Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| 56bDgH9sMQ.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_56bDgH9sMQ.exe_6753fc4336f189f5fb3908672f6549aff5ec85_db4f562b_8bf834f7-d476-4e10-bc4d-96a40156ebb2\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\CFIEBKEHCAKF\BAKFCB | SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4 | dropped | |
| C:\ProgramData\CFIEBKEHCAKF\BGDAAK | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3 | dropped | |
| C:\ProgramData\CFIEBKEHCAKF\HDGDHC | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1 | dropped | |
| C:\ProgramData\CFIEBKEHCAKF\HJDBKJ | SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11 | dropped | |
| C:\ProgramData\CFIEBKEHCAKF\IECGHJ | SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2 | dropped | |
| C:\ProgramData\CFIEBKEHCAKF\JECAEH | SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2 | modified | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC95.tmp.dmp | Mini DuMP crash report, 14 streams, Mon Jul 1 07:12:17 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD03.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD43.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression | dropped | |
| C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | data | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sqlt[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped | |
Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\56bDgH9sMQ.exe | "C:\Users\user\Desktop\56bDgH9sMQ.exe" | |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 7736 -s 324 | |
URLs

| Name | IP | Malicious |
|---|---|---|
| https://t.me/ | unknown | |
| https://steamcommunity.com/profiles/76561199707802586 | | |
| https://t.me/g067n | 149.154.167.99 | |
| https://duckduckgo.com/chrome_newtab | unknown | |
| https://duckduckgo.com/ac/?q= | unknown | |
| https://195.201.251.214:9000/mozglue.dll | unknown | |
| https://195.201.251.214:9000/nss3.dll | unknown | |
| https://195.201.251.214:9000/y | unknown | |
| https://web.telegram.org | unknown | |
| https://steamcommunity.com/profiles/76561199707802586hellosqlt.dllsqlite3.dll | unknown | |
| https://195.201.251.214:9000/ | unknown | |
| https://195.201.251.214:9000/l | unknown | |
| https://195.201.251.214:9000/vcruntime140.dllt | unknown | |
| https://195.201.251.214:9000/mozglue.dllge | unknown | |
| https://195.201.251.214:9000/9zn | unknown | |
| https://195.201.251.214:9000/nss3.dllA | unknown | |
| https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | unknown | |
| https://195.201.251.214:9000/vcruntime140.dlls | unknown | |
| https://195.201.251.214:9000/Mac | unknown | |
| https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | unknown | |
| https://195.201.251.214:9000/icrosoft | unknown | |
| https://195.201.251.214:9000Google | unknown | |
| https://195.201.251.214:9000/0cosoft | unknown | |
| https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe | unknown | |
| https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | unknown | |
| https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | unknown | |
| https://195.201.251.214:9000/freebl3.dllffsets | unknown | |
| https://195.201.251.214:9000/mozglue.dlla | unknown | |
| https://t.me/g067nJt | unknown | |
| https://195.201.251.214:9000/freebl3.dll | unknown | |
| https://195.201.251.214:9000/softokn3.dll | unknown | |
| https://195.201.251.214:9000/nss3.dllU | unknown | |
| https://t.me/g067nry1neMozilla/5.0 | unknown | |
| http://www.sqlite.org/copyright.html. | unknown | |
