IOC Report
is65NMeWkV.exe


Files

File Path | Type | Category | Malicious
is65NMeWkV.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_is65NMeWkV.exe_e78efff241704b9fd5957bfe9487f9d517df_310101f6_2347bed7-3964-4883-856a-43aa24a4bfda\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | malicious
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE0C6.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Oct 24 13:57:02 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE1D1.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE1F1.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped |

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\is65NMeWkV.exe | "C:\Users\user\Desktop\is65NMeWkV.exe" | malicious
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 1220 |

URLs

Name | IP | Malicious
http://109.107.157.208/49aaa1bd4c594849.php | 109.107.157.208 | malicious
http://109.107.157.208/ | 109.107.157.208 | malicious
http://109.107.157.208 | unknown | malicious
http://109.107.157.208/49aaa1bd4c594849.php/ | unknown |
http://upx.sf.net | unknown |
http://109.107.157.208/49aaa1bd4c594849.php(K | unknown |
http://109.107.157.208/ws | unknown |
http://109.107.157.208/49aaa1bd4c594849.phplK | unknown |

IPs

IP | Domain | Country | Malicious
109.107.157.208 | unknown | unknown | malicious

Registry

Path / Values / Malicious (no registry entry in this report is flagged malicious)

Path: \REGISTRY\A\{fb608377-006b-5fe6-39eb-c14db2ece245}\Root\InventoryApplicationFile\is65nmewkv.exe|b3791a19160f17e6
Values: ProgramId, FileId, LowerCaseLongPath, LongPathHash, Name, OriginalFileName, Publisher, Version, BinFileVersion, BinaryType, ProductName, ProductVersion, LinkDate, BinProductVersion, AppxPackageFullName, AppxPackageRelativeId, Size, Language, Usn

Path: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
Values: ClockTimeSeconds, TickCount

11 further registry entries are not shown in this report.

Memdumps

Base Address | Region type | Protect | Malicious
400000 | unknown | page execute and read and write | malicious
2350000 | direct allocation | page read and write | malicious
86E000 | heap | page read and write | malicious
2300000 | direct allocation | page execute and read and write | malicious
401000 | unknown | page execute read |
86A000 | heap | page read and write |
9C000 | stack | page read and write |
23BE000 | stack | page read and write |
65C000 | unknown | page execute and read and write |
2360000 | heap | page read and write |
268E000 | stack | page read and write |
24FF000 | stack | page read and write |
19E000 | stack | page read and write |
1AA4E000 | stack | page read and write |
65F000 | unknown | page readonly |
449000 | unknown | page write copy |
860000 | heap | page read and write |
79E000 | stack | page read and write |
2540000 | heap | page read and write |
264F000 | stack | page read and write |
23F0000 | heap | page read and write |
41C000 | unknown | page execute read |
8BC000 | heap | page read and write |
1A7CF000 | stack | page read and write |
7F0000 | direct allocation | page execute and read and write |
1A90E000 | stack | page read and write |
A5F000 | stack | page read and write |
2543000 | heap | page read and write |
8D1000 | heap | page read and write |
194000 | stack | page read and write |
1A8CF000 | stack | page read and write |
45B000 | unknown | page readonly |
1E5000 | heap | page read and write |
B5F000 | stack | page read and write |
1AB4D000 | stack | page read and write |
750000 | heap | page read and write |
26CE000 | stack | page read and write |
1AA0E000 | stack | page read and write |
4BD000 | unknown | page execute and read and write |
26F0000 | heap | page read and write |
64A000 | unknown | page execute and read and write |
400000 | unknown | page readonly |
8B2000 | heap | page read and write |
1E0000 | heap | page read and write |
4B1000 | unknown | page execute and read and write |
670000 | heap | page read and write |
7DE000 | stack | page read and write |
253E000 | stack | page read and write |
4E2000 | unknown | page execute and read and write |

39 further memdumps are not shown in this report.