Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| 1f13Cs1ogc.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_1f13Cs1ogc.exe_d6c2601472a1e2329a283caeddd13e21ba0c439_01cc4f56_d1e131fd-d66e-4158-87c7-730795a95caa\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERD1B3.tmp.dmp | Mini DuMP crash report, 14 streams, Mon Oct 7 16:46:05 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERD221.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERD261.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped | |
Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\1f13Cs1ogc.exe | "C:\Users\user\Desktop\1f13Cs1ogc.exe" | |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" | |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" | |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6352 -s 288 | |
URLs

| Name | IP | Malicious |
|---|---|---|
| http://62.204.41.150 | unknown | |
| http://62.204.41.150/ | 62.204.41.150 | |
| http://62.204.41.150/edd20096ecef326d.php | 62.204.41.150 | |
| http://upx.sf.net | unknown | |
| http://62.204.41.150t | unknown | |
| http://62.204.41.150/bJ | unknown | |
| http://62.204.41.150/edd20096ecef326d.php5 | unknown | |
| http://62.204.41.150/j | unknown | |
| http://62.204.41.150~ | unknown | |
Domains

| Name | IP | Malicious |
|---|---|---|
| bg.microsoft.map.fastly.net | 199.232.214.172 | |
| s-part-0036.t-0009.t-msedge.net | 13.107.246.64 | |
| fp2e7a.wpc.phicdn.net | 192.229.221.95 | |
IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 62.204.41.150 | unknown | United Kingdom | |
Registry

| Path | Value | Malicious |
|---|---|---|
| \REGISTRY\A\{e03a741a-8fba-86ad-d523-ebaf8bc9e1c0}\Root\InventoryApplicationFile\1f13cs1ogc.exe\|a05eec7ca06e5254 | ProgramId | |
| \REGISTRY\A\{e03a741a-8fba-86ad-d523-ebaf8bc9e1c0}\Root\InventoryApplicationFile\1f13cs1ogc.exe\|a05eec7ca06e5254 | FileId | |
| \REGISTRY\A\{e03a741a-8fba-86ad-d523-ebaf8bc9e1c0}\Root\InventoryApplicationFile\1f13cs1ogc.exe\|a05eec7ca06e5254 | LowerCaseLongPath | |
| \REGISTRY\A\{e03a741a-8fba-86ad-d523-ebaf8bc9e1c0}\Root\InventoryApplicationFile\1f13cs1ogc.exe\|a05eec7ca06e5254 | LongPathHash | |
| \REGISTRY\A\{e03a741a-8fba-86ad-d523-ebaf8bc9e1c0}\Root\InventoryApplicationFile\1f13cs1ogc.exe\|a05eec7ca06e5254 | Name | |
| \REGISTRY\A\{e03a741a-8fba-86ad-d523-ebaf8bc9e1c0}\Root\InventoryApplicationFile\1f13cs1ogc.exe\|a05eec7ca06e5254 | OriginalFileName | |
| \REGISTRY\A\{e03a741a-8fba-86ad-d523-ebaf8bc9e1c0}\Root\InventoryApplicationFile\1f13cs1ogc.exe\|a05eec7ca06e5254 | Publisher | |
| \REGISTRY\A\{e03a741a-8fba-86ad-d523-ebaf8bc9e1c0}\Root\InventoryApplicationFile\1f13cs1ogc.exe\|a05eec7ca06e5254 | Version | |
| \REGISTRY\A\{e03a741a-8fba-86ad-d523-ebaf8bc9e1c0}\Root\InventoryApplicationFile\1f13cs1ogc.exe\|a05eec7ca06e5254 | BinFileVersion | |
| \REGISTRY\A\{e03a741a-8fba-86ad-d523-ebaf8bc9e1c0}\Root\InventoryApplicationFile\1f13cs1ogc.exe\|a05eec7ca06e5254 | BinaryType | |
| \REGISTRY\A\{e03a741a-8fba-86ad-d523-ebaf8bc9e1c0}\Root\InventoryApplicationFile\1f13cs1ogc.exe\|a05eec7ca06e5254 | ProductName | |
| \REGISTRY\A\{e03a741a-8fba-86ad-d523-ebaf8bc9e1c0}\Root\InventoryApplicationFile\1f13cs1ogc.exe\|a05eec7ca06e5254 | ProductVersion | |
| \REGISTRY\A\{e03a741a-8fba-86ad-d523-ebaf8bc9e1c0}\Root\InventoryApplicationFile\1f13cs1ogc.exe\|a05eec7ca06e5254 | LinkDate | |
| \REGISTRY\A\{e03a741a-8fba-86ad-d523-ebaf8bc9e1c0}\Root\InventoryApplicationFile\1f13cs1ogc.exe\|a05eec7ca06e5254 | BinProductVersion | |
| \REGISTRY\A\{e03a741a-8fba-86ad-d523-ebaf8bc9e1c0}\Root\InventoryApplicationFile\1f13cs1ogc.exe\|a05eec7ca06e5254 | AppxPackageFullName | |
| \REGISTRY\A\{e03a741a-8fba-86ad-d523-ebaf8bc9e1c0}\Root\InventoryApplicationFile\1f13cs1ogc.exe\|a05eec7ca06e5254 | AppxPackageRelativeId | |
| \REGISTRY\A\{e03a741a-8fba-86ad-d523-ebaf8bc9e1c0}\Root\InventoryApplicationFile\1f13cs1ogc.exe\|a05eec7ca06e5254 | Size | |
| \REGISTRY\A\{e03a741a-8fba-86ad-d523-ebaf8bc9e1c0}\Root\InventoryApplicationFile\1f13cs1ogc.exe\|a05eec7ca06e5254 | Language | |
| \REGISTRY\A\{e03a741a-8fba-86ad-d523-ebaf8bc9e1c0}\Root\InventoryApplicationFile\1f13cs1ogc.exe\|a05eec7ca06e5254 | Usn | |

