Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
YLshJwBcrT.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
initial sample
|
 |
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_YLshJwBcrT.exe_12885d2dcec36f491be32bdbb77a014a21804f_c3c1b60d_13641b0f-c065-4d0c-ba01-485637729b5d\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
|
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_YLshJwBcrT.exe_12885d2dcec36f491be32bdbb77a014a21804f_c3c1b60d_1b0316bc-655b-4c0e-b2b1-600653fef662\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
|
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_YLshJwBcrT.exe_12885d2dcec36f491be32bdbb77a014a21804f_c3c1b60d_9cdb16ee-371a-42ec-9589-4bd8b71984c9\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
|
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_YLshJwBcrT.exe_12885d2dcec36f491be32bdbb77a014a21804f_c3c1b60d_dca337fc-e57a-4f16-9843-9b680bc1405c\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
|
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_YLshJwBcrT.exe_12885d2dcec36f491be32bdbb77a014a21804f_c3c1b60d_e8acf310-11c0-438e-b1ec-990fed94638b\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
|
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_YLshJwBcrT.exe_12885d2dcec36f491be32bdbb77a014a21804f_c3c1b60d_eb2ffbac-6f50-4acd-8c1e-b0b3d3b0f63f\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
|
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_YLshJwBcrT.exe_828a6db89a1c4381b47c175eeee93cadfc17725f_c3c1b60d_7a321e85-eb8d-45a0-ba19-a8fb1f87f369\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
|
|
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER386B.tmp.dmp
|
Mini DuMP crash report, 14 streams, Tue Oct 8 05:21:05 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3937.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3967.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3B88.tmp.dmp
|
Mini DuMP crash report, 14 streams, Tue Oct 8 05:21:06 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3DFA.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E39.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3FDD.tmp.dmp
|
Mini DuMP crash report, 14 streams, Tue Oct 8 05:21:07 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER407B.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER40AA.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER426E.tmp.dmp
|
Mini DuMP crash report, 14 streams, Tue Oct 8 05:21:08 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER42FB.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER433B.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER452D.tmp.dmp
|
Mini DuMP crash report, 14 streams, Tue Oct 8 05:21:08 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER45DA.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4609.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER49A1.tmp.dmp
|
Mini DuMP crash report, 14 streams, Tue Oct 8 05:21:10 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4A1F.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4A40.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5615.tmp.dmp
|
Mini DuMP crash report, 14 streams, Tue Oct 8 05:21:13 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5674.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5694.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Windows\appcompat\Programs\Amcache.hve
|
MS Windows registry file, NT/2000 or above
|
dropped
|
There are 20 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Users\user\Desktop\YLshJwBcrT.exe
|
"C:\Users\user\Desktop\YLshJwBcrT.exe"
|
|
|
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 812
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 820
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 812
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 860
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 984
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 1008
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 1300
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://62.204.41.150
|
unknown
|
|
|
|
http://62.204.41.150/
|
62.204.41.150
|
|
|
|
http://62.204.41.150/e
|
unknown
|
|
|
|
http://62.204.41.150/edd20096ecef326d.php
|
62.204.41.150
|
|
|
|
http://62.204.41.150/edd20096ecef326d.phpS
|
unknown
|
||
|
http://62.204.41.150/edd20096ecef326d.phpQ
|
unknown
|
||
|
http://62.204.41.1503
|
unknown
|
||
|
http://62.204.41.150/edd20096ecef326d.php-
|
unknown
|
||
|
http://62.204.41.150/edd20096ecef326d.phpt
|
unknown
|
||
|
http://upx.sf.net
|
unknown
|
||
|
http://62.204.41.150/edd20096ecef326d.phpI
|
unknown
|
||
|
http://62.204.41.150/edd20096ecef326d.phpG
|
unknown
|
||
|
http://62.204.41.150/edd20096ecef326d.phpE
|
unknown
|
There are 3 hidden URLs, click here to show them.
