Files

File Path | Type | Category | Malicious
---|---|---|---
FoS5cjKhd3.exe | PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample |
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FoS5cjKhd3.exe.log | CSV text | modified |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegAsm.exe_7e74a33335a2f965bc130b952e35e6871e573e3_5be246a5_ef375b0f-a442-4bce-a5f6-0408d35425df\Report.wer | data | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDDA4.tmp.dmp | Mini DuMP crash report, 15 streams, Fri Sep 27 14:47:13 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDEED.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDF3C.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped |
\Device\ConDrv | ASCII text, with CRLF, LF line terminators | dropped |
Processes

Path | Cmdline | Malicious
---|---|---
C:\Users\user\Desktop\FoS5cjKhd3.exe | "C:\Users\user\Desktop\FoS5cjKhd3.exe" |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 1768 |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 1772 |
URLs

Name | IP | Malicious
---|---|---
fragnantbui.shop | |
lootebarrkeyn.shop | |
gutterydhowi.shop | |
offensivedzvju.shop | |
https://gutterydhowi.shop/api | 104.21.4.136 |
drawzhotdog.shop | |
ghostreedmnu.shop | |
reinforcenh.shop | |
stogeneratmns.shop | |
vozmeatillu.shop | |
https://gutterydhowi.shop/apiC | unknown |
https://gutterydhowi.shop/apiM | unknown |
http://upx.sf.net | unknown |
https://gutterydhowi.shop/ | unknown |
https://www.cloudflare.com/learning/acce | unknown |

(5 further URLs are not shown in this extract.)
Domains

Name | IP | Malicious
---|---|---
gutterydhowi.shop | 104.21.4.136 |
lootebarrkeyn.shop | unknown |
IPs

IP | Domain | Country | Malicious
---|---|---|---
104.21.4.136 | gutterydhowi.shop | United States |
Registry

Path | Value | Malicious
---|---|---
\REGISTRY\A\{abd5af96-9325-5ded-281f-3db6c19d32e1}\Root\InventoryApplicationFile\regasm.exe\|930881d2b722b2fe | ProgramId |
\REGISTRY\A\{abd5af96-9325-5ded-281f-3db6c19d32e1}\Root\InventoryApplicationFile\regasm.exe\|930881d2b722b2fe | FileId |
\REGISTRY\A\{abd5af96-9325-5ded-281f-3db6c19d32e1}\Root\InventoryApplicationFile\regasm.exe\|930881d2b722b2fe | LowerCaseLongPath |
\REGISTRY\A\{abd5af96-9325-5ded-281f-3db6c19d32e1}\Root\InventoryApplicationFile\regasm.exe\|930881d2b722b2fe | LongPathHash |
\REGISTRY\A\{abd5af96-9325-5ded-281f-3db6c19d32e1}\Root\InventoryApplicationFile\regasm.exe\|930881d2b722b2fe | Name |
\REGISTRY\A\{abd5af96-9325-5ded-281f-3db6c19d32e1}\Root\InventoryApplicationFile\regasm.exe\|930881d2b722b2fe | OriginalFileName |
\REGISTRY\A\{abd5af96-9325-5ded-281f-3db6c19d32e1}\Root\InventoryApplicationFile\regasm.exe\|930881d2b722b2fe | Publisher |
\REGISTRY\A\{abd5af96-9325-5ded-281f-3db6c19d32e1}\Root\InventoryApplicationFile\regasm.exe\|930881d2b722b2fe | Version |
\REGISTRY\A\{abd5af96-9325-5ded-281f-3db6c19d32e1}\Root\InventoryApplicationFile\regasm.exe\|930881d2b722b2fe | BinFileVersion |
\REGISTRY\A\{abd5af96-9325-5ded-281f-3db6c19d32e1}\Root\InventoryApplicationFile\regasm.exe\|930881d2b722b2fe | BinaryType |
\REGISTRY\A\{abd5af96-9325-5ded-281f-3db6c19d32e1}\Root\InventoryApplicationFile\regasm.exe\|930881d2b722b2fe | ProductName |
\REGISTRY\A\{abd5af96-9325-5ded-281f-3db6c19d32e1}\Root\InventoryApplicationFile\regasm.exe\|930881d2b722b2fe | ProductVersion |
\REGISTRY\A\{abd5af96-9325-5ded-281f-3db6c19d32e1}\Root\InventoryApplicationFile\regasm.exe\|930881d2b722b2fe | LinkDate |
\REGISTRY\A\{abd5af96-9325-5ded-281f-3db6c19d32e1}\Root\InventoryApplicationFile\regasm.exe\|930881d2b722b2fe | BinProductVersion |
\REGISTRY\A\{abd5af96-9325-5ded-281f-3db6c19d32e1}\Root\InventoryApplicationFile\regasm.exe\|930881d2b722b2fe | AppxPackageFullName |
\REGISTRY\A\{abd5af96-9325-5ded-281f-3db6c19d32e1}\Root\InventoryApplicationFile\regasm.exe\|930881d2b722b2fe | AppxPackageRelativeId |
\REGISTRY\A\{abd5af96-9325-5ded-281f-3db6c19d32e1}\Root\InventoryApplicationFile\regasm.exe\|930881d2b722b2fe | Size |
\REGISTRY\A\{abd5af96-9325-5ded-281f-3db6c19d32e1}\Root\InventoryApplicationFile\regasm.exe\|930881d2b722b2fe | Language |
\REGISTRY\A\{abd5af96-9325-5ded-281f-3db6c19d32e1}\Root\InventoryApplicationFile\regasm.exe\|930881d2b722b2fe | IsOsComponent |
\REGISTRY\A\{abd5af96-9325-5ded-281f-3db6c19d32e1}\Root\InventoryApplicationFile\regasm.exe\|930881d2b722b2fe | Usn |
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | DeviceTicket |
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | DeviceId |
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | ApplicationFlags |
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property | 0018000DDABBE6B3 |