9 further registry entries are not included in this export.
Memdumps

| Base Address | Region type | Protect | Malicious |
|---|---|---|---|
| 100D000 | unknown | page read and write | |
| 400000 | remote allocation | page execute and read and write | |
| E07000 | heap | page read and write | |
| 16CF000 | stack | page read and write | |
| 11BD000 | stack | page read and write | |
| 1003000 | unknown | page readonly | |
| FFF000 | stack | page read and write | |
| D7D000 | stack | page read and write | |
| 105A000 | unknown | page execute and read and write | |
| D20000 | heap | page read and write | |
| F9E000 | stack | page read and write | |
| D25000 | heap | page read and write | |
| 1AD9F000 | stack | page read and write | |
| 64A000 | remote allocation | page execute and read and write | |
| 1AA5F000 | stack | page read and write | |
| FE1000 | unknown | page execute read | |
| E7D000 | stack | page read and write | |
| E47000 | heap | page read and write | |
| E00000 | heap | page read and write | |
| DC0000 | heap | page read and write | |
| 1118000 | heap | page read and write | |
| 1AB5C000 | stack | page read and write | |
| C00000 | heap | page read and write | |
| FE0000 | unknown | page readonly | |
| 99E000 | stack | page read and write | |
| 1AEFE000 | stack | page read and write | |
| 995000 | stack | page read and write | |
| F50000 | heap | page read and write | |
| 65C000 | remote allocation | page execute and read and write | |
| 110E000 | heap | page read and write | |
| 1AFFE000 | stack | page read and write | |
| 89C000 | stack | page read and write | |
| 11E0000 | heap | page read and write | |
| E2C000 | heap | page read and write | |
| 1AC9E000 | stack | page read and write | |
| 117E000 | stack | page read and write | |
| ED0000 | heap | page read and write | |
| 105C000 | unknown | page readonly | |
| 105C000 | unknown | page readonly | |
| 105B000 | unknown | page read and write | |
| D7D000 | stack | page read and write | |
| 4BD000 | remote allocation | page execute and read and write | |
| EE0000 | heap | page read and write | |
| D30000 | heap | page read and write | |
| E64000 | heap | page read and write | |
| 1100000 | heap | page read and write | |
| F2E000 | stack | page read and write | |
| 15CF000 | stack | page read and write | |
| 110A000 | heap | page read and write | |
| 11E4000 | heap | page read and write | |
| 4B1000 | remote allocation | page execute and read and write | |
| 1AC5D000 | stack | page read and write | |
| 10FF000 | stack | page read and write | |
| D1E000 | stack | page read and write | |
| 1ADB0000 | heap | page read and write | |
| 1003000 | unknown | page readonly | |
| 4E2000 | remote allocation | page execute and read and write | |
| 113E000 | stack | page read and write | |
| 100D000 | unknown | page write copy | |
| FE1000 | unknown | page execute read | |
| FE0000 | unknown | page readonly | |

51 further memdumps are not included in this export.