Files
File Path
|
Type
|
Category
|
Malicious
|
|
---|---|---|---|---|
injcheat.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
initial sample
|
||
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_injcheat.exe_bfdbaff99cfc5fd6ea5e84811572a32612ee71_c64bc4dd_96141fc8-3caa-417b-b7e8-b1b992ca8023\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
modified
|
||
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MSBuild.exe_43832d93ddcf66f1edc5babbb1e353ebb92236_05bdfb8c_baa4bba1-0414-46fd-b4ad-a139b8562bf3\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
modified
|
||
C:\ProgramData\Microsoft\Windows\WER\Temp\WER736.tmp.dmp
|
Mini DuMP crash report, 15 streams, Mon Oct 7 04:44:13 2024, 0x1205a4 type
|
dropped
|
||
C:\ProgramData\Microsoft\Windows\WER\Temp\WER860.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
C:\ProgramData\Microsoft\Windows\WER\Temp\WER881.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB5F.tmp.dmp
|
Mini DuMP crash report, 14 streams, Mon Oct 7 04:44:10 2024, 0x1205a4 type
|
dropped
|
||
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFBBE.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFC2C.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
C:\Windows\appcompat\Programs\Amcache.hve
|
MS Windows registry file, NT/2000 or above
|
dropped
|
Processes
Path
|
Cmdline
|
Malicious
|
|
---|---|---|---|
C:\Users\user\Desktop\injcheat.exe
|
"C:\Users\user\Desktop\injcheat.exe"
|
||
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
|
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
|
||
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 7516 -s 304
|
||
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 7572 -s 1620
|
URLs
Name
|
IP
|
Malicious
|
|
---|---|---|---|
frizzettei.sbs
|
|||
laddyirekyi.sbs
|
|||
https://frizzettei.sbs/api
|
188.114.96.3
|
||
https://epiloggati.sbs/api
|
188.114.96.3
|
||
wickedneatr.sbs
|
|||
bemuzzeki.sbs
|
|||
invinjurhey.sbs
|
|||
epiloggati.sbs
|
|||
isoplethui.sbs
|
|||
exilepolsiy.sbs
|
|||
exemplarou.sbs
|
|||
http://upx.sf.net
|
unknown
|
There are 2 hidden URLs, click here to show them.
Domains
Name
|
IP
|
Malicious
|
|
---|---|---|---|
frizzettei.sbs
|
188.114.96.3
|
||
epiloggati.sbs
|
188.114.96.3
|
||
s-part-0032.t-0009.t-msedge.net
|
13.107.246.60
|
||
time.windows.com
|
unknown
|
IPs
IP
|
Domain
|
Country
|
Malicious
|
|
---|---|---|---|---|
188.114.96.3
|
frizzettei.sbs
|
European Union
|
Registry
Path
|
Value
|
Malicious
|
|
---|---|---|---|
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
ProgramId
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
FileId
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
LowerCaseLongPath
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
LongPathHash
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
Name
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
OriginalFileName
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
Publisher
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
Version
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
BinFileVersion
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
BinaryType
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
ProductName
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
ProductVersion
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
LinkDate
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
BinProductVersion
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
AppxPackageFullName
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
AppxPackageRelativeId
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
Size
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
Language
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\injcheat.exe|5efd08f0c441310b
|
Usn
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
|
ClockTimeSeconds
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
|
TickCount
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
ProgramId
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
FileId
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
LowerCaseLongPath
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
LongPathHash
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
Name
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
OriginalFileName
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
Publisher
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
Version
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
BinFileVersion
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
BinaryType
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
ProductName
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
ProductVersion
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
LinkDate
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
BinProductVersion
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
AppxPackageFullName
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
AppxPackageRelativeId
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
Size
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
Language
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
IsOsComponent
|
||
\REGISTRY\A\{03e07d0f-5d75-0d80-c17d-c49ec5ccedd5}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
Usn
|
There are 31 hidden registries, click here to show them.
Memdumps
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
---|---|---|---|---|
400000
|
remote allocation
|
page execute and read and write
|
||
83C000
|
unkown
|
page read and write
|
||
70490000
|
unkown
|
page readonly
|
||
2FDE000
|
stack
|
page read and write
|
||
BC0000
|
heap
|
page read and write
|
||
C1A000
|
heap
|
page read and write
|
||
704AD000
|
unkown
|
page read and write
|
||
810000
|
unkown
|
page readonly
|
||
27AD000
|
stack
|
page read and write
|
||
DF0000
|
heap
|
page read and write
|
||
B70000
|
heap
|
page read and write
|
||
BDC000
|
heap
|
page read and write
|
||
B40000
|
heap
|
page read and write
|
||
897000
|
unkown
|
page readonly
|
||
B3E000
|
stack
|
page read and write
|
||
C01000
|
heap
|
page read and write
|
||
E7A000
|
heap
|
page read and write
|
||
7D0000
|
heap
|
page read and write
|
||
76B000
|
stack
|
page read and write
|
||
D10000
|
heap
|
page read and write
|
||
811000
|
unkown
|
page execute read
|
||
704A6000
|
unkown
|
page readonly
|
||
832000
|
unkown
|
page readonly
|
||
C69000
|
heap
|
page read and write
|
||
45E000
|
remote allocation
|
page execute and read and write
|
||
2850000
|
heap
|
page read and write
|
||
2A5D000
|
stack
|
page read and write
|
||
276D000
|
stack
|
page read and write
|
||
11AF000
|
stack
|
page read and write
|
||
F8E000
|
stack
|
page read and write
|
||
2EDE000
|
stack
|
page read and write
|
||
9AC000
|
stack
|
page read and write
|
||
83C000
|
unkown
|
page write copy
|
||
10AE000
|
stack
|
page read and write
|
||
106F000
|
stack
|
page read and write
|
||
3180000
|
heap
|
page read and write
|
||
2E9E000
|
stack
|
page read and write
|
||
C8B000
|
heap
|
page read and write
|
||
BBE000
|
stack
|
page read and write
|
||
894000
|
unkown
|
page execute and read and write
|
||
704AF000
|
unkown
|
page readonly
|
||
B75000
|
heap
|
page read and write
|
||
E00000
|
heap
|
page read and write
|
||
CFD000
|
stack
|
page read and write
|
||
BED000
|
heap
|
page read and write
|
||
302E000
|
stack
|
page read and write
|
||
E7E000
|
heap
|
page read and write
|
||
E4E000
|
stack
|
page read and write
|
||
C8D000
|
heap
|
page read and write
|
||
70491000
|
unkown
|
page execute read
|
||
895000
|
unkown
|
page read and write
|
||
AFB000
|
stack
|
page read and write
|
||
BC8000
|
heap
|
page read and write
|
||
811000
|
unkown
|
page execute read
|
||
E70000
|
heap
|
page read and write
|
||
832000
|
unkown
|
page readonly
|
||
312F000
|
stack
|
page read and write
|
||
E8E000
|
stack
|
page read and write
|
||
C85000
|
heap
|
page read and write
|
||
295D000
|
stack
|
page read and write
|
||
7E0000
|
heap
|
page read and write
|
||
810000
|
unkown
|
page readonly
|
||
282D000
|
stack
|
page read and write
|
||
897000
|
unkown
|
page readonly
|
There are 54 hidden memdumps, click here to show them.