
||
|
https://162.55.53.18:9000/p
|
unknown
|
||
|
https://162.55.53.18:9000/MH
|
unknown
|
||
|
https://162.55.53.18:9000/l
|
unknown
|
||
|
http://www.sqlite.org/copyright.html.
|
unknown
|
||
|
https://162.55.53.18:9000/freebl3.dllsposition:
|
unknown
|
||
|
https://www.google.com/images/branding/product/ico/googleg_lodp.ico
|
unknown
|
||
|
https://162.55.53.18:9000/bW
|
unknown
|
||
|
https://162.55.53.18:9000/vcruntime140.dlle
|
unknown
|
||
|
https://162.55.53.18:9000/
|
unknown
|
||
|
https://162.55.53.18:9000/sqlt.dllB
|
unknown
|
||
|
https://162.55.53.18:9000al
|
unknown
|
||
|
https://162.55.53.18:9000/ZG
|
unknown
|
||
|
https://162.55.53.18:9000tel
|
unknown
|
||
|
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
|
unknown
|
||
|
http://upx.sf.net
|
unknown
|
||
|
https://162.55.53.18:9000/nss3.dlloft
|
unknown
|
||
|
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
|
unknown
|
||
|
https://162.55.53.18:9000ming
|
unknown
|
||
|
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe
|
unknown
|
||
|
https://www.ecosia.org/newtab/
|
unknown
|
||
|
https://162.55.53.18:9000/vcruntime140.dll
|
unknown
|
||
|
https://ac.ecosia.org/autocomplete?q=
|
unknown
|
||
|
https://162.55.53.18:9000/Zm
|
unknown
|
||
|
https://162.55.53.18:9000nbfoldnt-Disposition:
|
unknown
|
||
|
https://162.55.53.18:9000/$
|
unknown
|
||
|
https://162.55.53.18:9000/vcruntime140.dllA
|
unknown
|
||
|
https://162.55.53.18:9000/freebl3.dll
|
unknown
|
||
|
https://162.55.53.18:9000/cG4
|
unknown
|
||
|
https://162.55.53.18:9000/vcruntime140.dllppet
|
unknown
|
||
|
https://162.55.53.18:9000/nss3.dllJ
|
unknown
|
||
|
https://162.55.53.18:9000
|
unknown
|
||
|
https://162.55.53.18:9000/softokn3.dll2
|
unknown
|
||
|
https://162.55.53.18:90001234567890hrome
|
unknown
|
||
|
https://162.55.53.18:9000/nss3.dll
|
unknown
|
||
|
https://162.55.53.18:9000/4
|
unknown
|
||
|
https://162.55.53.18/
|
unknown
|
||
|
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
|
unknown
|
||
|
https://162.55.53.18:9000/freebl3.dll~
|
unknown
|
||
|
https://162.55.53.18:9000/mozglue.dll
|
unknown
|
||
|
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
|
unknown
|
||
|
https://162.55.53.18:9000/.53.18:9000/
|
unknown
|
||
|
https://162.55.53.18:9000tacrosoft
|
unknown
|
There are 59 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
t.me
|
149.154.167.99
|
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
149.154.167.99
|
t.me
|
United Kingdom
|
|
|
|
162.55.53.18
|
unknown
|
United States
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
\REGISTRY\A\{1e5c0749-5a67-aa6e-2372-2b3b37a60da2}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
|
ProgramId
|
|
|
|
\REGISTRY\A\{1e5c0749-5a67-aa6e-2372-2b3b37a60da2}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
|
FileId
|
|
|
|
\REGISTRY\A\{1e5c0749-5a67-aa6e-2372-2b3b37a60da2}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
|
LowerCaseLongPath
|
|
|
|
\REGISTRY\A\{1e5c0749-5a67-aa6e-2372-2b3b37a60da2}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
|
LongPathHash
|
|
|
|
\REGISTRY\A\{1e5c0749-5a67-aa6e-2372-2b3b37a60da2}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
|
Name
|
|
|
|
\REGISTRY\A\{1e5c0749-5a67-aa6e-2372-2b3b37a60da2}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
|
OriginalFileName
|
|
|
|
\REGISTRY\A\{1e5c0749-5a67-aa6e-2372-2b3b37a60da2}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
