Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| flX5YA1C09.exe | PE32+ executable (console) x86-64, for MS Windows | initial sample | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_flX5YA1C09.exe_6193f6e47d768fb07ef4e778aeb03f9f2b24ff_41b9c7aa_8ba48ea0-4bd8-4fb0-9fd2-b26a74e926a9\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERCCC0.tmp.dmp | Mini DuMP crash report, 14 streams, Sun Oct 20 19:21:16 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERCDEA.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERCE1A.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped | |
| \Device\Null | ASCII text, with CRLF line terminators | dropped | |
Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\flX5YA1C09.exe | "C:\Users\user\Desktop\flX5YA1C09.exe" | |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 | |
| C:\Windows\System32\sc.exe | sc stop HTTPDebuggerPro | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1 | |
| C:\Windows\System32\sc.exe | sc stop HTTPDebuggerProSdk | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 | |
| C:\Windows\System32\sc.exe | sc stop HTTPDebuggerPro | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1 | |
| C:\Windows\System32\sc.exe | sc stop HTTPDebuggerProSdk | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 | |
| C:\Windows\System32\sc.exe | sc stop HTTPDebuggerPro | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1 | |
| C:\Windows\System32\sc.exe | sc stop HTTPDebuggerProSdk | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 | |
| C:\Windows\System32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 1468 -s 1012 | |

26 further processes are not included in this export.
URLs

| Name | IP | Malicious |
|---|---|---|
| http://185.101.104.122/esphvciforabronkz.exe | unknown | |
| https://keyauth.win/api/1.1/ITECT | unknown | |
| http://185.101.104.122/esphvcionbronkz.exe | unknown | |
| https://keyauth.win/api/1.1/64 | unknown | |
| http://185.101.104.122/esphvcionbronkz.exeC: | unknown | |
| http://upx.sf.net | unknown | |
| https://keyauth.win/api/1.2/gramW | unknown | |
| http://185.101.104.122/esphvciforabronkz.exeC: | unknown | |
| https://keyauth.win/api/1.2/p | unknown | |
| https://curl.haxx.se/docs/http-cookies.html | unknown | |
| https://curl.haxx.se/docs/http-cookies.html# | unknown | |
| https://keyauth.win/api/1.2/ | unknown | |
| https://keyauth.win/api/1.1/ | 172.67.72.57 | |

3 further URLs are not included in this export.
Domains

| Name | IP | Malicious |
|---|---|---|
| bg.microsoft.map.fastly.net | 199.232.214.172 | |
| keyauth.win | 172.67.72.57 | |
| fp2e7a.wpc.phicdn.net | 192.229.221.95 | |
IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 172.67.72.57 | keyauth.win | United States | |
| 127.0.0.1 | unknown | unknown | |
Registry

