Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
HS0ELYUCh9.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
initial sample
|
 |
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_HS0ELYUCh9.exe_1acf131be8f1b0612fdd819233887b5ff46_169523e3_db24732d-3337-4c78-a49f-4a97d241e36d\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
|
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_HS0ELYUCh9.exe_9f11afaa81eda390684d3f6b288aaf93f25d3d1_169523e3_c7d0e0d5-f201-42c2-ab50-ad248b7153f6\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
|
|
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE273.tmp.dmp
|
Mini DuMP crash report, 14 streams, Thu Oct 10 16:12:00 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE2A3.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE2C3.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE438.tmp.dmp
|
Mini DuMP crash report, 14 streams, Thu Oct 10 16:12:01 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE487.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE4B7.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Windows\appcompat\Programs\Amcache.hve
|
MS Windows registry file, NT/2000 or above
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Users\user\Desktop\HS0ELYUCh9.exe
|
"C:\Users\user\Desktop\HS0ELYUCh9.exe"
|
|
|
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 6632 -s 196
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 6632 -s 200
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
https://gainesville.craigslist.org/
|
unknown
|
||
|
https://www.dropbox.com/sh/t50csfyj0kcqm9o/AACYbjZ5mPJBQETIuF7DeZVma?dl=0
|
unknown
|
||
|
https://theconversation.com/us/technology
|
unknown
|
||
|
https://www.virustotal.com/
|
unknown
|
||
|
http://www.trueconnection.org/64/favicon-red.ico
|
unknown
|
||
|
http://upx.sf.net
|
unknown
|
||
|
http://www.efficiencyhelp.com/ra/
|
unknown
|
||
|
http://www.godwingreenroofs.com
|
unknown
|
||
|
http://192.168.1.1
|
unknown
|
||
|
https://autohotkey.com/logos/
|
unknown
|
||
|
https://www.dropbox.com/s/1rz25xk5ta1de01/Songs-of-the-Righteous.doc?dl=00
|
unknown
|
||
|
https://hello.freeconference.com/conf/call/2540897
|
unknown
|
||
|
https://talk2righteous.ryver.com/index.html#forums/1094233
|
unknown
|
||
|
https://www.youtube.com/watch?v=5Da2qVntopk
|
unknown
|
||
|
http://turtlecreekstore.weebly.com/
|
unknown
|
||
|
https://alfred.camera/webapp/
|
unknown
|
||
|
https://craigslist.org/
|
unknown
|
||
|
http://www.trueconnection.org/BibleStudies/John-Jacobs-Power-Force.htm
|
unknown
|
||
|
http://www.trueconnection.org/64/favicon.ico
|
unknown
|
||
|
https://d.docs.live.net/8dc2922513253ddd/Phone-Doc-Sync/Ph2PC.rtf
|
unknown
|
||
|
https://www2.deloitte.com/insights/us/en/focus/tech-trends/2018/no-collar-workforce.html
|
unknown
|
||
|
https://www.youtube.com/watch?v=sgC3JqQcT-8
|
unknown
|
||
|
https://www.youtube.com/results?search_query=connect
|
unknown
|
||
|
https://www.dropbox.com/history/Scripts/Josiahs-Master-Script.ahk?_subject_uid=233633894&undelete=1
|
unknown
|
||
|
http://www.trueconnection.org/mPRL
|
unknown
|
There are 15 hidden URLs, click here to show them.