| https://195.201.251.214:9000/mozglue.dllo | unknown | |
| https://195.201.251.214:9000/freebl3.dllatch | unknown | |
| https://195.201.251.214:9000/msvcp140.dllet | unknown | |
| https://195.201.251.214:9000g | unknown | |
| https://195.201.251.214:9000/nss3.dllo | unknown | |
| https://www.google.com/images/branding/product/ico/googleg_lodp.ico | unknown | |
| https://195.201.251.214:9000/msvcp140.dll | unknown | |
| https://195.201.251.214:9000/:9000 | unknown | |
| https://195.201.251.214:900030cle | unknown | |
| https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | unknown | |
| http://upx.sf.net | unknown | |
| https://195.201.251.214:9000/freebl3.dllm | unknown | |
| https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | unknown | |
| https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe | unknown | |
| https://www.ecosia.org/newtab/ | unknown | |
| https://195.201.251.214:9000/freebl3.dllu | unknown | |
| https://195.201.251.214:9000/nzC | unknown | |
| https://195.201.251.214:9000/vcruntime140.dller | unknown | |
| https://195.201.251.214:9000/softokn3.dllll | unknown | |
| https://195.201.251.214:9000/vcruntime140.dll | unknown | |
| https://ac.ecosia.org/autocomplete?q= | unknown | |
| https://195.201.251.214:9000/msvcp140.dlle | unknown | |
| https://195.201.251.214:9000/softokn3.dlle | unknown | |
| https://195.201.251.214:9000/vcruntime140.dllD | unknown | |
| https://195.201.251.214:9000/nes | unknown | |
| https://195.201.251.214:9000/freebl3.dllge | unknown | |
| https://195.201.251.214:9000/O | unknown | |
| https://t.me/pjm | unknown | |
| https://195.201.251.214:9000/softokn3.dllV | unknown | |
| https://195.201.251.214/ | unknown | |
| https://195.201.251.214:9000 | unknown | |
| https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | unknown | |
| https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | unknown | |
| https://195.201.251.214:9000/sqlt.dll | unknown | |
| https://195.201.251.214:9000Microsoft | unknown | |
Domains

| Name | IP | Malicious |
|---|---|---|
| t.me | 149.154.167.99 | |
| windowsupdatebg.s.llnwi.net | 87.248.205.0 | |
IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 149.154.167.99 | t.me | United Kingdom | |
| 195.201.251.214 | unknown | Germany | |
Registry

| Path | Value | Malicious |
|---|---|---|
| \REGISTRY\A\{e8bd9ed6-d640-2622-5323-12d307ab7bec}\Root\InventoryApplicationFile\56bdgh9smq.exe\|c537a3c4a19e7b | ProgramId | |
| \REGISTRY\A\{e8bd9ed6-d640-2622-5323-12d307ab7bec}\Root\InventoryApplicationFile\56bdgh9smq.exe\|c537a3c4a19e7b | FileId | |
| \REGISTRY\A\{e8bd9ed6-d640-2622-5323-12d307ab7bec}\Root\InventoryApplicationFile\56bdgh9smq.exe\|c537a3c4a19e7b | LowerCaseLongPath | |
| \REGISTRY\A\{e8bd9ed6-d640-2622-5323-12d307ab7bec}\Root\InventoryApplicationFile\56bdgh9smq.exe\|c537a3c4a19e7b | LongPathHash | |
| \REGISTRY\A\{e8bd9ed6-d640-2622-5323-12d307ab7bec}\Root\InventoryApplicationFile\56bdgh9smq.exe\|c537a3c4a19e7b | Name | |
| \REGISTRY\A\{e8bd9ed6-d640-2622-5323-12d307ab7bec}\Root\InventoryApplicationFile\56bdgh9smq.exe\|c537a3c4a19e7b | OriginalFileName | |
| \REGISTRY\A\{e8bd9ed6-d640-2622-5323-12d307ab7bec}\Root\InventoryApplicationFile\56bdgh9smq.exe\|c537a3c4a19e7b | Publisher | |
| \REGISTRY\A\{e8bd9ed6-d640-2622-5323-12d307ab7bec}\Root\InventoryApplicationFile\56bdgh9smq.exe\|c537a3c4a19e7b | Version | |
| \REGISTRY\A\{e8bd9ed6-d640-2622-5323-12d307ab7bec}\Root\InventoryApplicationFile\56bdgh9smq.exe\|c537a3c4a19e7b | BinFileVersion | |
| \REGISTRY\A\{e8bd9ed6-d640-2622-5323-12d307ab7bec}\Root\InventoryApplicationFile\56bdgh9smq.exe\|c537a3c4a19e7b | BinaryType | |
