Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
file.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
initial sample
|
 |
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_50842b9be826d8ed7939945d23cf3e974f7f0c4_56460358_2c7f8a6a-34e8-4b3b-a34b-55f9ed7afc39\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
|
|
|
C:\ProgramData\GIIIECBGDHJJ\CAEHJE
|
SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie
0xb, schema 4, UTF-8, version-valid-for 1
|
dropped
|
||
|
C:\ProgramData\GIIIECBGDHJJ\EBKEHJ
|
SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4,
UTF-8, version-valid-for 1
|
dropped
|
||
|
C:\ProgramData\GIIIECBGDHJJ\GHDHJE
|
SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8,
version-valid-for 4
|
dropped
|
||
|
C:\ProgramData\GIIIECBGDHJJ\GIIIEC
|
SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie
0x21, schema 4, UTF-8, version-valid-for 3
|
dropped
|
||
|
C:\ProgramData\GIIIECBGDHJJ\IJKKEH
|
SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8,
version-valid-for 7
|
dropped
|
||
|
C:\ProgramData\GIIIECBGDHJJ\JJJKFB
|
SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4,
UTF-8, version-valid-for 1
|
dropped
|
||
|
C:\ProgramData\GIIIECBGDHJJ\KEGCBK
|
SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie
0x36, schema 4, UTF-8, version-valid-for 8
|
modified
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF16E.tmp.dmp
|
Mini DuMP crash report, 14 streams, Tue Jul 2 14:40:06 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF269.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF299.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sqlt[1].dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Windows\appcompat\Programs\Amcache.hve
|
MS Windows registry file, NT/2000 or above
|
dropped
|
There are 4 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Users\user\Desktop\file.exe
|
"C:\Users\user\Desktop\file.exe"
|
|
|
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
|
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
|
|
|
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 6132 -s 264
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
https://t.me/
|
unknown
|
|
|
|
https://steamcommunity.com/profiles/76561199707802586
|
|
||
|
https://t.me/g067n
|
149.154.167.99
|
|
|
|
https://duckduckgo.com/chrome_newtab
|
unknown
|
||
|
https://49.13.159.121:9000a4f35rosoft
|
unknown
|
||
|
https://duckduckgo.com/ac/?q=
|
unknown
|
||
|
https://web.telegram.org
|
unknown
|
||
|
https://steamcommunity.com/profiles/76561199707802586hellosqlt.dllsqlite3.dll
|
unknown
|
||
|
https://49.13.159.121:9000/MW
|
unknown
|
||
|
https://49.13.159.121:900024
|
unknown
|
||
|
https://49.13.159.121:9000/vcruntime140.dllh/Q
|
unknown
|
||
|
https://49.13.159.121:9000/softokn3.dllEdge
|
unknown
|
||
|
https://49.13.159.121:9000/vcruntime140.dlltQ
|
unknown
|
||
|
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
|
unknown
|
||
|
https://49.13.159.121:9000/softokn3.dll
|
unknown
|
||
|
https://t.me/g067n4G
|
unknown
|
||
|
https://49.13.159.121:9000alMicrosoft
|
unknown
|
||
|
https://49.13.159.121:9000
|
unknown
|
||
|
https://49.13.159.121:9000/(
|
unknown
|
||
|
https://49.13.159.121:9000/vcruntime140.dllrsaenh.dllE
|
unknown
|
||
|
https://49.13.159.121:9000/freebl3.dll
|
unknown
|
||
|
https://49.13.159.121:9000/freebl3.dll7
|
unknown
|
||
|
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
|
unknown
|
||
|
https://49.13.159.121:9000/0
|
unknown
|
||
|
https://49.13.159.121/
|
unknown
|
||
|
https://49.13.159.121:9000/mozglue.dll
|
unknown
|
||
|
https://t.me/g067nry1neMozilla/5.0
|
unknown
|
||
|
https://49.13.159.121:9000/KD
|
unknown
|
||
|
http://www.sqlite.org/copyright.html.
