Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| bC7vK74a5a.exe | PE32+ executable (console) x86-64, for MS Windows | initial sample | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bC7vK74a5a.exe_3d1df02cfb4a4a20b131a6e5094572abda3813_f313f8e1_86d6d614-7dbd-4c82-b5d8-5051dfa7ebd8\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER6E54.tmp.dmp | Mini DuMP crash report, 14 streams, Sun Oct 20 19:28:31 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER6F4F.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER6F8E.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped | |
| \Device\Null | ASCII text, with CRLF line terminators | dropped | |

An empty Malicious cell means the sandbox did not flag the entry; that holds for every table on this page. Only the first row is something the sample itself brought. The Report.wer, minidump and WERInternalMetadata files are written by Windows Error Reporting when a process crashes (the WerFault.exe command lines in the Processes table below handle that crash, and the AppCrash report name identifies bC7vK74a5a.exe as the crashed application); Amcache.hve is updated by the OS whenever a new executable runs (the Registry table shows the resulting InventoryApplicationFile entry); and the \Device\Null "file" is the `>nul 2>&1` redirection in the sample's cmd.exe command lines. The minidump timestamp (Sun Oct 20 19:28:31 2024) dates the crash within the run.
Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\bC7vK74a5a.exe | `"C:\Users\user\Desktop\bC7vK74a5a.exe"` | |
| C:\Windows\System32\cmd.exe | `C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1` | |
| C:\Windows\System32\taskkill.exe | `taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T` | |
| C:\Windows\System32\cmd.exe | `C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1` | |
| C:\Windows\System32\taskkill.exe | `taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T` | |
| C:\Windows\System32\cmd.exe | `C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1` | |
| C:\Windows\System32\taskkill.exe | `taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T` | |
| C:\Windows\System32\cmd.exe | `C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1` | |
| C:\Windows\System32\cmd.exe | `C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1` | |
| C:\Windows\System32\cmd.exe | `C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1` | |
| C:\Windows\System32\cmd.exe | `C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1` | |
| C:\Windows\System32\taskkill.exe | `taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T` | |
| C:\Windows\System32\cmd.exe | `C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1` | |
| C:\Windows\System32\taskkill.exe | `taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T` | |
| C:\Windows\System32\cmd.exe | `C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1` | |
| C:\Windows\System32\taskkill.exe | `taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T` | |
| C:\Windows\System32\cmd.exe | `C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1` | |
| C:\Windows\System32\cmd.exe | `C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1` | |
| C:\Windows\System32\cmd.exe | `C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1` | |
| C:\Windows\System32\cmd.exe | `C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1` | |
| C:\Windows\System32\taskkill.exe | `taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T` | |
| C:\Windows\System32\cmd.exe | `C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1` | |
| C:\Windows\System32\taskkill.exe | `taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T` | |
| C:\Windows\System32\cmd.exe | `C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1` | |
| C:\Windows\System32\taskkill.exe | `taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T` | |
| C:\Windows\System32\cmd.exe | `C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1` | |
| C:\Windows\System32\cmd.exe | `C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1` | |
| C:\Windows\System32\cmd.exe | `C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1` | |
| C:\Windows\System32\conhost.exe | `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` | |
| C:\Windows\System32\sc.exe | `sc stop HTTPDebuggerPro` | |
| C:\Windows\System32\sc.exe | `sc stop HTTPDebuggerProSdk` | |
| C:\Windows\System32\sc.exe | `sc stop HTTPDebuggerPro` | |
| C:\Windows\System32\sc.exe | `sc stop HTTPDebuggerProSdk` | |
| C:\Windows\System32\sc.exe | `sc stop HTTPDebuggerPro` | |
| C:\Windows\System32\sc.exe | `sc stop HTTPDebuggerProSdk` | |
| C:\Windows\System32\WerFault.exe | `C:\Windows\system32\WerFault.exe -pss -s 460 -p 5544 -ip 5544` | |
| C:\Windows\System32\WerFault.exe | `C:\Windows\system32\WerFault.exe -u -p 5544 -s 996` | |

The original report lists 27 further processes that are hidden in this extract.

Reading the table: the sample launches `cmd.exe /c` wrappers, and every taskkill.exe and sc.exe row is the child of one of those wrappers (the flattened table lists the sc.exe children together near the end). The six-command sequence is issued three times in full: kill any process whose image name starts with fiddler, wireshark or httpdebugger (`/F` forces termination, `/T` includes the process tree, and `/IM *` combined with the `/FI` filter restricts the wildcard to the filtered names), stop the HTTPDebuggerPro and HTTPDebuggerProSdk services, then delete the user's IE INetCache directory. `>nul 2>&1` discards each command's output, which is why \Device\Null shows up as a dropped file above. conhost.exe is the console host Windows starts for console processes and carries no signal on its own. The two WerFault.exe lines are Windows Error Reporting handling a crash of PID 5544; the AppCrash report in the Files table names bC7vK74a5a.exe as the crashed application, so the sample appears to have crashed during the run. The net effect of the repeated sequence is to blind HTTP(S) interception and packet-capture tools before the sample's own network activity; taskkill filters on these particular image names issued from an unknown console application rarely have a legitimate explanation and are a usable detection in their own right.
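Detection logic for the command-line pattern above, written here as an added example (it is not code from the report or from the sample): it classifies process-creation events by the three techniques the table shows and aggregates them so that a cmd.exe wrapper and its taskkill/sc child are not counted twice. The event list is constructed from the table, with two extra rows marked as constructed (a benign taskkill and a `/IM` variant the sample does not use); the extra tool names procmon and x64dbg in the watch list are an assumption beyond what the report shows.

```python
import re

# Process-creation events (image path, command line) modelled on the Processes table.
# The last two rows are CONSTRUCTED controls that are not in the report: a benign
# taskkill and a variant that names the tool with /IM instead of a /FI filter.
EVENTS = [
    (r"C:\Users\user\Desktop\bC7vK74a5a.exe", r'"C:\Users\user\Desktop\bC7vK74a5a.exe"'),
    (r"C:\Windows\System32\cmd.exe", r'C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1'),
    (r"C:\Windows\System32\taskkill.exe", r'taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T'),
    (r"C:\Windows\System32\cmd.exe", r'C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1'),
    (r"C:\Windows\System32\taskkill.exe", r'taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T'),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1"),
    (r"C:\Windows\System32\sc.exe", r"sc stop HTTPDebuggerPro"),
    (r"C:\Windows\System32\cmd.exe", r'C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1'),
    (r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (r"C:\Windows\System32\taskkill.exe", r"taskkill /IM notepad.exe /F"),     # constructed, benign
    (r"C:\Windows\System32\taskkill.exe", r"taskkill /IM Wireshark.exe /F"),   # constructed variant
]

# Image-name prefixes of the tools the sample targets (from the table) plus two common
# additions (procmon, x64dbg) that are an assumption, not something the report shows.
ANALYSIS_TOOLS = ("fiddler", "wireshark", "httpdebugger", "procmon", "x64dbg")
ANALYSIS_SERVICE_PREFIXES = ("httpdebugger",)

FI_IMAGENAME = re.compile(r'/FI\s+"?IMAGENAME\s+eq\s+([^"\s]+)"?', re.I)
IM_ARG = re.compile(r'/IM\s+("?)([^"\s]+)\1', re.I)
SC_STOP = re.compile(r"\bsc(?:\.exe)?\s+stop\s+(\S+)", re.I)
RD_DIR = re.compile(r"(?:^|\s)@?(?:rd|rmdir)\s", re.I)
QUOTED_PATH = re.compile(r'"([^"]*INetCache[^"]*)"', re.I)


def taskkill_targets(cmdline):
    """Image names a taskkill line is aimed at, from /FI "IMAGENAME eq x" and from /IM x.
    The bare /IM * wildcard the sample uses is ignored: with a /FI filter it only means
    'every process the filter matches'. Names are lower-cased, stripped of a trailing
    wildcard and of .exe so fiddler*, Fiddler.exe and fiddler compare equal."""
    names = [m.group(1) for m in FI_IMAGENAME.finditer(cmdline)]
    names += [m.group(2) for m in IM_ARG.finditer(cmdline) if m.group(2) != "*"]
    return [re.sub(r"\.exe$", "", n.lower().rstrip("*")) for n in names]


def classify(image, cmdline):
    """Return (technique, detail) tuples for one process-creation event; [] if nothing matches."""
    hits = []
    low = cmdline.lower()
    if "taskkill" in low:
        for name in taskkill_targets(cmdline):
            if name.startswith(ANALYSIS_TOOLS):
                hits.append(("kill-analysis-tool", name))
    m = SC_STOP.search(cmdline)
    if m and m.group(1).lower().startswith(ANALYSIS_SERVICE_PREFIXES):
        hits.append(("stop-analysis-service", m.group(1)))
    if RD_DIR.search(cmdline) and "/s" in low and "inetcache" in low:
        p = QUOTED_PATH.search(cmdline)
        hits.append(("wipe-inetcache", p.group(1) if p else cmdline))
    return hits


def triage(events):
    """Aggregate hits per technique and count the cmd.exe wrappers separately, so a
    wrapper and the taskkill/sc child it spawns are not reported as two incidents."""
    summary, wrappers = {}, 0
    for image, cmdline in events:
        hits = classify(image, cmdline)
        if hits and image.lower().endswith("cmd.exe"):
            wrappers += 1
        for technique, detail in hits:
            summary.setdefault(technique, set()).add(detail)
    return summary, wrappers


if __name__ == "__main__":
    summary, wrappers = triage(EVENTS)
    for technique, details in sorted(summary.items()):
        print(f"{technique}: {sorted(details)}")
    print(f"cmd.exe wrappers with hits: {wrappers}")
```

On a real endpoint the same classifier runs over Sysmon Event ID 1 or Windows 4688 command lines; the wrapper count is the number to alert on, and the child rows are the corroboration. Over the full table above the six-command sequence recurs three times, so the wrapper count would be 18.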
URLs

| Name | IP | Malicious |
|---|---|---|
| http://upx.sf.net | unknown | |
| https://keyauth.win/api/1.2/EL=6 | unknown | |
| http://185.101.104.122/aimhvcibronkzops.exe | unknown | |
| https://keyauth.win/api/1.1/ace | unknown | |
| http://185.101.104.122/aimhvciforabronkz.exeC: | unknown | |
| http://185.101.104.122/aimhvciforabronkz.exe | unknown | |
| https://curl.haxx.se/docs/http-cookies.html | unknown | |
| https://curl.haxx.se/docs/http-cookies.html# | unknown | |
| https://keyauth.win/api/1.2/ | unknown | |
| https://keyauth.win/api/1.1/ | 104.26.0.5 | |
| http://185.101.104.122/aimhvcibronkzops.exeC: | unknown | |

The original report lists one further URL that is hidden in this extract.

Not every row is a network indicator. `http://upx.sf.net` is the marker string the UPX stub leaves in every UPX-packed binary, and the two `curl.haxx.se/docs/http-cookies.html` entries are the comment libcurl writes into its cookie-jar files; they say the sample is UPX-packed and links libcurl, not that it contacts those hosts. The entries ending in `C:` are string-extraction residue where the URL ran straight into the next string (a path) in the binary, and the trailing `#` is the same kind of artifact. That leaves two hosts of interest: keyauth.win, the KeyAuth application-licensing API (the only URL with a resolved IP, 104.26.0.5, consistent with the Domains and IPs tables), and 185.101.104.122, from which two executables are fetched by bare IP over plain HTTP. The IP column is "unknown" for every 185.101.104.122 URL, so this page does not show whether those downloads were actually requested during the run or only appear as strings.

Domains

| Name | IP | Malicious |
|---|---|---|
| keyauth.win | 104.26.0.5 | |

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 104.26.0.5 | keyauth.win | United States | |
| 127.0.0.1 | unknown | unknown | |

The loopback row carries no attribution on this page.
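A triage pass over the URL, Domain and IP tables above, as an added example that is not part of the report: it strips the string-extraction residue (the trailing `C:` and the dangling `#`), separates strings that a packer or library leaves in any binary from real network indicators, and emits a defanged IOC list. Treating upx.sf.net as the UPX stub marker and curl.haxx.se as the libcurl cookie-jar comment is general knowledge rather than something the page states, and the verdict labels are this example's own.

```python
import re
from urllib.parse import urlsplit

# URL strings as listed in the report's URLs table, copied verbatim including the two
# entries where the extracted string runs straight into an adjacent "C:" string.
REPORT_URLS = [
    "http://upx.sf.net",
    "https://keyauth.win/api/1.2/EL=6",
    "http://185.101.104.122/aimhvcibronkzops.exe",
    "https://keyauth.win/api/1.1/ace",
    "http://185.101.104.122/aimhvciforabronkz.exeC:",
    "http://185.101.104.122/aimhvciforabronkz.exe",
    "https://curl.haxx.se/docs/http-cookies.html",
    "https://curl.haxx.se/docs/http-cookies.html#",
    "https://keyauth.win/api/1.2/",
    "https://keyauth.win/api/1.1/",
    "http://185.101.104.122/aimhvcibronkzops.exeC:",
]

# Hosts that show up because of a packer or a linked library, not because the sample
# talks to them (general knowledge, not stated by the report).
LIBRARY_HOSTS = {
    "upx.sf.net": "UPX stub marker string, present in any UPX-packed binary",
    "curl.haxx.se": "libcurl cookie-jar header comment, present in anything linking libcurl",
}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def clean_url(raw):
    """Remove string-extraction residue: a trailing 'C:' (the next string in the binary,
    usually a drive path) and a dangling '#' fragment marker."""
    url = raw[:-2] if raw.endswith("C:") else raw
    return url.rstrip("#")


def defang(url, host):
    """Defang for safe sharing: hxxp scheme, bracketed dots in the host part only."""
    return url.replace("http", "hxxp", 1).replace(host, host.replace(".", "[.]"), 1)


def triage_url(raw):
    """Clean one URL string and attach a verdict plus the reason for it."""
    url = clean_url(raw)
    host = (urlsplit(url).hostname or "").lower()
    if host in LIBRARY_HOSTS:
        verdict, why = "library-artifact", LIBRARY_HOSTS[host]
    elif IPV4.match(host) and url.lower().endswith(".exe"):
        verdict, why = "payload-download", "executable fetched from a bare IP address"
    elif host == "keyauth.win" or host.endswith(".keyauth.win"):
        verdict, why = "licensing-api", "KeyAuth application-licensing endpoint"
    else:
        verdict, why = "review", "no rule matched"
    return {"raw": raw, "url": url, "host": host, "verdict": verdict,
            "why": why, "defanged": defang(url, host)}


def iocs(raw_urls):
    """Unique defanged hosts and URLs worth blocking or hunting on; library artifacts
    are dropped and residue-only duplicates collapse onto their clean form."""
    hosts, urls = set(), set()
    for raw in raw_urls:
        t = triage_url(raw)
        if t["verdict"] == "library-artifact":
            continue
        hosts.add(t["host"].replace(".", "[.]"))
        urls.add(t["defanged"])
    return {"hosts": sorted(hosts), "urls": sorted(urls)}


if __name__ == "__main__":
    for raw in REPORT_URLS:
        t = triage_url(raw)
        print(f"{t['verdict']:17} {t['defanged']}  ({t['why']})")
    print(iocs(REPORT_URLS))
```

The eleven raw strings collapse to six distinct URLs on two hosts. A licensing check against keyauth.win is not malicious on its own (legitimate software uses the same API), so the indicator that actually matters for blocking is the bare-IP host serving executables; the KeyAuth endpoints are useful for hunting only in combination with it.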
Registry

All 19 listed entries are values under a single key:

Path: \REGISTRY\A\{9b061f9c-7de1-58ee-188c-2c3dcaa90d5e}\Root\InventoryApplicationFile\bc7vk74a5a.exe|bf1b0c246681c10

| Value | Malicious |
|---|---|
| ProgramId | |
| FileId | |
| LowerCaseLongPath | |
| LongPathHash | |
| Name | |
| OriginalFileName | |
| Publisher | |
| Version | |
| BinFileVersion | |
| BinaryType | |
| ProductName | |
| ProductVersion | |
| LinkDate | |
| BinProductVersion | |
| AppxPackageFullName | |
| AppxPackageRelativeId | |
| Size | |
| Language | |
| Usn | |

The original report lists 9 further registry entries that are hidden in this extract.

This is not persistence. `\REGISTRY\A\{GUID}` is where Windows mounts an application hive, and `Root\InventoryApplicationFile\<name>|<hash>` is the Amcache schema, so these are the OS recording the execution of the sample in Amcache.hve (listed under Files above). The value data is not reproduced on this page, so nothing here can be lifted as an indicator; on a real host the FileId value under this key holds the file's SHA-1 (prefixed with 0000) and is the usual place to recover a hash for a binary that has since been deleted.
Memdumps

| Base Address | Regiontype | Protect | Malicious |
|---|---|---|---|
| DA3677E000 | stack | page read and write | |
| 2163A020000 | heap | page read and write | |
| 287F17B0000 | heap | page read and write | |
| 2E6661E0000 | trusted library allocation | page read and write | |
| 26ABE9D8000 | heap | page read and write | |
| 94D807F000 | stack | page read and write | |
| 2E662A80000 | heap | page read and write | |
| E70DBFF000 | stack | page read and write | |
| 287F1770000 | heap | page read and write | |
| 2E662A7B000 | heap | page read and write | |
| 273B2130000 | heap | page read and write | |
| FE0B8BD000 | stack | page read and write | |
| FE0BCFF000 | stack | page read and write | |
| 7FF6139F8000 | unknown | page write copy | |
| 2E66449B000 | heap | page read and write | |
| 2E662A69000 | heap | page read and write | |
| 2E662A90000 | heap | page read and write | |
| 26ABE9D0000 | heap | page read and write | |
| E70DAFD000 | stack | page read and write | |
| E4B0BFF000 | stack | page read and write | |
| 2E662AA3000 | heap | page read and write | |
| 26ABEB25000 | heap | page read and write | |
| 2E6643D0000 | remote allocation | page read and write | |
| 2E6644A0000 | heap | page read and write | |
| 284B3BC0000 | heap | page read and write | |
| 7FF6139F8000 | unknown | page read and write | |
| 287F17D8000 | heap | page read and write | |
| 2E662A85000 | heap | page read and write | |
| 7FF613981000 | unknown | page execute read | |
| 284B3CC0000 | heap | page read and write | |
| 284B3FC5000 | heap | page read and write | |
| 287F17D0000 | heap | page read and write | |
| 287F17A5000 | heap | page read and write | |
| 2E662A6A000 | heap | page read and write | |
| 284B3FC0000 | heap | page read and write | |
| 273B2138000 | heap | page read and write | |
| E70DCFE000 | stack | page read and write | |
| D65DD7F000 | stack | page read and write | |
| 2E6643B0000 | heap | page read and write | |
| 2E662A29000 | heap | page read and write | |
| 273B2100000 | heap | page read and write | |
| 7FF613981000 | unknown | page execute read | |
| 284B3CA0000 | heap | page read and write | |
| 2E662A20000 | heap | page read and write | |
| 26ABE9A0000 | heap | page read and write | |
| 287F17A0000 | heap | page read and write | |
| 2E0848A0000 | heap | page read and write | |
| 2E6643D0000 | remote allocation | page read and write | |
| 2E662A7A000 | heap | page read and write | |
| E70DDFF000 | stack | page read and write | |
| 2E664495000 | heap | page read and write | |
| 2E662A54000 | heap | page read and write | |
| A6FD27E000 | stack | page read and write | |
| 2E084A85000 | heap | page read and write | |
| 7FF6139E1000 | unknown | page readonly | |
| 2E0847A0000 | heap | page read and write | |
| FE0B9BF000 | stack | page read and write | |
| E70DFFF000 | stack | page read and write | |
| 21639D60000 | heap | page read and write | |
| 284B3D00000 | heap | page read and write | |
| D65D90D000 | stack | page read and write | |
| 2E662A7F000 | heap | page read and write | |
| 21639F40000 | heap | page read and write | |
| 2E0848C8000 | heap | page read and write | |
| E70D8FB000 | stack | page read and write | |
| D65DC7F000 | stack | page read and write | |
| 21639E48000 | heap | page read and write | |
| DA3687F000 | stack | page read and write | |
| 26ABE980000 | heap | page read and write | |
| 2163A025000 | heap | page read and write | |
| 26ABE8A0000 | heap | page read and write | |
| 7FF6139F9000 | unknown | page readonly | |
| 7FF6139E1000 | unknown | page readonly | |
| 2E662AAB000 | heap | page read and write | |
| 2E084880000 | heap | page read and write | |
| 273B2000000 | heap | page read and write | |
| 287F1780000 | heap | page read and write | |
| 2E662A84000 | heap | page read and write | |
| 284B3D08000 | heap | page read and write | |
| 2E662A84000 | heap | page read and write | |
| 2E662A2C000 | heap | page read and write | |
| 2E0848C0000 | heap | page read and write | |
| DA3667C000 | stack | page read and write | |
| 2E664490000 | heap | page read and write | |
| 26ABEB20000 | heap | page read and write | |
| 273B22E0000 | heap | page read and write | |
| 2E662A00000 | heap | page read and write | |
| 7FF6139F9000 | unknown | page readonly | |
| 2E662A58000 | heap | page read and write | |
| 21639E40000 | heap | page read and write | |
| E4B07AD000 | stack | page read and write | |
| 94D817E000 | stack | page read and write | |
| E70D9FE000 | stack | page read and write | |
| 2E662AAB000 | heap | page read and write | |
| 2E662A8E000 | heap | page read and write | |
| 2E662A84000 | heap | page read and write | |
| A6FD17E000 | stack | page read and write | |
| 2E662A80000 | heap | page read and write | |
| E4B0AFF000 | stack | page read and write | |
| 2E662AAB000 | heap | page read and write | |
| 2E662BF0000 | heap | page read and write | |
| 273B22E5000 | heap | page read and write | |
| 7FF613980000 | unknown | page readonly | |
| 2E084A80000 | heap | page read and write | |
| 2E662A74000 | heap | page read and write | |
| E70DEFF000 | stack | page read and write | |
| 94D7D7D000 | stack | page read and write | |
| 2E6643D0000 | remote allocation | page read and write | |
| 2E665D90000 | heap | page read and write | |
| 21639F60000 | heap | page read and write | |
| 7FF613980000 | unknown | page readonly | |
| 2E664410000 | heap | page read and write | |
| 273B20E0000 | heap | page read and write | |
| 2E662A90000 | heap | page read and write | |
| A6FD07D000 | stack | page read and write | |
| 2E665D93000 | heap | page read and write | |

The original report lists 106 further memory regions that are hidden in this extract. Region types are the sandbox's own labels (its "unkown" spelling has been corrected to "unknown" here); repeated base addresses come from different dumps of the same process.

The "unknown" rows at 7FF613980000 to 7FF6139F9000 are the sample's own loaded image, in the usual PE layout: a read-only page at the base (headers), an execute-read range starting 0x1000 above it (code), read-only ranges (read-only data), and a write-copy page at 7FF6139F8000 that also appears as read-and-write, which is what a copy-on-write data page looks like once the process has written to it. Nothing on this page is executable outside that image, so this extract shows no unpacked or injected code region even though the UPX marker string in the URLs table says the sample is packed; the UPX stub unpacks in place inside the image, so that is consistent. The three rows typed "remote allocation" at 2E6643D0000 are memory the sandbox attributes to allocation from outside the process; with WerFault.exe dumping the crashed process during the run, that should be correlated with the crash handling before it is read as injection.
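One way to put a region listing like this to use, as an added example that is not from the report: cluster the image-backed ("unknown") regions to locate the loaded image, then flag executable memory outside it, pages that are both writable and executable, and remote allocations. The rows are a subset copied from the table above; the 1F2A0000 row is constructed to show what a hit looks like and is not in the report, and the 1 MiB clustering gap is an assumption.

```python
PAGE = 0x1000

# (base, region type, protection) rows copied from the Memdumps table, with the
# sandbox's "unkown" label normalised to "unknown". The last row is CONSTRUCTED to
# show a finding; the report contains no such region.
REGIONS = [
    ("7FF613980000", "unknown", "page readonly"),
    ("7FF613981000", "unknown", "page execute read"),
    ("7FF6139E1000", "unknown", "page readonly"),
    ("7FF6139F8000", "unknown", "page write copy"),
    ("7FF6139F8000", "unknown", "page read and write"),
    ("7FF6139F9000", "unknown", "page readonly"),
    ("2E6643D0000", "remote allocation", "page read and write"),
    ("2E6661E0000", "trusted library allocation", "page read and write"),
    ("2E662A80000", "heap", "page read and write"),
    ("DA3677E000", "stack", "page read and write"),
    ("1F2A0000", "unknown", "page execute and read and write"),   # constructed
]


def parse(rows):
    """Normalise rows to (int base, type, protection) tuples, de-duplicated and sorted by address."""
    return sorted({(int(base, 16), rtype, prot) for base, rtype, prot in rows})


def find_image(regions, max_gap=1 << 20):
    """Group 'unknown' (image-backed) regions whose bases lie within max_gap of each other.
    The group that starts with a read-only page (the PE header) and contains an execute
    page is taken to be the loaded image. Returns (lo, hi) bounds, hi exclusive, or None."""
    unknown = [r for r in regions if r[1] == "unknown"]
    clusters, current = [], []
    for r in unknown:
        if current and r[0] - current[-1][0] > max_gap:
            clusters.append(current)
            current = []
        current.append(r)
    if current:
        clusters.append(current)
    for cluster in clusters:
        protections = " ".join(p for _, _, p in cluster)
        if "execute" in protections and "readonly" in cluster[0][2]:
            return cluster[0][0], cluster[-1][0] + PAGE
    return None


def flag(regions):
    """Hunting heuristics over a region list:
    - exec-outside-image: executable memory not inside the located image (unpacked or injected code)
    - rwx: a page that is both writable and executable
    - remote-allocation: memory the sandbox attributes to another process
    Returns a sorted list of (finding, base) pairs."""
    image = find_image(regions)
    findings = set()
    for base, rtype, prot in regions:
        executable, writable = "execute" in prot, "write" in prot
        inside = image is not None and image[0] <= base < image[1]
        if executable and writable:
            findings.add(("rwx", base))
        if executable and not inside:
            findings.add(("exec-outside-image", base))
        if rtype == "remote allocation":
            findings.add(("remote-allocation", base))
    return sorted(findings)


if __name__ == "__main__":
    regs = parse(REGIONS)
    lo, hi = find_image(regs)
    print(f"image: {lo:X}-{hi:X}")
    for finding, base in flag(regs):
        print(f"{finding:19} {base:X}")
```

On the report's own rows the only finding is the remote allocation, which is the expected outcome for a packer that unpacks in place; the constructed row shows the shape of the result an injected or manually mapped payload would produce.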