| \REGISTRY\A\{e8bd9ed6-d640-2622-5323-12d307ab7bec}\Root\InventoryApplicationFile\56bdgh9smq.exe\|c537a3c4a19e7b | ProductName | |
| \REGISTRY\A\{e8bd9ed6-d640-2622-5323-12d307ab7bec}\Root\InventoryApplicationFile\56bdgh9smq.exe\|c537a3c4a19e7b | ProductVersion | |
| \REGISTRY\A\{e8bd9ed6-d640-2622-5323-12d307ab7bec}\Root\InventoryApplicationFile\56bdgh9smq.exe\|c537a3c4a19e7b | LinkDate | |
| \REGISTRY\A\{e8bd9ed6-d640-2622-5323-12d307ab7bec}\Root\InventoryApplicationFile\56bdgh9smq.exe\|c537a3c4a19e7b | BinProductVersion | |
| \REGISTRY\A\{e8bd9ed6-d640-2622-5323-12d307ab7bec}\Root\InventoryApplicationFile\56bdgh9smq.exe\|c537a3c4a19e7b | AppxPackageFullName | |
| \REGISTRY\A\{e8bd9ed6-d640-2622-5323-12d307ab7bec}\Root\InventoryApplicationFile\56bdgh9smq.exe\|c537a3c4a19e7b | AppxPackageRelativeId | |
| \REGISTRY\A\{e8bd9ed6-d640-2622-5323-12d307ab7bec}\Root\InventoryApplicationFile\56bdgh9smq.exe\|c537a3c4a19e7b | Size | |
| \REGISTRY\A\{e8bd9ed6-d640-2622-5323-12d307ab7bec}\Root\InventoryApplicationFile\56bdgh9smq.exe\|c537a3c4a19e7b | Language | |
| \REGISTRY\A\{e8bd9ed6-d640-2622-5323-12d307ab7bec}\Root\InventoryApplicationFile\56bdgh9smq.exe\|c537a3c4a19e7b | Usn | |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData | ClockTimeSeconds | |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData | TickCount | |
Memdumps

| Base Address | Region type | Protect | Malicious |
|---|---|---|---|
| 400000 | remote allocation | page execute and read and write | |
| C94000 | unknown | page read and write | |
| 445000 | remote allocation | page execute and read and write | |
| 1991C000 | stack | page read and write | |
| DCF000 | stack | page read and write | |
| 8A0000 | heap | page read and write | |
| 3FE000 | stack | page read and write | |
| 4A6000 | remote allocation | page execute and read and write | |
| 1069000 | heap | page read and write | |
| 1FA28000 | direct allocation | page execute read | |
| 1FC6D000 | direct allocation | page readonly | |
| 1FC6A000 | direct allocation | page readonly | |
| 360000 | heap | page read and write | |
| 643000 | remote allocation | page execute and read and write | |
| 1FB86000 | direct allocation | page execute read | |
| 114E000 | heap | page read and write | |
| 1709D000 | stack | page read and write | |
| 116D000 | heap | page read and write | |
| 1FC6F000 | direct allocation | page readonly | |
| C61000 | unknown | page execute read | |
| 10F1000 | heap | page read and write | |
| DCE000 | stack | page read and write | |
| 5C8000 | remote allocation | page execute and read and write | |
| 1981C000 | stack | page read and write | |
| BC0000 | heap | page read and write | |
| 14A1C000 | stack | page read and write | |
| 1966F000 | stack | page read and write | |
| 860000 | direct allocation | page execute and read and write | |
| C61000 | unknown | page execute read | |
| 196FD000 | heap | page read and write | |
| 1712E000 | stack | page read and write | |
| FF9F000 | stack | page read and write | |
| 370000 | heap | page read and write | |
| 1FC2D000 | direct allocation | page execute read | |
| B5C000 | stack | page read and write | |
| 9A0000 | heap | page read and write | |
| C88000 | unknown | page readonly | |
| 439000 | remote allocation | page execute and read and write | |
| 1036000 | heap | page read and write | |
| 1FC2F000 | direct allocation | page readonly | |
| 3BE000 | stack | page read and write | |
| 1FC62000 | direct allocation | page read and write | |
| 276D000 | stack | page read and write | |