| Path | Value | Malicious |
|---|---|---|
| \REGISTRY\A\{fea5fc09-38dc-26bd-8b8f-26fd53122052}\Root\InventoryApplicationFile\flx5ya1c09.exe\|5eda3830b3e9972b | ProgramId | |
| \REGISTRY\A\{fea5fc09-38dc-26bd-8b8f-26fd53122052}\Root\InventoryApplicationFile\flx5ya1c09.exe\|5eda3830b3e9972b | FileId | |
| \REGISTRY\A\{fea5fc09-38dc-26bd-8b8f-26fd53122052}\Root\InventoryApplicationFile\flx5ya1c09.exe\|5eda3830b3e9972b | LowerCaseLongPath | |
| \REGISTRY\A\{fea5fc09-38dc-26bd-8b8f-26fd53122052}\Root\InventoryApplicationFile\flx5ya1c09.exe\|5eda3830b3e9972b | LongPathHash | |
| \REGISTRY\A\{fea5fc09-38dc-26bd-8b8f-26fd53122052}\Root\InventoryApplicationFile\flx5ya1c09.exe\|5eda3830b3e9972b | Name | |
| \REGISTRY\A\{fea5fc09-38dc-26bd-8b8f-26fd53122052}\Root\InventoryApplicationFile\flx5ya1c09.exe\|5eda3830b3e9972b | OriginalFileName | |
| \REGISTRY\A\{fea5fc09-38dc-26bd-8b8f-26fd53122052}\Root\InventoryApplicationFile\flx5ya1c09.exe\|5eda3830b3e9972b | Publisher | |
| \REGISTRY\A\{fea5fc09-38dc-26bd-8b8f-26fd53122052}\Root\InventoryApplicationFile\flx5ya1c09.exe\|5eda3830b3e9972b | Version | |
| \REGISTRY\A\{fea5fc09-38dc-26bd-8b8f-26fd53122052}\Root\InventoryApplicationFile\flx5ya1c09.exe\|5eda3830b3e9972b | BinFileVersion | |
| \REGISTRY\A\{fea5fc09-38dc-26bd-8b8f-26fd53122052}\Root\InventoryApplicationFile\flx5ya1c09.exe\|5eda3830b3e9972b | BinaryType | |
| \REGISTRY\A\{fea5fc09-38dc-26bd-8b8f-26fd53122052}\Root\InventoryApplicationFile\flx5ya1c09.exe\|5eda3830b3e9972b | ProductName | |
| \REGISTRY\A\{fea5fc09-38dc-26bd-8b8f-26fd53122052}\Root\InventoryApplicationFile\flx5ya1c09.exe\|5eda3830b3e9972b | ProductVersion | |
| \REGISTRY\A\{fea5fc09-38dc-26bd-8b8f-26fd53122052}\Root\InventoryApplicationFile\flx5ya1c09.exe\|5eda3830b3e9972b | LinkDate | |
| \REGISTRY\A\{fea5fc09-38dc-26bd-8b8f-26fd53122052}\Root\InventoryApplicationFile\flx5ya1c09.exe\|5eda3830b3e9972b | BinProductVersion | |
| \REGISTRY\A\{fea5fc09-38dc-26bd-8b8f-26fd53122052}\Root\InventoryApplicationFile\flx5ya1c09.exe\|5eda3830b3e9972b | AppxPackageFullName | |
| \REGISTRY\A\{fea5fc09-38dc-26bd-8b8f-26fd53122052}\Root\InventoryApplicationFile\flx5ya1c09.exe\|5eda3830b3e9972b | AppxPackageRelativeId | |
| \REGISTRY\A\{fea5fc09-38dc-26bd-8b8f-26fd53122052}\Root\InventoryApplicationFile\flx5ya1c09.exe\|5eda3830b3e9972b | Size | |
| \REGISTRY\A\{fea5fc09-38dc-26bd-8b8f-26fd53122052}\Root\InventoryApplicationFile\flx5ya1c09.exe\|5eda3830b3e9972b | Language | |
| \REGISTRY\A\{fea5fc09-38dc-26bd-8b8f-26fd53122052}\Root\InventoryApplicationFile\flx5ya1c09.exe\|5eda3830b3e9972b | Usn | |