|
unknown
|
||
|
https://49.13.159.121:9000/B
|
unknown
|
||
|
https://49.13.159.121:9000/D
|
unknown
|
||
|
https://49.13.159.121:9000/msvcp140.dll0.15;
|
unknown
|
||
|
https://49.13.159.121:9000/nss3.dll
|
unknown
|
||
|
https://www.google.com/images/branding/product/ico/googleg_lodp.ico
|
unknown
|
||
|
https://49.13.159.121:9000/sqlt.dll
|
unknown
|
||
|
https://49.13.159.121:9000/vcruntime140.dllets
|
unknown
|
||
|
https://49.13.159.121:9000/softokn3.dll2
|
unknown
|
||
|
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
|
unknown
|
||
|
http://upx.sf.net
|
unknown
|
||
|
https://49.13.159.121:9000/msvcp140.dll
|
unknown
|
||
|
https://49.13.159.121:9000a4f35txtft
|
unknown
|
||
|
https://www.ecosia.org/newtab/
|
unknown
|
||
|
https://49.13.159.121:9000/nss3.dlloft
|
unknown
|
||
|
https://49.13.159.121:9000/soft
|
unknown
|
||
|
https://ac.ecosia.org/autocomplete?q=
|
unknown
|
||
|
https://49.13.159.121:9000/
|
unknown
|
||
|
https://49.13.159.121:9000/softokn3.dllL
|
unknown
|
||
|
https://49.13.159.121:9000/mW
|
unknown
|
||
|
https://49.13.159.121:9000/l
|
unknown
|
||
|
https://49.13.159.121:9000/msvcp140.dll~
|
unknown
|
||
|
https://49.13.159.121:9000ming
|
unknown
|
||
|
https://49.13.159.121:9000/msvcp140.dllEdge
|
unknown
|
||
|
https://49.13.159.121:9000/vcruntime140.dll
|
unknown
|
||
|
https://49.13.159.121:9000al
|
unknown
|
||
|
https://49.13.159.121:9000/ss3.dll
|
unknown
|
||
|
https://49.13.159.121:9000/freebl3.dllAppData
|
unknown
|
||
|
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
|
unknown
|
||
|
https://t.me/g067nNG
|
unknown
|
There are 48 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
t.me
|
149.154.167.99
|
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
149.154.167.99
|
t.me
|
United Kingdom
|
|
|
|
49.13.159.121
|
unknown
|
Germany
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
\REGISTRY\A\{ebeb69de-2d3e-e001-118a-d7efe2dfe5f0}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649
|
ProgramId
|
|
|
|
\REGISTRY\A\{ebeb69de-2d3e-e001-118a-d7efe2dfe5f0}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649
|
FileId
|
|
|
|
\REGISTRY\A\{ebeb69de-2d3e-e001-118a-d7efe2dfe5f0}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649
|
LowerCaseLongPath
|
|
|
|
\REGISTRY\A\{ebeb69de-2d3e-e001-118a-d7efe2dfe5f0}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649
|
LongPathHash
|
|
|
|
\REGISTRY\A\{ebeb69de-2d3e-e001-118a-d7efe2dfe5f0}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649
|
Name
|
|
|
|
\REGISTRY\A\{ebeb69de-2d3e-e001-118a-d7efe2dfe5f0}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649
|
OriginalFileName
|
|
|
|
\REGISTRY\A\{ebeb69de-2d3e-e001-118a-d7efe2dfe5f0}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649
|
Publisher
|
|
|
|
\REGISTRY\A\{ebeb69de-2d3e-e001-118a-d7efe2dfe5f0}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649
|
Version
|
|
|
|
\REGISTRY\A\{ebeb69de-2d3e-e001-118a-d7efe2dfe5f0}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649
|
BinFileVersion
|
|
|
|
\REGISTRY\A\{ebeb69de-2d3e-e001-118a-d7efe2dfe5f0}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649
|
BinaryType
|
|
|
|
\REGISTRY\A\{ebeb69de-2d3e-e001-118a-d7efe2dfe5f0}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649
|
ProductName
|
|
|
|
\REGISTRY\A\{ebeb69de-2d3e-e001-118a-d7efe2dfe5f0}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649
|
ProductVersion
|
|
|
|
\REGISTRY\A\{ebeb69de-2d3e-e001-118a-d7efe2dfe5f0}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649