|
Publisher
|
|
|
|
\REGISTRY\A\{1e5c0749-5a67-aa6e-2372-2b3b37a60da2}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
|
Version
|
|
|
|
\REGISTRY\A\{1e5c0749-5a67-aa6e-2372-2b3b37a60da2}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
|
BinFileVersion
|
|
|
|
\REGISTRY\A\{1e5c0749-5a67-aa6e-2372-2b3b37a60da2}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
|
BinaryType
|
|
|
|
\REGISTRY\A\{1e5c0749-5a67-aa6e-2372-2b3b37a60da2}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
|
ProductName
|
|
|
|
\REGISTRY\A\{1e5c0749-5a67-aa6e-2372-2b3b37a60da2}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
|
ProductVersion
|
|
|
|
\REGISTRY\A\{1e5c0749-5a67-aa6e-2372-2b3b37a60da2}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
|
LinkDate
|
|
|
|
\REGISTRY\A\{1e5c0749-5a67-aa6e-2372-2b3b37a60da2}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
|
BinProductVersion
|
|
|
|
\REGISTRY\A\{1e5c0749-5a67-aa6e-2372-2b3b37a60da2}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
|
AppxPackageFullName
|
|
|
|
\REGISTRY\A\{1e5c0749-5a67-aa6e-2372-2b3b37a60da2}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
|
AppxPackageRelativeId
|
|
|
|
\REGISTRY\A\{1e5c0749-5a67-aa6e-2372-2b3b37a60da2}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
|
Size
|
|
|
|
\REGISTRY\A\{1e5c0749-5a67-aa6e-2372-2b3b37a60da2}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
|
Language
|
|
|
|
\REGISTRY\A\{1e5c0749-5a67-aa6e-2372-2b3b37a60da2}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
|
Usn
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
|
ClockTimeSeconds
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
|
TickCount
|
There are 11 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
453000
|
remote allocation
|
page execute and read and write
|
|
|
|
400000
|
remote allocation
|
page execute and read and write
|
|
|
|
100A000
|
unkown
|
page read and write
|
|
|
|
1B5DD000
|
direct allocation
|
page execute read
|
||
|
1041000
|
unkown
|
page readonly
|
||
|
1041000
|
unkown
|
page readonly
|
||
|
1503F000
|
stack
|
page read and write
|
||
|
1B5E8000
|
direct allocation
|
page readonly
|
||
|
162A000
|
heap
|
page read and write
|
||
|
356E000
|
stack
|
page read and write
|
||
|
E14F000
|
stack
|
page read and write
|
||
|
F70000
|
heap
|
page read and write
|
||
|
1510000
|
direct allocation
|
page execute and read and write
|
||
|
31BE000
|
stack
|
page read and write
|
||
|
C00000
|
heap
|
page read and write
|
||
|
1073D000
|
stack
|
page read and write
|
||
|
10E2000
|
heap
|
page read and write
|
||
|
106ED000
|
stack
|
page read and write
|
||
|
12BFE000
|
stack
|
page read and write
|
||
|
1640000
|
heap
|
page read and write
|
||
|
48E000
|
remote allocation
|
page execute and read and write
|
||
|
1B536000
|
direct allocation
|
page execute read
|
||
|
1570000
|
heap
|
page read and write
|
||
|
1009000
|
heap
|
page read and write
|
||
|
1B61F000
|
direct allocation
|
page readonly
|
||
|
89C000
|
stack
|
page read and write
|
||
|
DFEE000
|
stack
|
page read and write
|
||
|
1194000
|
heap
|
page read and write
|
||
|
1150000
|
heap
|
page read and write
|
||
|
15050000
|
heap
|
page read and write
|
||
|
10BD000
|
heap
|
page read and write
|
||
|
BBAC000
|
stack
|
page read and write
|
||
|
352E000
|
stack
|
page read and write
|
||
|
1B3D8000
|
direct allocation
|
page execute read
|
||
|
15674000
|
heap
|
page read and write