| 266E000 | stack | page read and write | |
| 19947000 | heap | page read and write | |
| 9680000 | heap | page read and write | |
| 103C000 | heap | page read and write | |
| C94000 | unknown | page write copy | |
| 9670000 | heap | page read and write | |
| 124DD000 | stack | page read and write | |
| F0A000 | heap | page read and write | |
| F4F000 | heap | page read and write | |
| 19690000 | heap | page read and write | |
| F81000 | heap | page read and write | |
| C60000 | unknown | page readonly | |
| 19AA0000 | heap | page read and write | |
| 50E000 | remote allocation | page execute and read and write | |
| CA0000 | heap | page read and write | |
| 9664000 | heap | page read and write | |
| 1021000 | heap | page read and write | |
| 19ABB000 | heap | page read and write | |
| C88000 | unknown | page readonly | |
| 1FA21000 | direct allocation | page execute read | |
| 9760000 | unclassified section | page read and write | |
| E80000 | heap | page read and write | |
| 196BD000 | heap | page read and write | |
| 30C000 | stack | page read and write | |
| 1140000 | heap | page read and write | |
| F00000 | heap | page read and write | |
| 19C02000 | heap | page read and write | |
| 19C20000 | heap | page read and write | |
| 14B1F000 | stack | page read and write | |
| B52000 | stack | page read and write | |
| 85D000 | stack | page read and write | |
| 6FD000 | stack | page read and write | |
| 1056000 | heap | page read and write | |
| 9BD000 | heap | page read and write | |
| 19AC2000 | heap | page read and write | |
| 43F000 | remote allocation | page execute and read and write | |
| 9AA000 | heap | page read and write | |
| 10E6000 | heap | page read and write | |
| 502000 | remote allocation | page execute and read and write | |
| 1078000 | heap | page read and write | |
| 14B5D000 | stack | page read and write | |
| 1052000 | heap | page read and write | |
| C60000 | unknown | page readonly | |
| 1135000 | heap | page read and write | |
| E87000 | heap | page read and write | |
| EDE000 | stack | page read and write | |
| 4D1000 | remote allocation | page execute and read and write | |
| 52D000 | remote allocation | page execute and read and write | |
| 4A9000 | remote allocation | page execute and read and write | |
| CE0000 | heap | page read and write | |
| 641000 | remote allocation | page execute and read and write | |
| 19CC9000 | heap | page read and write | |
| 19CC7000 | heap | page read and write | |
| CCB000 | unknown | page readonly | |
| E4D000 | stack | page read and write | |
| E8E000 | heap | page read and write | |
| 19680000 | heap | page read and write | |
| 9AE000 | heap | page read and write | |
| 1FC38000 | direct allocation | page readonly | |
| 1FA20000 | direct allocation | page execute and read and write | |
| A5C000 | stack | page read and write | |
| CCB000 | unknown | page readonly | |
| E0D000 | stack | page read and write | |
| 1970D000 | heap | page read and write | |
| 196AC000 | heap | page read and write | |
| F6E000 | heap | page read and write | |
| 4DD000 | remote allocation | page execute and read and write | |
| 539000 | remote allocation | page execute and read and write | |
| B9F000 | stack | page read and write | |
| 1969B000 | heap | page read and write | |
| 81E000 | stack | page read and write | |
| CC7000 | unknown | page read and write | |
| 4B1000 | remote allocation | page execute and read and write | |
| D00000 | heap | page read and write | |
| 27A0000 | heap | page read and write | |
| 9660000 | heap | page read and write | |