|
LinkDate
|
|
|
|
\REGISTRY\A\{ebeb69de-2d3e-e001-118a-d7efe2dfe5f0}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649
|
BinProductVersion
|
|
|
|
\REGISTRY\A\{ebeb69de-2d3e-e001-118a-d7efe2dfe5f0}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649
|
AppxPackageFullName
|
|
|
|
\REGISTRY\A\{ebeb69de-2d3e-e001-118a-d7efe2dfe5f0}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649
|
AppxPackageRelativeId
|
|
|
|
\REGISTRY\A\{ebeb69de-2d3e-e001-118a-d7efe2dfe5f0}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649
|
Size
|
|
|
|
\REGISTRY\A\{ebeb69de-2d3e-e001-118a-d7efe2dfe5f0}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649
|
Language
|
|
|
|
\REGISTRY\A\{ebeb69de-2d3e-e001-118a-d7efe2dfe5f0}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649
|
Usn
|
|
|
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property
|
0018400FE397F205
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
|
DeviceTicket
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
|
DeviceId
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
|
ApplicationFlags
|
There are 13 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
400000
|
remote allocation
|
page execute and read and write
|
|
|
|
48A000
|
unkown
|
page read and write
|
|
|
|
1011000
|
heap
|
page read and write
|
|
|
|
445000
|
remote allocation
|
page execute and read and write
|
|
|
|
172FD000
|
stack
|
page read and write
|
||
|
19CF3000
|
heap
|
page read and write
|
||
|
198CF000
|
stack
|
page read and write
|
||
|
FC0000
|
heap
|
page read and write
|
||
|
4B1000
|
remote allocation
|
page execute and read and write
|
||
|
1FE68000
|
direct allocation
|
page readonly
|
||
|
1126000
|
heap
|
page read and write
|
||
|
4D1000
|
remote allocation
|
page execute and read and write
|
||
|
4E0000
|
remote allocation
|
page execute and read and write
|
||
|
10C8000
|
heap
|
page read and write
|
||
|
1FC51000
|
direct allocation
|
page execute read
|
||
|
19BAD000
|
heap
|
page read and write
|
||
|
116C000
|
heap
|
page read and write
|
||
|
1134000
|
heap
|
page read and write
|
||
|
52D000
|
remote allocation
|
page execute and read and write
|
||
|
502000
|
remote allocation
|
page execute and read and write
|
||
|
3F0000
|
unkown
|
page readonly
|
||
|
198FD000
|
heap
|
page read and write
|
||
|
126AD000
|
stack
|
page read and write
|
||
|
14BEC000
|
stack
|
page read and write
|
||
|
312E000
|
stack
|
page read and write
|
||
|
1FE5F000
|
direct allocation
|
page readonly
|
||
|
3F1000
|
unkown
|
page execute read
|
||
|
1FC58000
|
direct allocation
|
page execute read
|
||
|
5C8000
|
remote allocation
|
page execute and read and write
|
||
|
1FE5D000
|
direct allocation
|
page execute read
|
||
|
F90000
|
heap
|
page read and write
|
||
|
4A6000
|
remote allocation
|
page execute and read and write
|
||
|
19EF8000
|
heap
|
page read and write
|
||
|
14D5F000
|
stack
|
page read and write
|
||
|
E20000
|
heap
|
page read and write
|
||
|
15AD000
|
heap
|
page read and write
|
||
|
FE0000
|
heap
|
page read and write
|
||
|
3587000
|
heap
|
page read and write
|
||
|
19B3C000
|
stack
|
page read and write
|
||
|
F9A000
|
heap
|
page read and write
|
||
|
643000
|
remote allocation
|
page execute and read and write
|
||
|
13BE000
|
stack
|
page read and write
|
||
|
1FE9F000
|
direct allocation
|
page readonly
|
||
|
19EFA000
|
heap
|
page read and write
|
||
|
199E0000
|
heap
|
page read and write
|
||
|
ABC000