|
||
|
993000
|
stack
|
page read and write
|
||
|
FD0000
|
unkown
|
page readonly
|
||
|
1160000
|
heap
|
page read and write
|
||
|
1643000
|
heap
|
page read and write
|
||
|
D50000
|
heap
|
page read and write
|
||
|
E04E000
|
stack
|
page read and write
|
||
|
10A8000
|
heap
|
page read and write
|
||
|
99E000
|
stack
|
page read and write
|
||
|
4D5000
|
remote allocation
|
page execute and read and write
|
||
|
4B6000
|
remote allocation
|
page execute and read and write
|
||
|
10CF000
|
heap
|
page read and write
|
||
|
D90000
|
heap
|
page read and write
|
||
|
11AE000
|
stack
|
page read and write
|
||
|
E2AE000
|
stack
|
page read and write
|
||
|
FFE000
|
unkown
|
page readonly
|
||
|
491000
|
remote allocation
|
page execute and read and write
|
||
|
62F000
|
remote allocation
|
page execute and read and write
|
||
|
10B7000
|
heap
|
page read and write
|
||
|
FD1000
|
heap
|
page read and write
|
||
|
114D000
|
stack
|
page read and write
|
||
|
104F000
|
heap
|
page read and write
|
||
|
15057000
|
heap
|
page read and write
|
||
|
3595000
|
heap
|
page read and write
|
||
|
1B61A000
|
direct allocation
|
page readonly
|
||
|
1B61D000
|
direct allocation
|
page readonly
|
||
|
1B3D0000
|
direct allocation
|
page execute and read and write
|
||
|
155AF000
|
heap
|
page read and write
|
||
|
1B612000
|
direct allocation
|
page read and write
|
||
|
FD0000
|
unkown
|
page readonly
|
||
|
12B7D000
|
stack
|
page read and write
|
||
|
FFE000
|
unkown
|
page readonly
|
||
|
152FF000
|
heap
|
page read and write
|
||
|
181F000
|
stack
|
page read and write
|
||
|
56E000
|
remote allocation
|
page execute and read and write
|
||
|
1546F000
|
heap
|
page read and write
|
||
|
162E000
|
heap
|
page read and write
|
||
|
497000
|
remote allocation
|
page execute and read and write
|
||
|
11EE000
|
stack
|
page read and write
|
||
|
1040000
|
unkown
|
page write copy
|
||
|
15054000
|
heap
|
page read and write
|
||
|
FF2000
|
heap
|
page read and write
|
||
|
100A000
|
unkown
|
page write copy
|
||
|
151EC000
|
stack
|
page read and write
|
||
|
152EC000
|
stack
|
page read and write
|
||
|
1B5DF000
|
direct allocation
|
page readonly
|
||
|
D95000
|
heap
|
page read and write
|
||
|
CE0000
|
heap
|
page read and write
|
||
|
155CD000
|
heap
|
page read and write
|
||
|
3270000
|
heap
|
page read and write
|
||
|
15468000
|
heap
|
page read and write
|
||
|
E160000
|
heap
|
page read and write
|
||
|
FD1000
|
unkown
|
page execute read
|
||
|
103D000
|
unkown
|
page read and write
|
||
|
15676000
|
heap
|
page read and write
|
||
|
F7A000
|
heap
|
page read and write
|
||
|
11ED000
|
heap
|
page read and write
|
||
|
1620000
|
heap
|
page read and write
|
||
|
640000
|
remote allocation
|
page execute and read and write
|
||
|
1053000
|
heap
|
page read and write
|
||
|
33EE000
|
stack
|
page read and write
|
||
|
34EF000
|
stack
|
page read and write
|
||
|
1058000
|
heap
|
page read and write
|
||
|
D70000
|
heap
|
page read and write
|
||
|
191F000
|
stack
|
page read and write
|
||
|
F7C000
|
stack
|
page read and write
|
||
|
1140000
|
heap
|
page read and write
|
||
|
1B3D1000
|
direct allocation
|
page execute read
|
||
|
FD1000
|
unkown
|
page execute read
|
||
|
3590000
|
heap
|
page read and write
|
||
|
15450000
|
heap
|
page read and write
|
||
|
150D000
|
stack
|
page read and write
|
There are 96 hidden memdumps, click here to show them.