Files
File Path
|
Type
|
Category
|
Malicious
|
|
---|---|---|---|---|
5rVhexjLCx.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
initial sample
|
||
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_5rVhexjLCx.exe_4f563470d5c1e523cae46f4ce3215b123fa5833_07f53762_c9c77ddf-0ca1-47fc-8dbf-f5e4899913d0\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8CD9.tmp.dmp
|
Mini DuMP crash report, 14 streams, Mon Oct 7 16:00:19 2024, 0x1205a4 type
|
dropped
|
||
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8D28.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8D68.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
C:\Windows\appcompat\Programs\Amcache.hve
|
MS Windows registry file, NT/2000 or above
|
dropped
|
Processes
Path
|
Cmdline
|
Malicious
|
|
---|---|---|---|
C:\Users\user\Desktop\5rVhexjLCx.exe
|
"C:\Users\user\Desktop\5rVhexjLCx.exe"
|
||
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
|
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
|
||
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
|
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
|
||
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 7000 -s 272
|
URLs
Name
|
IP
|
Malicious
|
|
---|---|---|---|
http://62.204.41.150
|
unknown
|
||
http://62.204.41.150/
|
62.204.41.150
|
||
http://62.204.41.150/edd20096ecef326d.php
|
62.204.41.150
|
||
http://62.204.41.150/n
|
unknown
|
||
http://62.204.41.150/edd20096ecef326d.php0
|
unknown
|
||
http://upx.sf.net
|
unknown
|
||
http://62.204.41.150/edd20096ecef326d.phpFd
|
unknown
|
||
http://62.204.41.150/J
|
unknown
|
||
http://62.204.41.150/edd20096ecef326d.phpnd
|
unknown
|
Domains
Name
|
IP
|
Malicious
|
|
---|---|---|---|
s-part-0017.t-0009.fb-t-msedge.net
|
13.107.253.45
|
||
fp2e7a.wpc.phicdn.net
|
192.229.221.95
|
IPs
IP
|
Domain
|
Country
|
Malicious
|
|
---|---|---|---|---|
62.204.41.150
|
unknown
|
United Kingdom
|
Registry
Path
|
Value
|
Malicious
|
|
---|---|---|---|
\REGISTRY\A\{cc8cee25-4004-a638-e753-d565b1085cc2}\Root\InventoryApplicationFile\5rvhexjlcx.exe|a69ddf7f5a62a669
|
ProgramId
|
||
\REGISTRY\A\{cc8cee25-4004-a638-e753-d565b1085cc2}\Root\InventoryApplicationFile\5rvhexjlcx.exe|a69ddf7f5a62a669
|
FileId
|
||
\REGISTRY\A\{cc8cee25-4004-a638-e753-d565b1085cc2}\Root\InventoryApplicationFile\5rvhexjlcx.exe|a69ddf7f5a62a669
|
LowerCaseLongPath
|
||
\REGISTRY\A\{cc8cee25-4004-a638-e753-d565b1085cc2}\Root\InventoryApplicationFile\5rvhexjlcx.exe|a69ddf7f5a62a669
|
LongPathHash
|
||
\REGISTRY\A\{cc8cee25-4004-a638-e753-d565b1085cc2}\Root\InventoryApplicationFile\5rvhexjlcx.exe|a69ddf7f5a62a669
|
Name
|
||
\REGISTRY\A\{cc8cee25-4004-a638-e753-d565b1085cc2}\Root\InventoryApplicationFile\5rvhexjlcx.exe|a69ddf7f5a62a669
|
OriginalFileName
|
||
\REGISTRY\A\{cc8cee25-4004-a638-e753-d565b1085cc2}\Root\InventoryApplicationFile\5rvhexjlcx.exe|a69ddf7f5a62a669
|
Publisher
|
||
\REGISTRY\A\{cc8cee25-4004-a638-e753-d565b1085cc2}\Root\InventoryApplicationFile\5rvhexjlcx.exe|a69ddf7f5a62a669
|
Version
|
||
\REGISTRY\A\{cc8cee25-4004-a638-e753-d565b1085cc2}\Root\InventoryApplicationFile\5rvhexjlcx.exe|a69ddf7f5a62a669
|
BinFileVersion
|
||
\REGISTRY\A\{cc8cee25-4004-a638-e753-d565b1085cc2}\Root\InventoryApplicationFile\5rvhexjlcx.exe|a69ddf7f5a62a669
|
BinaryType
|
||
\REGISTRY\A\{cc8cee25-4004-a638-e753-d565b1085cc2}\Root\InventoryApplicationFile\5rvhexjlcx.exe|a69ddf7f5a62a669
|
ProductName
|
||
\REGISTRY\A\{cc8cee25-4004-a638-e753-d565b1085cc2}\Root\InventoryApplicationFile\5rvhexjlcx.exe|a69ddf7f5a62a669
|
ProductVersion
|
||
\REGISTRY\A\{cc8cee25-4004-a638-e753-d565b1085cc2}\Root\InventoryApplicationFile\5rvhexjlcx.exe|a69ddf7f5a62a669
|
LinkDate
|
||
\REGISTRY\A\{cc8cee25-4004-a638-e753-d565b1085cc2}\Root\InventoryApplicationFile\5rvhexjlcx.exe|a69ddf7f5a62a669