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
\REGISTRY\A\{5830cdb6-5c5a-149b-fa26-3ead65d1243f}\Root\InventoryApplicationFile\hs0elyuch9.exe|68ed21d23939f023
|
ProgramId
|
||
|
\REGISTRY\A\{5830cdb6-5c5a-149b-fa26-3ead65d1243f}\Root\InventoryApplicationFile\hs0elyuch9.exe|68ed21d23939f023
|
FileId
|
||
|
\REGISTRY\A\{5830cdb6-5c5a-149b-fa26-3ead65d1243f}\Root\InventoryApplicationFile\hs0elyuch9.exe|68ed21d23939f023
|
LowerCaseLongPath
|
||
|
\REGISTRY\A\{5830cdb6-5c5a-149b-fa26-3ead65d1243f}\Root\InventoryApplicationFile\hs0elyuch9.exe|68ed21d23939f023
|
LongPathHash
|
||
|
\REGISTRY\A\{5830cdb6-5c5a-149b-fa26-3ead65d1243f}\Root\InventoryApplicationFile\hs0elyuch9.exe|68ed21d23939f023
|
Name
|
||
|
\REGISTRY\A\{5830cdb6-5c5a-149b-fa26-3ead65d1243f}\Root\InventoryApplicationFile\hs0elyuch9.exe|68ed21d23939f023
|
OriginalFileName
|
||
|
\REGISTRY\A\{5830cdb6-5c5a-149b-fa26-3ead65d1243f}\Root\InventoryApplicationFile\hs0elyuch9.exe|68ed21d23939f023
|
Publisher
|
||
|
\REGISTRY\A\{5830cdb6-5c5a-149b-fa26-3ead65d1243f}\Root\InventoryApplicationFile\hs0elyuch9.exe|68ed21d23939f023
|
Version
|
||
|
\REGISTRY\A\{5830cdb6-5c5a-149b-fa26-3ead65d1243f}\Root\InventoryApplicationFile\hs0elyuch9.exe|68ed21d23939f023
|
BinFileVersion
|
||
|
\REGISTRY\A\{5830cdb6-5c5a-149b-fa26-3ead65d1243f}\Root\InventoryApplicationFile\hs0elyuch9.exe|68ed21d23939f023
|
BinaryType
|
||
|
\REGISTRY\A\{5830cdb6-5c5a-149b-fa26-3ead65d1243f}\Root\InventoryApplicationFile\hs0elyuch9.exe|68ed21d23939f023
|
ProductName
|
||
|
\REGISTRY\A\{5830cdb6-5c5a-149b-fa26-3ead65d1243f}\Root\InventoryApplicationFile\hs0elyuch9.exe|68ed21d23939f023
|
ProductVersion
|
||
|
\REGISTRY\A\{5830cdb6-5c5a-149b-fa26-3ead65d1243f}\Root\InventoryApplicationFile\hs0elyuch9.exe|68ed21d23939f023
|
LinkDate
|
||
|
\REGISTRY\A\{5830cdb6-5c5a-149b-fa26-3ead65d1243f}\Root\InventoryApplicationFile\hs0elyuch9.exe|68ed21d23939f023
|
BinProductVersion
|
||
|
\REGISTRY\A\{5830cdb6-5c5a-149b-fa26-3ead65d1243f}\Root\InventoryApplicationFile\hs0elyuch9.exe|68ed21d23939f023
|
AppxPackageFullName
|
||
|
\REGISTRY\A\{5830cdb6-5c5a-149b-fa26-3ead65d1243f}\Root\InventoryApplicationFile\hs0elyuch9.exe|68ed21d23939f023
|
AppxPackageRelativeId
|
||
|
\REGISTRY\A\{5830cdb6-5c5a-149b-fa26-3ead65d1243f}\Root\InventoryApplicationFile\hs0elyuch9.exe|68ed21d23939f023
|
Size
|
||
|
\REGISTRY\A\{5830cdb6-5c5a-149b-fa26-3ead65d1243f}\Root\InventoryApplicationFile\hs0elyuch9.exe|68ed21d23939f023
|
Language
|
||
|
\REGISTRY\A\{5830cdb6-5c5a-149b-fa26-3ead65d1243f}\Root\InventoryApplicationFile\hs0elyuch9.exe|68ed21d23939f023
|
Usn
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
|
ClockTimeSeconds
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
|
TickCount
|
There are 11 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
4CE000
|
unkown
|
page readonly
|
||
|
400000
|
unkown
|
page readonly
|
||
|
9DE000
|
stack
|
page read and write
|
||
|
4CE000
|
unkown
|
page readonly
|
||
|
BB0000
|
heap
|
page read and write
|
||
|
5CB000
|
unkown
|
page readonly
|
||
|
A40000
|
heap
|
page read and write
|
||
|
100000
|
heap
|
page read and write
|
||
|
400000
|
unkown
|
page readonly
|
||
|
401000
|
unkown
|
page execute read
|
||
|
401000
|
unkown
|
page execute read
|
||
|
5CB000
|
unkown
|
page readonly
|
||
|
9D000
|
stack
|
page read and write
|
There are 3 hidden memdumps, click here to show them.