Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| G9e272AEyo.exe | PE32+ executable (console) x86-64, for MS Windows | initial sample | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_G9e272AEyo.exe_38d8115434c1d6f4526792875acb23d414_949d7e63_24e1ab57-b402-426d-a902-b7bdba8ffb82\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER3CEA.tmp.dmp | Mini DuMP crash report, 14 streams, Sun Oct 20 19:10:04 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER3DD6.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E35.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped | |
| \Device\Null | ASCII text, with CRLF line terminators | dropped | |
Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\G9e272AEyo.exe | "C:\Users\user\Desktop\G9e272AEyo.exe" | |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 | |
| C:\Windows\System32\sc.exe | sc stop HTTPDebuggerPro | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1 | |
| C:\Windows\System32\sc.exe | sc stop HTTPDebuggerProSdk | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 | |
| C:\Windows\System32\sc.exe | sc stop HTTPDebuggerPro | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1 | |
| C:\Windows\System32\sc.exe | sc stop HTTPDebuggerProSdk | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 | |
| C:\Windows\System32\sc.exe | sc stop HTTPDebuggerPro | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1 | |
| C:\Windows\System32\sc.exe | sc stop HTTPDebuggerProSdk | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 | |
| C:\Windows\System32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 6580 -s 1004 | |
URLs

| Name | IP | Malicious |
|---|---|---|
| http://upx.sf.net | unknown | |
| http://185.101.104.122/aimhvcibronkzops.exe | unknown | |
| https://keyauth.win/api/1.1/ace | unknown | |
| http://185.101.104.122/aimhvciforabronkz.exeC: | unknown | |
| https://keyauth.win/api/1.2/s | unknown | |
| http://185.101.104.122/aimhvciforabronkz.exe | unknown | |
| https://curl.haxx.se/docs/http-cookies.html | unknown | |
| https://curl.haxx.se/docs/http-cookies.html# | unknown | |
| https://keyauth.win/api/1.1/ce | unknown | |
| https://keyauth.win/api/1.2/ | unknown | |
| https://keyauth.win/api/1.1/ | 104.26.1.5 | |
| http://185.101.104.122/aimhvcibronkzops.exeC: | unknown | |
Domains

| Name | IP | Malicious |
|---|---|---|
| keyauth.win | 104.26.1.5 | |
IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 104.26.1.5 | keyauth.win | United States | |
| 127.0.0.1 | unknown | unknown | |
Registry

| Path | Value | Malicious |
|---|---|---|
| \REGISTRY\A\{6747adb6-5cee-5536-57bc-9ffdfecfb01a}\Root\InventoryApplicationFile\g9e272aeyo.exe\|1bc11a7b86afb75e | ProgramId | |
| \REGISTRY\A\{6747adb6-5cee-5536-57bc-9ffdfecfb01a}\Root\InventoryApplicationFile\g9e272aeyo.exe\|1bc11a7b86afb75e | FileId | |
| \REGISTRY\A\{6747adb6-5cee-5536-57bc-9ffdfecfb01a}\Root\InventoryApplicationFile\g9e272aeyo.exe\|1bc11a7b86afb75e | LowerCaseLongPath | |
| \REGISTRY\A\{6747adb6-5cee-5536-57bc-9ffdfecfb01a}\Root\InventoryApplicationFile\g9e272aeyo.exe\|1bc11a7b86afb75e | LongPathHash | |
| \REGISTRY\A\{6747adb6-5cee-5536-57bc-9ffdfecfb01a}\Root\InventoryApplicationFile\g9e272aeyo.exe\|1bc11a7b86afb75e | Name | |
| \REGISTRY\A\{6747adb6-5cee-5536-57bc-9ffdfecfb01a}\Root\InventoryApplicationFile\g9e272aeyo.exe\|1bc11a7b86afb75e | OriginalFileName | |
| \REGISTRY\A\{6747adb6-5cee-5536-57bc-9ffdfecfb01a}\Root\InventoryApplicationFile\g9e272aeyo.exe\|1bc11a7b86afb75e | Publisher | |
| \REGISTRY\A\{6747adb6-5cee-5536-57bc-9ffdfecfb01a}\Root\InventoryApplicationFile\g9e272aeyo.exe\|1bc11a7b86afb75e | Version | |
| \REGISTRY\A\{6747adb6-5cee-5536-57bc-9ffdfecfb01a}\Root\InventoryApplicationFile\g9e272aeyo.exe\|1bc11a7b86afb75e | BinFileVersion | |
| \REGISTRY\A\{6747adb6-5cee-5536-57bc-9ffdfecfb01a}\Root\InventoryApplicationFile\g9e272aeyo.exe\|1bc11a7b86afb75e | BinaryType | |
| \REGISTRY\A\{6747adb6-5cee-5536-57bc-9ffdfecfb01a}\Root\InventoryApplicationFile\g9e272aeyo.exe\|1bc11a7b86afb75e | ProductName | |
| \REGISTRY\A\{6747adb6-5cee-5536-57bc-9ffdfecfb01a}\Root\InventoryApplicationFile\g9e272aeyo.exe\|1bc11a7b86afb75e | ProductVersion | |
| \REGISTRY\A\{6747adb6-5cee-5536-57bc-9ffdfecfb01a}\Root\InventoryApplicationFile\g9e272aeyo.exe\|1bc11a7b86afb75e | LinkDate | |
| \REGISTRY\A\{6747adb6-5cee-5536-57bc-9ffdfecfb01a}\Root\InventoryApplicationFile\g9e272aeyo.exe\|1bc11a7b86afb75e | BinProductVersion | |
| \REGISTRY\A\{6747adb6-5cee-5536-57bc-9ffdfecfb01a}\Root\InventoryApplicationFile\g9e272aeyo.exe\|1bc11a7b86afb75e | AppxPackageFullName | |
| \REGISTRY\A\{6747adb6-5cee-5536-57bc-9ffdfecfb01a}\Root\InventoryApplicationFile\g9e272aeyo.exe\|1bc11a7b86afb75e | AppxPackageRelativeId | |
| \REGISTRY\A\{6747adb6-5cee-5536-57bc-9ffdfecfb01a}\Root\InventoryApplicationFile\g9e272aeyo.exe\|1bc11a7b86afb75e | Size | |
| \REGISTRY\A\{6747adb6-5cee-5536-57bc-9ffdfecfb01a}\Root\InventoryApplicationFile\g9e272aeyo.exe\|1bc11a7b86afb75e | Language | |
| \REGISTRY\A\{6747adb6-5cee-5536-57bc-9ffdfecfb01a}\Root\InventoryApplicationFile\g9e272aeyo.exe\|1bc11a7b86afb75e | Usn | |
Memdumps