|
stack
|
page read and write
|
||
|
1A8F000
|
stack
|
page read and write
|
||
|
4DD000
|
remote allocation
|
page execute and read and write
|
||
|
BBC000
|
stack
|
page read and write
|
||
|
1136000
|
heap
|
page read and write
|
||
|
1994E000
|
heap
|
page read and write
|
||
|
F5C000
|
stack
|
page read and write
|
||
|
478000
|
unkown
|
page readonly
|
||
|
1FEB1000
|
heap
|
page read and write
|
||
|
1FF55000
|
heap
|
page read and write
|
||
|
14DBE000
|
stack
|
page read and write
|
||
|
641000
|
remote allocation
|
page execute and read and write
|
||
|
FFE000
|
heap
|
page read and write
|
||
|
F00000
|
heap
|
page read and write
|
||
|
3510000
|
heap
|
page read and write
|
||
|
97C0000
|
heap
|
page read and write
|
||
|
48A000
|
unkown
|
page write copy
|
||
|
198EC000
|
heap
|
page read and write
|
||
|
1FE92000
|
direct allocation
|
page read and write
|
||
|
19954000
|
heap
|
page read and write
|
||
|
3580000
|
heap
|
page read and write
|
||
|
14DD000
|
stack
|
page read and write
|
||
|
1FE9A000
|
direct allocation
|
page readonly
|
||
|
1012D000
|
stack
|
page read and write
|
||
|
1FC50000
|
direct allocation
|
page execute and read and write
|
||
|
322E000
|
stack
|
page read and write
|
||
|
4C2000
|
unkown
|
page readonly
|
||
|
4C2000
|
unkown
|
page readonly
|
||
|
100EF000
|
stack
|
page read and write
|
||
|
1738E000
|
stack
|
page read and write
|
||
|
19A3C000
|
stack
|
page read and write
|
||
|
1117000
|
heap
|
page read and write
|
||
|
19E51000
|
heap
|
page read and write
|
||
|
178F000
|
stack
|
page read and write
|
||
|
358D000
|
heap
|
page read and write
|
||
|
478000
|
unkown
|
page readonly
|
||
|
159A000
|
heap
|
page read and write
|
||
|
98B0000
|
unclassified section
|
page read and write
|
||
|
12FD000
|
stack
|
page read and write
|
||
|
97B0000
|
heap
|
page read and write
|
||
|
111C000
|
heap
|
page read and write
|
||
|
1266D000
|
stack
|
page read and write
|
||
|
3F0000
|
unkown
|
page readonly
|
||
|
1FDB6000
|
direct allocation
|
page execute read
|
||
|
439000
|
remote allocation
|
page execute and read and write
|
||
|
BB3000
|
stack
|
page read and write
|
||
|
FD0000
|
heap
|
page read and write
|
||
|
3F1000
|
unkown
|
page execute read
|
||
|
50E000
|
remote allocation
|
page execute and read and write
|
||
|
10EF000
|
heap
|
page read and write
|
||
|
1990E000
|
heap
|
page read and write
|
||
|
4BE000
|
unkown
|
page read and write
|
||
|
14F0000
|
heap
|
page read and write
|
||
|
10D2000
|
heap
|
page read and write
|
||
|
539000
|
remote allocation
|
page execute and read and write
|
||
|
F20000
|
heap
|
page read and write
|
||
|
19B90000
|
heap
|
page read and write
|
||
|
1590000
|
heap
|
page read and write
|
||
|
43F000
|
remote allocation
|
page execute and read and write
|
||
|
137E000
|
stack
|
page read and write
|
||
|
19CEC000
|
heap
|
page read and write
|
||
|
19E33000
|
heap
|
page read and write
|
||
|
14C5E000
|
stack
|
page read and write
|
||
|
10F7000
|
heap
|
page read and write
|
||
|
13C0000
|
heap
|
page read and write
|
||
|
1FE9D000
|
direct allocation
|
page readonly
|
||
|
4A9000
|
remote allocation
|
page execute and read and write
|
||
|
133E000
|
stack
|
page read and write
|
||
|
356E000
|
stack
|
page read and write
|
||
|
FF0000
|
direct allocation
|
page execute and read and write
|
||
|
198E2000
|
heap
|
page read and write
|
||
|
159E000
|
heap
|
page read and write
|
There are 107 hidden memdumps, click here to show them.