Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| gMkw55jZRs.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_gMkw55jZRs.exe_8cec7857605b1b9ea06233d5661b9a9bf281fe_a110c5cc_ab3421fd-c012-44aa-ab3d-d3e1dfcf1adf\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_gMkw55jZRs.exe_99704b6c154fde80455fffd9f086c8b9b4127d83_a110c5cc_0c6b5c60-4ac6-4e44-ac1f-2a2fb2418ef7\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_gMkw55jZRs.exe_99704b6c154fde80455fffd9f086c8b9b4127d83_a110c5cc_1312c3d4-f70f-405a-8120-192c9cd31924\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_gMkw55jZRs.exe_99704b6c154fde80455fffd9f086c8b9b4127d83_a110c5cc_64249368-ede8-4fed-b3f8-033e7657138e\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_gMkw55jZRs.exe_99704b6c154fde80455fffd9f086c8b9b4127d83_a110c5cc_77323aed-aeb5-4f01-9e6c-53727c6a9718\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_gMkw55jZRs.exe_99704b6c154fde80455fffd9f086c8b9b4127d83_a110c5cc_9a3b9c5e-e045-4a05-b989-938c2a9e4c5d\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_gMkw55jZRs.exe_99704b6c154fde80455fffd9f086c8b9b4127d83_a110c5cc_d96f8c12-cab8-4e8c-b07f-3fb59bd24969\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER81D.tmp.dmp | Mini DuMP crash report, 14 streams, Tue Oct 8 06:13:06 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER8CA.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER8FA.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC09.tmp.dmp | Mini DuMP crash report, 14 streams, Tue Oct 8 06:12:59 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERED04.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERED25.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WEREED8.tmp.dmp | Mini DuMP crash report, 14 streams, Tue Oct 8 06:12:59 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1A8.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERF207.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERF3D9.tmp.dmp | Mini DuMP crash report, 14 streams, Tue Oct 8 06:13:00 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERF448.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERF497.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERF61B.tmp.dmp | Mini DuMP crash report, 14 streams, Tue Oct 8 06:13:01 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERF67A.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERF68B.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERF82F.tmp.dmp | Mini DuMP crash report, 14 streams, Tue Oct 8 06:13:02 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERF8BC.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERF8DD.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERFBF7.tmp.dmp | Mini DuMP crash report, 14 streams, Tue Oct 8 06:13:03 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERFC66.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERFC96.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped | |

20 further files are not shown in this excerpt.

Every dropped file listed here is either a Windows Error Reporting artefact (the Report.wer queue entries, the minidumps and their metadata XML under WER\Temp) or the Amcache hive, that is, created by Windows because the sample crashed and was inventoried, not written by the sample itself. The seven minidumps are timestamped between 06:12:59 and 06:13:06 on 8 Oct 2024, one per WerFault.exe launch listed under Processes.
Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\gMkw55jZRs.exe | "C:\Users\user\Desktop\gMkw55jZRs.exe" | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6876 -s 804 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6876 -s 824 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6876 -s 856 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6876 -s 864 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6876 -s 980 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6876 -s 1124 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6876 -s 1060 | |
URLs

| Name | IP | Malicious |
|---|---|---|
| http://62.122.184.144/ | 62.122.184.144 | |
| http://62.122.184.144/f88d87a7e087e100.php | 62.122.184.144 | |
| http://62.122.184.144 | unknown | |
| http://62.122.184.144/f88d87a7e087e100.php9 | unknown | |
| http://62.122.184.144/S | unknown | |
| http://upx.sf.net | unknown | |
| http://62.122.184.144/f88d87a7e087e100.phpn | unknown | |
| http://62.122.184.144/f88d87a7e087e100.phpb | unknown | |
| http://62.122.184.144/f88d87a7e087e100.php/ | unknown | |
| http://62.122.184.144/f88d87a7e087e100.phpF | unknown | |
| http://62.122.184.144F | unknown | |

1 further URL is not shown in this excerpt.
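Only two of the URL strings above resolved to an IP, meaning a request to them was actually observed; the rest were found in memory. Entries such as `http://62.122.184.144/f88d87a7e087e100.phpn` and `http://62.122.184.144F` are the same two URLs with one byte of adjacent memory appended by the string scanner, and `http://upx.sf.net` is the project URL that the UPX stub carries in every packed binary, not a contact address of the payload. Before any of this goes into a blocklist it needs to be reduced to canonical indicators. The following Python is an added example written for this page, not sandbox output; the benign-host list and the one-trailing-byte fragment heuristic are the editor's assumptions and are marked as such in the code.

```python
from urllib.parse import urlsplit

# Rows of the URLs table above as (string, resolved IP). "unknown" means the
# string was only seen in memory; an IP means a request to it was observed.
SANDBOX_URLS = [
    ("http://62.122.184.144/", "62.122.184.144"),
    ("http://62.122.184.144/f88d87a7e087e100.php", "62.122.184.144"),
    ("http://62.122.184.144", "unknown"),
    ("http://62.122.184.144/f88d87a7e087e100.php9", "unknown"),
    ("http://62.122.184.144/S", "unknown"),
    ("http://upx.sf.net", "unknown"),
    ("http://62.122.184.144/f88d87a7e087e100.phpn", "unknown"),
    ("http://62.122.184.144/f88d87a7e087e100.phpb", "unknown"),
    ("http://62.122.184.144/f88d87a7e087e100.php/", "unknown"),
    ("http://62.122.184.144/f88d87a7e087e100.phpF", "unknown"),
    ("http://62.122.184.144F", "unknown"),
]

# Hosts that belong to the packer or runtime rather than to the payload.
# Assumption: the UPX stub embeds its project URL in every packed binary.
BENIGN_HOSTS = {"upx.sf.net"}


def canonical(url):
    """Normalise a URL string to scheme://host/path (an empty path becomes '/')."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return f"{parts.scheme}://{host}{parts.path or '/'}"


def normalise(rows, max_junk=1):
    """Sort sandbox URL strings into confirmed indicators, fragments of them,
    packer/runtime strings, and anything left over for manual review.

    A string counts as a fragment when removing up to `max_junk` trailing
    bytes yields a confirmed URL (assumption: the string scanner read one byte
    past the end of the URL in memory). Strings that cannot be attributed this
    way are kept in "unresolved" rather than silently dropped.
    """
    confirmed = {canonical(u) for u, ip in rows if ip != "unknown"}
    result = {"indicators": sorted(confirmed), "fragments": {}, "benign": [], "unresolved": []}
    for url, ip in rows:
        if ip != "unknown":
            continue
        if (urlsplit(url).hostname or "").lower() in BENIGN_HOSTS:
            result["benign"].append(url)
            continue
        for cut in range(max_junk + 1):
            candidate = canonical(url[: len(url) - cut])
            if candidate in confirmed:
                result["fragments"][url] = candidate
                break
        else:
            result["unresolved"].append(url)
    return result


def blocklist(result):
    """Hosts and URL paths to block, derived from confirmed indicators only."""
    hosts = {urlsplit(u).hostname for u in result["indicators"]}
    paths = {urlsplit(u).path for u in result["indicators"]}
    return {"hosts": sorted(hosts), "paths": sorted(paths)}


if __name__ == "__main__":
    summary = normalise(SANDBOX_URLS)
    print(summary)
    print(blocklist(summary))
```

For this run the output is two indicators (`http://62.122.184.144/` and `http://62.122.184.144/f88d87a7e087e100.php`), eight fragments mapped onto them, one packer string and nothing unresolved. The `.php` path is the more specific indicator; the bare IP may be shared hosting, so check it before blocking at the network edge.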
IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 62.122.184.144 | unknown | unknown | |
Registry

| Path | Value | Malicious |
|---|---|---|
| \REGISTRY\A\{4af327e4-2966-419d-785e-c4807fd38530}\Root\InventoryApplicationFile\gmkw55jzrs.exe\|800c6d8bee7ebf0d | ProgramId | |
| \REGISTRY\A\{4af327e4-2966-419d-785e-c4807fd38530}\Root\InventoryApplicationFile\gmkw55jzrs.exe\|800c6d8bee7ebf0d | FileId | |
| \REGISTRY\A\{4af327e4-2966-419d-785e-c4807fd38530}\Root\InventoryApplicationFile\gmkw55jzrs.exe\|800c6d8bee7ebf0d | LowerCaseLongPath | |
| \REGISTRY\A\{4af327e4-2966-419d-785e-c4807fd38530}\Root\InventoryApplicationFile\gmkw55jzrs.exe\|800c6d8bee7ebf0d | LongPathHash | |
| \REGISTRY\A\{4af327e4-2966-419d-785e-c4807fd38530}\Root\InventoryApplicationFile\gmkw55jzrs.exe\|800c6d8bee7ebf0d | Name | |
| \REGISTRY\A\{4af327e4-2966-419d-785e-c4807fd38530}\Root\InventoryApplicationFile\gmkw55jzrs.exe\|800c6d8bee7ebf0d | OriginalFileName | |
| \REGISTRY\A\{4af327e4-2966-419d-785e-c4807fd38530}\Root\InventoryApplicationFile\gmkw55jzrs.exe\|800c6d8bee7ebf0d | Publisher | |
| \REGISTRY\A\{4af327e4-2966-419d-785e-c4807fd38530}\Root\InventoryApplicationFile\gmkw55jzrs.exe\|800c6d8bee7ebf0d | Version | |
| \REGISTRY\A\{4af327e4-2966-419d-785e-c4807fd38530}\Root\InventoryApplicationFile\gmkw55jzrs.exe\|800c6d8bee7ebf0d | BinFileVersion | |
| \REGISTRY\A\{4af327e4-2966-419d-785e-c4807fd38530}\Root\InventoryApplicationFile\gmkw55jzrs.exe\|800c6d8bee7ebf0d | BinaryType | |
| \REGISTRY\A\{4af327e4-2966-419d-785e-c4807fd38530}\Root\InventoryApplicationFile\gmkw55jzrs.exe\|800c6d8bee7ebf0d | ProductName | |
| \REGISTRY\A\{4af327e4-2966-419d-785e-c4807fd38530}\Root\InventoryApplicationFile\gmkw55jzrs.exe\|800c6d8bee7ebf0d | ProductVersion | |
| \REGISTRY\A\{4af327e4-2966-419d-785e-c4807fd38530}\Root\InventoryApplicationFile\gmkw55jzrs.exe\|800c6d8bee7ebf0d | LinkDate | |
| \REGISTRY\A\{4af327e4-2966-419d-785e-c4807fd38530}\Root\InventoryApplicationFile\gmkw55jzrs.exe\|800c6d8bee7ebf0d | BinProductVersion | |
| \REGISTRY\A\{4af327e4-2966-419d-785e-c4807fd38530}\Root\InventoryApplicationFile\gmkw55jzrs.exe\|800c6d8bee7ebf0d | AppxPackageFullName | |
| \REGISTRY\A\{4af327e4-2966-419d-785e-c4807fd38530}\Root\InventoryApplicationFile\gmkw55jzrs.exe\|800c6d8bee7ebf0d | AppxPackageRelativeId | |
| \REGISTRY\A\{4af327e4-2966-419d-785e-c4807fd38530}\Root\InventoryApplicationFile\gmkw55jzrs.exe\|800c6d8bee7ebf0d | Size | |
| \REGISTRY\A\{4af327e4-2966-419d-785e-c4807fd38530}\Root\InventoryApplicationFile\gmkw55jzrs.exe\|800c6d8bee7ebf0d | Language | |
| \REGISTRY\A\{4af327e4-2966-419d-785e-c4807fd38530}\Root\InventoryApplicationFile\gmkw55jzrs.exe\|800c6d8bee7ebf0d | Usn | |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData | ClockTimeSeconds | |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData | TickCount | |

11 further registry entries are not shown in this excerpt.

The `\REGISTRY\A\{…}\Root\InventoryApplicationFile\…` values are the Amcache application hive (the `Amcache.hve` listed under Files) being updated by Windows' application-compatibility inventory when the sample was executed, and record the file's path, hashes and version resource for later forensic lookup. None of the values shown is a persistence location (Run keys, services, scheduled tasks).
Memdumps

| Base Address | Region type | Protect | Malicious |
|---|---|---|---|
| 9D4000 | heap | page read and write | |
| 2330000 | direct allocation | page read and write | |
| 400000 | unknown | page execute and read and write | |
| 910000 | direct allocation | page execute and read and write | |
| 23DD000 | stack | page read and write | |
| 990000 | heap | page read and write | |
| 9F9000 | heap | page read and write | |
| 19D000 | stack | page read and write | |
| 65C000 | unknown | page execute and read and write | |
| 2400000 | heap | page read and write | |
| 99E000 | heap | page read and write | |
| A29000 | heap | page read and write | |
| 1A9DD000 | stack | page read and write | |
| 1AA3D000 | stack | page read and write | |
| 434000 | unknown | page write copy | |
| 4BD000 | unknown | page execute and read and write | |
| A0D000 | heap | page read and write | |
| 1A79D000 | stack | page read and write | |
| 2540000 | heap | page read and write | |
| 1A61E000 | stack | page read and write | |
| 7CE000 | stack | page read and write | |
| 432000 | unknown | page readonly | |
| 1AC5F000 | heap | page read and write | |
| 1AB67000 | heap | page read and write | |
| 1A8DD000 | stack | page read and write | |
| 195000 | stack | page read and write | |
| 9C000 | stack | page read and write | |
| 1A75E000 | stack | page read and write | |
| 800000 | heap | page read and write | |
| 64A000 | unknown | page execute and read and write | |
| 1AC5B000 | heap | page read and write | |
| 7F0000 | heap | page read and write | |
| 805000 | heap | page read and write | |
| 9AA000 | heap | page execute and read and write | |
| 512000 | unknown | page readonly | |
| 401000 | unknown | page execute read | |
| 1A65D000 | stack | page read and write | |
| 1AB3E000 | stack | page read and write | |
| B8F000 | stack | page read and write | |
| A30000 | heap | page read and write | |
| 400000 | unknown | page readonly | |
| 250E000 | stack | page read and write | |
| 78E000 | stack | page read and write | |
| A2E000 | heap | page read and write | |
| 740000 | heap | page read and write | |
| 2403000 | heap | page read and write | |
| 2340000 | heap | page read and write | |
| 4E2000 | unknown | page execute and read and write | |
| 999000 | heap | page read and write | |
| 4B1000 | unknown | page execute and read and write | |
| 1A89E000 | stack | page read and write | |
| 90F000 | stack | page read and write | |
| 239D000 | stack | page read and write | |
| 1F0000 | heap | page read and write | |

44 further memory regions are not shown in this excerpt.

The executable regions are the ones to carve first. The image base 400000 is captured both as read-only and as execute/read/write, with 401000 as execute/read, the direct allocation at 910000 and the heap region at 9AA000 are execute/read/write, and several further unknown regions (4B1000, 4BD000, 4E2000, 64A000, 65C000) are also writable and executable. Memory that is both writable and executable outside a mapped image is where an unpacked or decrypted stage typically lands, and the `http://upx.sf.net` string under URLs shows a UPX stub is present in the sample.