Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
injcheat.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
initial sample
|
 |
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_injcheat.exe_bfdbaff99cfc5fd6ea5e84811572a32612ee71_c64bc4dd_96141fc8-3caa-417b-b7e8-b1b992ca8023\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
modified
|
|
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MSBuild.exe_43832d93ddcf66f1edc5babbb1e353ebb92236_05bdfb8c_baa4bba1-0414-46fd-b4ad-a139b8562bf3\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
modified
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER736.tmp.dmp
|
Mini DuMP crash report, 15 streams, Mon Oct 7 04:44:13 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER860.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER881.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB5F.tmp.dmp
|
Mini DuMP crash report, 14 streams, Mon Oct 7 04:44:10 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFBBE.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFC2C.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Windows\appcompat\Programs\Amcache.hve
|
MS Windows registry file, NT/2000 or above
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Users\user\Desktop\injcheat.exe
|
"C:\Users\user\Desktop\injcheat.exe"
|
|
|
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
|
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
|
|
|
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 7516 -s 304
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 7572 -s 1620
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
frizzettei.sbs
|
|
||
|
laddyirekyi.sbs
|
|
||
|
https://frizzettei.sbs/api
|
188.114.96.3
|
|
|
|
https://epiloggati.sbs/api
|
188.114.96.3
|
|
|
|
wickedneatr.sbs
|
|
||
|
bemuzzeki.sbs
|
|
||
|
invinjurhey.sbs
|
|
||
|
epiloggati.sbs
|
|
||
|
isoplethui.sbs
|
|
||
|
exilepolsiy.sbs
|
|
||
|
exemplarou.sbs
|
|
||
|
http://upx.sf.net
|
unknown
|
There are 2 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
frizzettei.sbs
|
188.114.96.3
|
|
|
|
epiloggati.sbs
|
188.114.96.3
|
|
|
|
s-part-0032.t-0009.t-msedge.net
|
13.107.246.60
|
||
|
time.windows.com
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
188.114.96.3
|
frizzettei.sbs
|
European Union
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
ProgramId
|
|
|
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
FileId
|
|
|
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
LowerCaseLongPath
|
|
|
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
LongPathHash
|
|
|
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
Name
|
|
|
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
OriginalFileName
|
|
|
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
Publisher
|
|
|
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
Version
|
|
|
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
BinFileVersion
|
|
|
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
BinaryType
|
|
|
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
ProductName
|
|
|
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
ProductVersion
|
|
|
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
LinkDate
|
|
|
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
BinProductVersion
|
|
|
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
AppxPackageFullName
|
|
|
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
AppxPackageRelativeId
|
|
|
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
Size
|
|
|
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
Language
|
|
|
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
Usn
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
|
ClockTimeSeconds
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
|
TickCount
|
||
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
ProgramId
|
||
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
FileId
|
||
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
LowerCaseLongPath
|
||
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
LongPathHash
|
||
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
Name
|
||
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
OriginalFileName
|
||
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
Publisher
|
||
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
Version
|
||
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
BinFileVersion
|
||
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
BinaryType
|
||
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
ProductName
|
||
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
ProductVersion
|
||
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
LinkDate
|
||
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
BinProductVersion
|
||
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
AppxPackageFullName
|
||
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
AppxPackageRelativeId
|
||
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
Size
|
||
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
Language
|
||
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
IsOsComponent
|
||
|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
Usn
|
There are 31 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
400000
|
remote allocation
|
page execute and read and write
|
|
|
|
83C000
|
unkown
|
page read and write
|
|
|
|
70490000
|
unkown
|
page readonly
|
||
|
2FDE000
|
stack
|
page read and write
|
||
|
BC0000
|
heap
|
page read and write
|
||
|
C1A000
|
heap
|
page read and write
|
||
|
704AD000
|
unkown
|
page read and write
|
||
|
810000
|
unkown
|
page readonly
|
||
|
27AD000
|
stack
|
page read and write
|
||
|
DF0000
|
heap
|
page read and write
|
||
|
B70000
|
heap
|
page read and write
|
||
|
BDC000
|
heap
|
page read and write
|
||
|
B40000
|
heap
|
page read and write
|
||
|
897000
|
unkown
|
page readonly
|
||
|
B3E000
|
stack
|
page read and write
|
||
|
C01000
|
heap
|
page read and write
|
||
|
E7A000
|
heap
|
page read and write
|
||
|
7D0000
|
heap
|
page read and write
|
||
|
76B000
|
stack
|
page read and write
|
||
|
D10000
|
heap
|
page read and write
|
||
|
811000
|
unkown
|
page execute read
|
||
|
704A6000
|
unkown
|
page readonly
|
||
|
832000
|
unkown
|
page readonly
|
||
|
C69000
|
heap
|
page read and write
|
||
|
45E000
|
remote allocation
|
page execute and read and write
|
||
|
2850000
|
heap
|
page read and write
|
||
|
2A5D000
|
stack
|
page read and write
|
||
|
276D000
|
stack
|
page read and write
|
||
|
11AF000
|
stack
|
page read and write
|
||
|
F8E000
|
stack
|
page read and write
|
||
|
2EDE000
|
stack
|
page read and write
|
||
|
9AC000
|
stack
|
page read and write
|
||
|
83C000
|
unkown
|
page write copy
|
||
|
10AE000
|
stack
|
page read and write
|
||
|
106F000
|
stack
|
page read and write
|
||
|
3180000
|
heap
|
page read and write
|
||
|
2E9E000
|
stack
|
page read and write
|
||
|
C8B000
|
heap
|
page read and write
|
||
|
BBE000
|
stack
|
page read and write
|
||
|
894000
|
unkown
|
page execute and read and write
|
||
|
704AF000
|
unkown
|
page readonly
|
||
|
B75000
|
heap
|
page read and write
|
||
|
E00000
|
heap
|
page read and write
|
||
|
CFD000
|
stack
|
page read and write
|
||
|
BED000
|
heap
|
page read and write
|
||
|
302E000
|
stack
|
page read and write
|
||
|
E7E000
|
heap
|
page read and write
|
||
|
E4E000
|
stack
|
page read and write
|
||
|
C8D000
|
heap
|
page read and write
|
||
|
70491000
|
unkown
|
page execute read
|
||
|
895000
|
unkown
|
page read and write
|
||
|
AFB000
|
stack
|
page read and write
|
||
|
BC8000
|
heap
|
page read and write
|
||
|
811000
|
unkown
|
page execute read
|
||
|
E70000
|
heap
|
page read and write
|
||
|
832000
|
unkown
|
page readonly
|
||
|
312F000
|
stack
|
page read and write
|
||
|
E8E000
|
stack
|
page read and write
|
||
|
C85000
|
heap
|
page read and write
|
||
|
295D000
|
stack
|
page read and write
|
||
|
7E0000
|
heap
|
page read and write
|
||
|
810000
|
unkown
|
page readonly
|
||
|
282D000
|
stack
|
page read and write
|
||
|
897000
|
unkown
|
page readonly
|
There are 54 hidden memdumps, click here to show them.