Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| YLshJwBcrT.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_YLshJwBcrT.exe_12885d2dcec36f491be32bdbb77a014a21804f_c3c1b60d_13641b0f-c065-4d0c-ba01-485637729b5d\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_YLshJwBcrT.exe_12885d2dcec36f491be32bdbb77a014a21804f_c3c1b60d_1b0316bc-655b-4c0e-b2b1-600653fef662\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_YLshJwBcrT.exe_12885d2dcec36f491be32bdbb77a014a21804f_c3c1b60d_9cdb16ee-371a-42ec-9589-4bd8b71984c9\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_YLshJwBcrT.exe_12885d2dcec36f491be32bdbb77a014a21804f_c3c1b60d_dca337fc-e57a-4f16-9843-9b680bc1405c\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_YLshJwBcrT.exe_12885d2dcec36f491be32bdbb77a014a21804f_c3c1b60d_e8acf310-11c0-438e-b1ec-990fed94638b\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_YLshJwBcrT.exe_12885d2dcec36f491be32bdbb77a014a21804f_c3c1b60d_eb2ffbac-6f50-4acd-8c1e-b0b3d3b0f63f\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_YLshJwBcrT.exe_828a6db89a1c4381b47c175eeee93cadfc17725f_c3c1b60d_7a321e85-eb8d-45a0-ba19-a8fb1f87f369\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER386B.tmp.dmp | Mini DuMP crash report, 14 streams, Tue Oct 8 05:21:05 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER3937.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER3967.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER3B88.tmp.dmp | Mini DuMP crash report, 14 streams, Tue Oct 8 05:21:06 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER3DFA.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E39.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER3FDD.tmp.dmp | Mini DuMP crash report, 14 streams, Tue Oct 8 05:21:07 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER407B.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER40AA.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER426E.tmp.dmp | Mini DuMP crash report, 14 streams, Tue Oct 8 05:21:08 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER42FB.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER433B.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER452D.tmp.dmp | Mini DuMP crash report, 14 streams, Tue Oct 8 05:21:08 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER45DA.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER4609.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER49A1.tmp.dmp | Mini DuMP crash report, 14 streams, Tue Oct 8 05:21:10 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER4A1F.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER4A40.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER5615.tmp.dmp | Mini DuMP crash report, 14 streams, Tue Oct 8 05:21:13 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER5674.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER5694.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped | |

20 further files are not shown.
Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\YLshJwBcrT.exe | "C:\Users\user\Desktop\YLshJwBcrT.exe" | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 812 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 820 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 812 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 860 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 984 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 1008 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 1300 | |
URLs

| Name | IP | Malicious |
|---|---|---|
| http://62.204.41.150 | unknown | |
| http://62.204.41.150/ | 62.204.41.150 | |
| http://62.204.41.150/e | unknown | |
| http://62.204.41.150/edd20096ecef326d.php | 62.204.41.150 | |
| http://62.204.41.150/edd20096ecef326d.phpS | unknown | |
| http://62.204.41.150/edd20096ecef326d.phpQ | unknown | |
| http://62.204.41.1503 | unknown | |
| http://62.204.41.150/edd20096ecef326d.php- | unknown | |
| http://62.204.41.150/edd20096ecef326d.phpt | unknown | |
| http://upx.sf.net | unknown | |
| http://62.204.41.150/edd20096ecef326d.phpI | unknown | |
| http://62.204.41.150/edd20096ecef326d.phpG | unknown | |
| http://62.204.41.150/edd20096ecef326d.phpE | unknown | |