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
62.204.41.150
|
unknown
|
United Kingdom
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
\REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe|8905c3e726e8dad6
|
ProgramId
|
||
|
\REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe|8905c3e726e8dad6
|
FileId
|
||
|
\REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe|8905c3e726e8dad6
|
LowerCaseLongPath
|
||
|
\REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe|8905c3e726e8dad6
|
LongPathHash
|
||
|
\REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe|8905c3e726e8dad6
|
Name
|
||
|
\REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe|8905c3e726e8dad6
|
OriginalFileName
|
||
|
\REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe|8905c3e726e8dad6
|
Publisher
|
||
|
\REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe|8905c3e726e8dad6
|
Version
|
||
|
\REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe|8905c3e726e8dad6
|
BinFileVersion
|
||
|
\REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe|8905c3e726e8dad6
|
BinaryType
|
||
|
\REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe|8905c3e726e8dad6
|
ProductName
|
||
|
\REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe|8905c3e726e8dad6
|
ProductVersion
|
||
|
\REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe|8905c3e726e8dad6
|
LinkDate
|
||
|
\REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe|8905c3e726e8dad6
|
BinProductVersion
|
||
|
\REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe|8905c3e726e8dad6
|
AppxPackageFullName
|
||
|
\REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe|8905c3e726e8dad6
|
AppxPackageRelativeId
|
||
|
\REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe|8905c3e726e8dad6
|
Size
|
||
|
\REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe|8905c3e726e8dad6
|
Language
|
||
|
\REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe|8905c3e726e8dad6
|
Usn
|
There are 9 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
88A000
|
heap
|
page read and write
|
|
|
|
22E0000
|
direct allocation
|
page execute and read and write
|
|
|
|
2330000
|
direct allocation
|
page read and write
|
|
|
|
400000
|
unkown
|
page execute and read and write
|
|
|
|
1AB3E000
|
stack
|
page read and write
|
||
|
775000
|
heap
|
page read and write
|
||
|
23ED000
|
stack
|
page read and write
|
||
|
84B000
|
heap
|
page read and write
|
||
|
401000
|
unkown
|
page execute read
|
||
|
1A7AD000
|
stack
|
page read and write
|
||
|
1AB69000
|
heap
|
page read and write
|
||
|
1A76E000
|
stack
|
page read and write
|
||
|
1AC61000
|
heap
|
page read and write
|
||
|
7FE000
|
stack
|
page read and write
|
||
|
434000
|
unkown
|
page write copy
|
||
|
432000
|
unkown
|
page readonly
|
||
|
400000
|
unkown
|
page readonly
|
||
|
8BE000
|
heap
|
page read and write
|
||
|
9C000
|
stack
|
page read and write
|
||
|
1AC5D000
|
heap
|
page read and write
|
||
|
883000
|
heap
|
page read and write
|
||
|
A3F000
|
stack
|
page read and write
|
||
|
770000
|
heap
|
page read and write
|
||
|
23A0000
|
heap
|
page read and write
|
||
|
B3F000
|
stack
|
page read and write
|
||
|
84E000
|
heap
|
page read and write
|
||
|
1A66E000
|
stack
|
page read and write
|
||
|
238D000
|
stack
|
page read and write
|
||
|
2473000
|
heap
|
page read and write
|
||
|
1A8AE000
|
stack
|
page read and write
|
||
|
840000
|
heap
|
page read and write
|
||
|
740000
|
heap
|
page read and write
|
||
|
1A9ED000
|
stack
|
page read and write
|
||
|
1A56E000
|
stack
|
page read and write
|
||
|
85A000
|
heap
|
page execute and read and write
|
||
|
242D000
|
stack
|
page read and write
|
||
|
8C4000
|
heap
|
page read and write
|
||
|
4BD000
|
unkown
|
page execute and read and write
|
||
|
4B1000
|
unkown
|
page execute and read and write
|
||
|
19D000
|
stack
|
page read and write
|
||
|
2490000
|
heap
|
page read and write
|
||
|
7BE000
|
stack
|
page read and write
|
||
|
8DA000
|
heap
|
page read and write
|
||
|
4E2000
|
unkown
|
page execute and read and write
|
||
|
2330000
|
heap
|
page read and write
|
||
|
2470000
|
heap
|
page read and write
|
||
|
1F0000
|
heap
|
page read and write
|
||
|
1A8ED000
|
stack
|
page read and write
|
||
|
195000
|
stack
|
page read and write
|
||
|
64A000
|
unkown
|
page execute and read and write
|
||
|
8AB000
|
heap
|
page read and write
|
||
|
1AA3D000
|
stack
|
page read and write
|
||
|
512000
|
unkown
|
page readonly
|
||
|
65C000
|
unkown
|
page execute and read and write
|
There are 44 hidden memdumps, click here to show them.