|
BinProductVersion
|
||
\REGISTRY\A\{cc8cee25-4004-a638-e753-d565b1085cc2}\Root\InventoryApplicationFile\5rvhexjlcx.exe|a69ddf7f5a62a669
|
AppxPackageFullName
|
||
\REGISTRY\A\{cc8cee25-4004-a638-e753-d565b1085cc2}\Root\InventoryApplicationFile\5rvhexjlcx.exe|a69ddf7f5a62a669
|
AppxPackageRelativeId
|
||
\REGISTRY\A\{cc8cee25-4004-a638-e753-d565b1085cc2}\Root\InventoryApplicationFile\5rvhexjlcx.exe|a69ddf7f5a62a669
|
Size
|
||
\REGISTRY\A\{cc8cee25-4004-a638-e753-d565b1085cc2}\Root\InventoryApplicationFile\5rvhexjlcx.exe|a69ddf7f5a62a669
|
Language
|
||
\REGISTRY\A\{cc8cee25-4004-a638-e753-d565b1085cc2}\Root\InventoryApplicationFile\5rvhexjlcx.exe|a69ddf7f5a62a669
|
Usn
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
|
ClockTimeSeconds
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
|
TickCount
|
There are 11 hidden registries, click here to show them.
Memdumps
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
---|---|---|---|---|
5AD000
|
unkown
|
page read and write
|
||
400000
|
remote allocation
|
page execute and read and write
|
||
1667000
|
heap
|
page read and write
|
||
163E000
|
stack
|
page read and write
|
||
16B8000
|
heap
|
page read and write
|
||
15DE000
|
stack
|
page read and write
|
||
17CE000
|
stack
|
page read and write
|
||
64A000
|
remote allocation
|
page execute and read and write
|
||
D40000
|
heap
|
page read and write
|
||
AC0000
|
heap
|
page read and write
|
||
4B1000
|
remote allocation
|
page execute and read and write
|
||
30CF000
|
stack
|
page read and write
|
||
16A7000
|
heap
|
page read and write
|
||
BA0000
|
heap
|
page read and write
|
||
16C4000
|
heap
|
page read and write
|
||
580000
|
unkown
|
page readonly
|
||
581000
|
unkown
|
page execute read
|
||
13B0000
|
heap
|
page read and write
|
||
1B59D000
|
stack
|
page read and write
|
||
1B69D000
|
stack
|
page read and write
|
||
1490000
|
heap
|
page read and write
|
||
88D000
|
stack
|
page read and write
|
||
98D000
|
stack
|
page read and write
|
||
65C000
|
remote allocation
|
page execute and read and write
|
||
5FC000
|
unkown
|
page readonly
|
||
581000
|
unkown
|
page execute read
|
||
1B54F000
|
stack
|
page read and write
|
||
125C000
|
stack
|
page read and write
|
||
1B29E000
|
stack
|
page read and write
|
||
1824000
|
heap
|
page read and write
|
||
14DE000
|
stack
|
page read and write
|
||
1660000
|
heap
|
page read and write
|
||
D4E000
|
heap
|
page read and write
|
||
15E0000
|
heap
|
page read and write
|
||
1770000
|
heap
|
page read and write
|
||
1495000
|
heap
|
page read and write
|
||
180E000
|
stack
|
page read and write
|
||
4BD000
|
remote allocation
|
page execute and read and write
|
||
4E2000
|
remote allocation
|
page execute and read and write
|
||
B4E000
|
stack
|
page read and write
|
||
5AD000
|
unkown
|
page write copy
|
||
1B2DE000
|
stack
|
page read and write
|
||
1B44E000
|
stack
|
page read and write
|
||
5A3000
|
unkown
|
page readonly
|
||
D57000
|
heap
|
page read and write
|
||
5A3000
|
unkown
|
page readonly
|
||
1B19F000
|
stack
|
page read and write
|
||
5FC000
|
unkown
|
page readonly
|
||
5FA000
|
unkown
|
page execute and read and write
|
||
135E000
|
stack
|
page read and write
|
||
D4A000
|
heap
|
page read and write
|
||
1B3DE000
|
stack
|
page read and write
|
||
1355000
|
stack
|
page read and write
|
||
9E0000
|
heap
|
page read and write
|
||
B0E000
|
stack
|
page read and write
|
||
580000
|
unkown
|
page readonly
|
||
5FB000
|
unkown
|
page read and write
|
||
F3F000
|
stack
|
page read and write
|
||
CAF000
|
stack
|
page read and write
|
||
1820000
|
heap
|
page read and write
|
There are 50 hidden memdumps, click here to show them.