3 further URLs are not shown.
IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 62.204.41.150 | unknown | United Kingdom | |
Registry

| Path | Value | Malicious |
|---|---|---|
| \REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe\|8905c3e726e8dad6 | ProgramId | |
| \REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe\|8905c3e726e8dad6 | FileId | |
| \REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe\|8905c3e726e8dad6 | LowerCaseLongPath | |
| \REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe\|8905c3e726e8dad6 | LongPathHash | |
| \REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe\|8905c3e726e8dad6 | Name | |
| \REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe\|8905c3e726e8dad6 | OriginalFileName | |
| \REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe\|8905c3e726e8dad6 | Publisher | |
| \REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe\|8905c3e726e8dad6 | Version | |
| \REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe\|8905c3e726e8dad6 | BinFileVersion | |
| \REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe\|8905c3e726e8dad6 | BinaryType | |
| \REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe\|8905c3e726e8dad6 | ProductName | |
| \REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe\|8905c3e726e8dad6 | ProductVersion | |
| \REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe\|8905c3e726e8dad6 | LinkDate | |
| \REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe\|8905c3e726e8dad6 | BinProductVersion | |
| \REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe\|8905c3e726e8dad6 | AppxPackageFullName | |
| \REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe\|8905c3e726e8dad6 | AppxPackageRelativeId | |
| \REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe\|8905c3e726e8dad6 | Size | |
| \REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe\|8905c3e726e8dad6 | Language | |
| \REGISTRY\A\{1b3a9a8b-8842-d3ae-cc39-46057547271e}\Root\InventoryApplicationFile\ylshjwbcrt.exe\|8905c3e726e8dad6 | Usn | |

9 further registry entries are not shown.
Memdumps

| Base Address | Region type | Protect | Malicious |
|---|---|---|---|
| 88A000 | heap | page read and write | |
| 22E0000 | direct allocation | page execute and read and write | |
| 2330000 | direct allocation | page read and write | |
| 400000 | unknown | page execute and read and write | |
| 1AB3E000 | stack | page read and write | |
| 775000 | heap | page read and write | |
| 23ED000 | stack | page read and write | |
| 84B000 | heap | page read and write | |
| 401000 | unknown | page execute read | |
| 1A7AD000 | stack | page read and write | |
| 1AB69000 | heap | page read and write | |
| 1A76E000 | stack | page read and write | |
| 1AC61000 | heap | page read and write | |
| 7FE000 | stack | page read and write | |
| 434000 | unknown | page write copy | |
| 432000 | unknown | page readonly | |
| 400000 | unknown | page readonly | |
| 8BE000 | heap | page read and write | |
| 9C000 | stack | page read and write | |
| 1AC5D000 | heap | page read and write | |
| 883000 | heap | page read and write | |
| A3F000 | stack | page read and write | |
| 770000 | heap | page read and write | |
| 23A0000 | heap | page read and write | |
| B3F000 | stack | page read and write | |
| 84E000 | heap | page read and write | |
| 1A66E000 | stack | page read and write | |
| 238D000 | stack | page read and write | |
| 2473000 | heap | page read and write | |
| 1A8AE000 | stack | page read and write | |
| 840000 | heap | page read and write | |
| 740000 | heap | page read and write | |
| 1A9ED000 | stack | page read and write | |
| 1A56E000 | stack | page read and write | |
| 85A000 | heap | page execute and read and write | |
| 242D000 | stack | page read and write | |
| 8C4000 | heap | page read and write | |
| 4BD000 | unknown | page execute and read and write | |
| 4B1000 | unknown | page execute and read and write | |
| 19D000 | stack | page read and write | |
| 2490000 | heap | page read and write | |
| 7BE000 | stack | page read and write | |
| 8DA000 | heap | page read and write | |
| 4E2000 | unknown | page execute and read and write | |
| 2330000 | heap | page read and write | |
| 2470000 | heap | page read and write | |
| 1F0000 | heap | page read and write | |
| 1A8ED000 | stack | page read and write | |
| 195000 | stack | page read and write | |
| 64A000 | unknown | page execute and read and write | |
| 8AB000 | heap | page read and write | |
| 1AA3D000 | stack | page read and write | |
| 512000 | unknown | page readonly | |
| 65C000 | unknown | page execute and read and write | |

44 further memdumps are not shown.