IOC Report
cHAxMzM3_crypted_LAB.exe


Files

File Path | Type | Category | Malicious
cHAxMzM3_crypted_LAB.exe | PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_cHAxMzM3_crypted_ccffdb6c6ef081f298b56681747aaf9b71801b5d_2fc09c21_1853f9ce-a91c-4f93-b530-f99aa0c11745\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7703.tmp.dmp | Mini DuMP crash report, 15 streams, Tue Jan 28 12:59:48 2025, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER78B9.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7985.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped |

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe | "C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe" | malicious
C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe | "C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe" | malicious
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 916 |

URLs

Name | IP | Malicious
stingyerasjhru.click | | malicious
https://smiteattacekr.org/api | 188.114.96.3 | malicious
https://steamcommunity.com/profiles/76561199724331900 | 104.102.49.254 |
https://smiteattacekr.org/apih | unknown |
rabidcowse.shop | |
https://community.fastly.steamstatic.com/public/images/skin_ | unknown |
wholersorie.shop | |
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=eVGzFA1_2smb&a | unknown |
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=F357 | unknown |
http://upx.sf.net | unknown |
http://store.steampowered.com/subscriber_agreement/ | unknown |
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=gi31XL_w | unknown |
https://steamcommunity.com/profiles/76561199724331900/inventory/ | unknown |
http://store.steampowered.com/Ua | unknown |
cloudewahsj.shop | |
noisycuttej.shop | |
https://smiteattacekr.org/dS | unknown |
nearycrepso.shop | |
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | unknown |
https://smiteattacekr.org/ | unknown |
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geoname | unknown |
framekgirus.shop | |
https://store.steamp | unknown |
tirepublicerj.shop | |
abruptyopsn.shop | |

Domains

Name | IP | Malicious
smiteattacekr.org | 188.114.96.3 | malicious
stingyerasjhru.click | unknown | malicious
steamcommunity.com | 104.102.49.254 |
53.210.109.20.in-addr.arpa | unknown |
cloudewahsj.shop | unknown |
noisycuttej.shop | unknown |
nearycrepso.shop | unknown |
rabidcowse.shop | unknown |
wholersorie.shop | unknown |
framekgirus.shop | unknown |
tirepublicerj.shop | unknown |
171.39.242.20.in-addr.arpa | unknown |
abruptyopsn.shop | unknown |

IPs

IP | Domain | Country | Malicious
188.114.96.3 | smiteattacekr.org | European Union | malicious
104.102.49.254 | steamcommunity.com | United States |

Registry

Path | Value
\REGISTRY\A\{be31cd80-03ab-6821-9ddf-ca1c84af3a85}\Root\InventoryApplicationFile\chaxmzm3_crypted|b87ab0fcde3fabda | ProgramId
\REGISTRY\A\{be31cd80-03ab-6821-9ddf-ca1c84af3a85}\Root\InventoryApplicationFile\chaxmzm3_crypted|b87ab0fcde3fabda | FileId
\REGISTRY\A\{be31cd80-03ab-6821-9ddf-ca1c84af3a85}\Root\InventoryApplicationFile\chaxmzm3_crypted|b87ab0fcde3fabda | LowerCaseLongPath
\REGISTRY\A\{be31cd80-03ab-6821-9ddf-ca1c84af3a85}\Root\InventoryApplicationFile\chaxmzm3_crypted|b87ab0fcde3fabda | LongPathHash
\REGISTRY\A\{be31cd80-03ab-6821-9ddf-ca1c84af3a85}\Root\InventoryApplicationFile\chaxmzm3_crypted|b87ab0fcde3fabda | Name
\REGISTRY\A\{be31cd80-03ab-6821-9ddf-ca1c84af3a85}\Root\InventoryApplicationFile\chaxmzm3_crypted|b87ab0fcde3fabda | OriginalFileName
\REGISTRY\A\{be31cd80-03ab-6821-9ddf-ca1c84af3a85}\Root\InventoryApplicationFile\chaxmzm3_crypted|b87ab0fcde3fabda | Publisher
\REGISTRY\A\{be31cd80-03ab-6821-9ddf-ca1c84af3a85}\Root\InventoryApplicationFile\chaxmzm3_crypted|b87ab0fcde3fabda | Version
\REGISTRY\A\{be31cd80-03ab-6821-9ddf-ca1c84af3a85}\Root\InventoryApplicationFile\chaxmzm3_crypted|b87ab0fcde3fabda | BinFileVersion
\REGISTRY\A\{be31cd80-03ab-6821-9ddf-ca1c84af3a85}\Root\InventoryApplicationFile\chaxmzm3_crypted|b87ab0fcde3fabda | BinaryType
\REGISTRY\A\{be31cd80-03ab-6821-9ddf-ca1c84af3a85}\Root\InventoryApplicationFile\chaxmzm3_crypted|b87ab0fcde3fabda | ProductName
\REGISTRY\A\{be31cd80-03ab-6821-9ddf-ca1c84af3a85}\Root\InventoryApplicationFile\chaxmzm3_crypted|b87ab0fcde3fabda | ProductVersion
\REGISTRY\A\{be31cd80-03ab-6821-9ddf-ca1c84af3a85}\Root\InventoryApplicationFile\chaxmzm3_crypted|b87ab0fcde3fabda | LinkDate
\REGISTRY\A\{be31cd80-03ab-6821-9ddf-ca1c84af3a85}\Root\InventoryApplicationFile\chaxmzm3_crypted|b87ab0fcde3fabda | BinProductVersion
\REGISTRY\A\{be31cd80-03ab-6821-9ddf-ca1c84af3a85}\Root\InventoryApplicationFile\chaxmzm3_crypted|b87ab0fcde3fabda | AppxPackageFullName
\REGISTRY\A\{be31cd80-03ab-6821-9ddf-ca1c84af3a85}\Root\InventoryApplicationFile\chaxmzm3_crypted|b87ab0fcde3fabda | AppxPackageRelativeId
\REGISTRY\A\{be31cd80-03ab-6821-9ddf-ca1c84af3a85}\Root\InventoryApplicationFile\chaxmzm3_crypted|b87ab0fcde3fabda | Size
\REGISTRY\A\{be31cd80-03ab-6821-9ddf-ca1c84af3a85}\Root\InventoryApplicationFile\chaxmzm3_crypted|b87ab0fcde3fabda | Language
\REGISTRY\A\{be31cd80-03ab-6821-9ddf-ca1c84af3a85}\Root\InventoryApplicationFile\chaxmzm3_crypted|b87ab0fcde3fabda | Usn
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | DeviceTicket
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | DeviceId
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | ApplicationFlags
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property | 0018000DDABBE6B3