9 further registry entries are not included in this export.
Memdumps

| Base Address | Regiontype | Protect | Malicious |
|---|---|---|---|
| 1789E455000 | heap | page read and write | |
| 203BDF20000 | heap | page read and write | |
| 16082AA3000 | heap | page read and write | |
| 7FF791531000 | unkown | page execute read | |
| 16086200000 | trusted library allocation | page read and write | |
| 7FF7915A8000 | unkown | page read and write | |
| 23353CB0000 | heap | page read and write | |
| 725B37E000 | stack | page read and write | |
| 2210E9B5000 | heap | page read and write | |
| 2FDCF7F000 | stack | page read and write | |
| 166BCDE8000 | heap | page read and write | |
| 16082A78000 | heap | page read and write | |
| 16082A8E000 | heap | page read and write | |
| 1C695A49000 | heap | page read and write | |
| 16082AAB000 | heap | page read and write | |
| 160843E0000 | remote allocation | page read and write | |
| 23353BB0000 | heap | page read and write | |
| 1C695A46000 | heap | page read and write | |
| 2210E697000 | heap | page read and write | |
| 160844FB000 | heap | page read and write | |
| 4FFDEFE000 | stack | page read and write | |
| 16082A74000 | heap | page read and write | |
| 16082A59000 | heap | page read and write | |
| 16084420000 | heap | page read and write | |
| 166BD020000 | heap | page read and write | |
| 4FFDCFB000 | stack | page read and write | |
| 2210E5D0000 | heap | page read and write | |
| 203BDB88000 | heap | page read and write | |
| 2210E5C0000 | heap | page read and write | |
| 1789E1E0000 | heap | page read and write | |
| 2210E690000 | heap | page read and write | |
| F9B297F000 | stack | page read and write | |
| 16085DB3000 | heap | page read and write | |
| 16082BF0000 | heap | page read and write | |
| 160843E0000 | remote allocation | page read and write | |
| 16082A84000 | heap | page read and write | |
| 1789E200000 | heap | page read and write | |
| 7FF791530000 | unkown | page readonly | |
| FB6507C000 | stack | page read and write | |
| 203BDB30000 | heap | page read and write | |
| 16082A54000 | heap | page read and write | |
| 160844F5000 | heap | page read and write | |
| 16082A80000 | heap | page read and write | |
| FB6517E000 | stack | page read and write | |
| 16082A80000 | heap | page read and write | |
| 1789E3D0000 | heap | page read and write | |
| 725AF2D000 | stack | page read and write | |
| 2A0A57E000 | stack | page read and write | |
| 203BDF25000 | heap | page read and write | |
| 160844F0000 | heap | page read and write | |
| 166BCCF0000 | heap | page read and write | |
| F9B2A7E000 | stack | page read and write | |
| 2210E5F0000 | heap | page read and write | |
| 23353F70000 | heap | page read and write | |
| FB6527E000 | stack | page read and write | |
| 7FF791591000 | unkown | page readonly | |
| F9B29FE000 | unkown | page readonly | |
| 5AE20FE000 | stack | page read and write | |
| 1C695A40000 | heap | page read and write | |
| 7FF7915A8000 | unkown | page write copy | |
| 160843C0000 | heap | page read and write | |
| 2A0A15D000 | stack | page read and write | |
| 16082A20000 | heap | page read and write | |
| 16082A10000 | heap | page read and write | |
| 2FDCB1D000 | stack | page read and write | |
| 16085DB0000 | heap | page read and write | |
| 23353D30000 | heap | page read and write | |
| 7FF791530000 | unkown | page readonly | |
| 725B3FE000 | unkown | page readonly | |
| 1C695970000 | heap | page read and write | |
| 16082A87000 | heap | page read and write | |
| 16082AAA000 | heap | page read and write | |
| 16082A6A000 | heap | page read and write | |
| 16082A80000 | heap | page read and write | |
| 16082A6A000 | heap | page read and write | |
| 1789E209000 | heap | page read and write | |
| 4FFDDFE000 | stack | page read and write | |
| 203BDB80000 | heap | page read and write | |
| 166BCC10000 | heap | page read and write | |
| 2A0A47F000 | stack | page read and write | |
| 16082A84000 | heap | page read and write | |
| 1C6959E5000 | heap | page read and write | |
| 1C6959E0000 | heap | page read and write | |
| 5AE1CED000 | stack | page read and write | |
| F9B287D000 | stack | page read and write | |
| 4FFDFFE000 | stack | page read and write | |
| 16082A84000 | heap | page read and write | |
| 7FF7915A9000 | unkown | page readonly | |
| 166BD025000 | heap | page read and write | |
| 166BCDE0000 | heap | page read and write | |
| 16084500000 | heap | page read and write | |
| 16082AAA000 | heap | page read and write | |
| 5AE207E000 | unkown | page readonly | |
| 16082A7B000 | heap | page read and write | |
| 1789E1D0000 | heap | page read and write | |
| 23353D38000 | heap | page read and write | |
| 203BDB00000 | heap | page read and write | |
| 7FF791531000 | unkown | page execute read | |
| 2FDCE7F000 | stack | page read and write | |
| 2210E9B0000 | heap | page read and write | |
| 7FF791591000 | unkown | page readonly | |
| 5AE1DEF000 | stack | page read and write | |
| 1789E450000 | heap | page read and write | |
| 16082A2C000 | heap | page read and write | |
| 1C695990000 | heap | page read and write | |
| 166BCD10000 | heap | page read and write | |
| 4FFE0FF000 | stack | page read and write | |
| 1C695890000 | heap | page read and write | |
| 160843E0000 | remote allocation | page read and write | |
| 7FF7915A9000 | unkown | page readonly | |
| 725B27E000 | stack | page read and write | |
| 23353C90000 | heap | page read and write | |
| 4FFE1FE000 | stack | page read and write | |
| 203BDB10000 | heap | page read and write | |
| 23353F75000 | heap | page read and write | |

105 further memdumps are not included in this export.