(14 further registry entries are not shown in this extract.)
Memdumps

Base Address | Regiontype | Protect | Malicious
---|---|---|---
3CD5000 | trusted library allocation | page read and write |
400000 | remote allocation | page execute and read and write |
30AE000 | stack | page read and write |
12AE000 | stack | page read and write |
DE7000 | heap | page read and write |
2E0E000 | stack | page read and write |
1497000 | trusted library allocation | page execute and read and write |
1476000 | trusted library allocation | page read and write |
F6E000 | stack | page read and write |
7FB000 | stack | page read and write |
2B70000 | trusted library allocation | page read and write |
320E000 | stack | page read and write |
298E000 | stack | page read and write |
9DE000 | unkown | page readonly |
F20000 | heap | page read and write |
2A8F000 | stack | page read and write |
F70000 | heap | page read and write |
980000 | unkown | page readonly |
4E6E000 | stack | page read and write |
E0A000 | heap | page read and write |
3270000 | heap | page read and write |
1463000 | trusted library allocation | page execute and read and write |
982000 | unkown | page readonly |
1480000 | trusted library allocation | page read and write |
2CD1000 | trusted library allocation | page execute and read and write |
460000 | remote allocation | page execute and read and write |
CD0000 | heap | page read and write |
1450000 | trusted library allocation | page read and write |
DE0000 | heap | page read and write |
2B1E000 | stack | page read and write |
E2C000 | heap | page read and write |
2BC0000 | heap | page read and write |
DF0000 | heap | page read and write |
D78000 | stack | page read and write |
E0F000 | heap | page read and write |
1070000 | heap | page read and write |
278F000 | stack | page read and write |
F90000 | heap | page read and write |
11AE000 | stack | page read and write |
1490000 | trusted library allocation | page read and write |
E34000 | heap | page read and write |
2BA0000 | heap | page execute and read and write |
E42000 | heap | page read and write |
BF5000 | heap | page read and write |
288D000 | stack | page read and write |
B70000 | heap | page read and write |
BDE000 | stack | page read and write |
AFB000 | stack | page read and write |
2F4E000 | stack | page read and write |
DAE000 | stack | page read and write |
C7C000 | stack | page read and write |
337F000 | stack | page read and write |
E00000 | heap | page read and write |
BF0000 | heap | page read and write |
DCA000 | heap | page read and write |
31AF000 | stack | page read and write |
D6D000 | stack | page read and write |
B60000 | heap | page read and write |
1470000 | trusted library allocation | page read and write |
1464000 | trusted library allocation | page read and write |
2CD3000 | trusted library allocation | page read and write |
149B000 | trusted library allocation | page execute and read and write |
E0E000 | heap | page read and write |
2AD0000 | trusted library allocation | page read and write |
2B60000 | trusted library allocation | page execute and read and write |
3CD1000 | trusted library allocation | page read and write |
304F000 | stack | page read and write |
D2D000 | stack | page read and write |
DFA000 | heap | page read and write |
2CCF000 | stack | page read and write |
F95000 | heap | page read and write |
14A0000 | heap | page read and write |
2B5D000 | stack | page read and write |
2F0D000 | stack | page read and write |
148A000 | trusted library allocation | page execute and read and write |
116F000 | stack | page read and write |
1474000 | trusted library allocation | page read and write |
DC0000 | heap | page read and write |

(68 further memdumps are not shown in this extract.)