Memdumps

Base Address | Region type | Protect | Malicious
3D19000 | trusted library allocation | page read and write | malicious
F50000 | heap | page read and write |
1340000 | trusted library allocation | page read and write |
4EAE000 | stack | page read and write |
398B000 | trusted library allocation | page read and write |
2D00000 | heap | page execute and read and write |
1310000 | trusted library allocation | page read and write |
10DD000 | stack | page read and write |
3977000 | trusted library allocation | page read and write |
51F4000 | trusted library allocation | page read and write |
1323000 | trusted library allocation | page execute and read and write |
EFB000 | stack | page read and write |
E90000 | heap | page read and write |
2FED000 | stack | page read and write |
358E000 | stack | page read and write |
112C000 | heap | page read and write |
2BAF000 | stack | page read and write |
1142000 | heap | page read and write |
1324000 | trusted library allocation | page read and write |
115E000 | heap | page read and write |
397B000 | trusted library allocation | page read and write |
E70000 | heap | page read and write |
E60000 | heap | page read and write |
5216000 | trusted library allocation | page read and write |
39E0000 | trusted library allocation | page read and write |
341D000 | stack | page read and write |
E98000 | heap | page read and write |
118D000 | heap | page read and write |
3D11000 | trusted library allocation | page read and write |
400000 | remote allocation | page execute and read and write |
F00000 | heap | page read and write |
1200000 | heap | page read and write |
BE9000 | stack | page read and write |
1118000 | heap | page read and write |
399F000 | trusted library allocation | page read and write |
1370000 | trusted library allocation | page read and write |
33AF000 | stack | page read and write |
1183000 | heap | page read and write |
32AE000 | stack | page read and write |
3996000 | trusted library allocation | page read and write |
11CC000 | heap | page read and write |
5230000 | trusted library allocation | page read and write |
33C0000 | heap | page read and write |
351D000 | stack | page read and write |
11DE000 | stack | page read and write |
115B000 | heap | page read and write |
2BC0000 | trusted library allocation | page read and write |
A08000 | unknown | page readonly |
EC6000 | heap | page read and write |
1130000 | heap | page read and write |
2D11000 | trusted library allocation | page read and write |
11DB000 | heap | page read and write |
312D000 | stack | page read and write |
1334000 | trusted library allocation | page read and write |
2BE0000 | heap | page read and write |
5219000 | trusted library allocation | page read and write |
3980000 | trusted library allocation | page read and write |
A02000 | unknown | page readonly |
AEC000 | stack | page read and write |
F67000 | heap | page read and write |
A00000 | unknown | page readonly |
ED3000 | heap | page read and write |
11CF000 | heap | page read and write |
38FD000 | trusted library allocation | page read and write |
13BE000 | stack | page read and write |
134A000 | trusted library allocation | page execute and read and write |
E9E000 | heap | page read and write |
B9B000 | stack | page read and write |
2D17000 | trusted library allocation | page execute and read and write |
2CF0000 | trusted library allocation | page read and write |
130F000 | stack | page read and write |
36EE000 | stack | page read and write |
1350000 | trusted library allocation | page read and write |
1357000 | trusted library allocation | page execute and read and write |
368F000 | stack | page read and write |
3993000 | trusted library allocation | page read and write |
1110000 | heap | page read and write |
2CF6000 | trusted library allocation | page read and write |
13C0000 | heap | page read and write |
3A14000 | trusted library allocation | page read and write |
1100000 | heap | page read and write |
302D000 | stack | page read and write |
326E000 | stack | page read and write |
3A05000 | trusted library allocation | page read and write |
109E000 | stack | page read and write |
11C3000 | heap | page read and write |
3BE0000 | heap | page read and write |
38EA000 | trusted library allocation | page read and write |
109E000 | stack | page read and write |
1330000 | trusted library allocation | page read and write |
11C6000 | heap | page read and write |
2BB0000 | trusted library allocation | page execute and read and write |
11DE000 | heap | page read and write |
316E000 | stack | page read and write |
EBC000 | heap | page read and write |
2D19000 | trusted library allocation | page read and write |
F4E000 | stack | page read and write |
119F000 | stack | page read and write |
38DF000 | stack | page read and write |
5225000 | trusted library allocation | page read and write |
37D0000 | heap | page read and write |
130E000 | stack | page read and write |
E50000 | heap | page read and write |
135B000 | trusted library allocation | page execute and read and write |
2BAE000 | stack | page read and write |
5204000 | trusted library allocation | page read and write |
A0C000 | unknown | page readonly |
2CEE000 | stack | page read and write |
3D15000 | trusted library allocation | page read and write |
457000 | remote allocation | page execute and read and write |
F60000 | heap | page read and write |