Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
7GXKafhbnD.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
initial sample
|
 |
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_7GXKafhbnD.exe_17664c7d7e239f5f4c8c8e5e8a5c7dd6414cea4_0465960d_0aead8bd-3d69-471e-88d4-9d281264b63e\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_7GXKafhbnD.exe_17664c7d7e239f5f4c8c8e5e8a5c7dd6414cea4_0465960d_2071ee8d-b7b5-4580-802a-4d51b6c53b0d\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_7GXKafhbnD.exe_17664c7d7e239f5f4c8c8e5e8a5c7dd6414cea4_0465960d_31a3bfa8-276c-45f5-900e-ff34cdff71dc\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_7GXKafhbnD.exe_17664c7d7e239f5f4c8c8e5e8a5c7dd6414cea4_0465960d_5c5ac96f-d7e2-4949-80e3-2909ce5346b1\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_7GXKafhbnD.exe_17664c7d7e239f5f4c8c8e5e8a5c7dd6414cea4_0465960d_7f753e3f-3102-41ca-ade0-19e5c0e39648\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_7GXKafhbnD.exe_17664c7d7e239f5f4c8c8e5e8a5c7dd6414cea4_0465960d_807cc0ca-2485-4f33-9f4a-dfce8bfb587c\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_7GXKafhbnD.exe_17664c7d7e239f5f4c8c8e5e8a5c7dd6414cea4_0465960d_92628ab3-bdbe-4a55-ae04-f985aafaaeec\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_7GXKafhbnD.exe_17664c7d7e239f5f4c8c8e5e8a5c7dd6414cea4_0465960d_c878b971-1e7f-4be1-90e3-8a1ccd8f2f2c\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_7GXKafhbnD.exe_f059f8719164c84f855d378d9bb8bb5244bf721d_0465960d_2553eece-d477-4481-9dc0-ee4e029d95cd\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1064.tmp.dmp
|
Mini DuMP crash report, 14 streams, Fri Mar 29 10:16:52 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER11DC.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER11FD.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1381.tmp.dmp
|
Mini DuMP crash report, 14 streams, Fri Mar 29 10:16:52 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER13F0.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1400.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1585.tmp.dmp
|
Mini DuMP crash report, 14 streams, Fri Mar 29 10:16:53 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1613.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1652.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER17D7.tmp.dmp
|
Mini DuMP crash report, 14 streams, Fri Mar 29 10:16:53 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1835.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1856.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1A57.tmp.dmp
|
Mini DuMP crash report, 14 streams, Fri Mar 29 10:16:54 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1AC6.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1AE6.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1CB9.tmp.dmp
|
Mini DuMP crash report, 14 streams, Fri Mar 29 10:16:55 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D75.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D95.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER265D.tmp.dmp
|
Mini DuMP crash report, 14 streams, Fri Mar 29 10:16:57 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER26EB.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER270B.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER29A9.tmp.dmp
|
Mini DuMP crash report, 14 streams, Fri Mar 29 10:16:58 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B02.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B32.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDA5.tmp.dmp
|
Mini DuMP crash report, 14 streams, Fri Mar 29 10:16:51 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREB0.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERED0.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ping[1].htm
|
very short file (no magic)
|
dropped
|
||
|
C:\Windows\appcompat\Programs\Amcache.hve
|
MS Windows registry file, NT/2000 or above
|
dropped
|
There are 29 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Users\user\Desktop\7GXKafhbnD.exe
|
"C:\Users\user\Desktop\7GXKafhbnD.exe"
|
|
|
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 7392 -s 740
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 7392 -s 732
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 7392 -s 744
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 7392 -s 776
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 7392 -s 996
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 7392 -s 1016
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 7392 -s 1084
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 7392 -s 1368
|
||
|
C:\Windows\SysWOW64\cmd.exe
|
"C:\Windows\System32\cmd.exe" /c taskkill /im "7GXKafhbnD.exe" /f & erase "C:\Users\user\Desktop\7GXKafhbnD.exe" & exit
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\SysWOW64\taskkill.exe
|
taskkill /im "7GXKafhbnD.exe" /f
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 7392 -s 1324
|
There are 3 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://185.172.128.90/cpa/ping.php?substr=one&s=two
|
185.172.128.90
|
|
|
|
http://upx.sf.net
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
185.172.128.90
|
unknown
|
Russian Federation
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
\REGISTRY\A\{1195bbf6-494b-7d10-2771-e454918228fd}\Root\InventoryApplicationFile\7gxkafhbnd.exe|66db53a6ceec10ea
|
ProgramId
|
||
|
\REGISTRY\A\{1195bbf6-494b-7d10-2771-e454918228fd}\Root\InventoryApplicationFile\7gxkafhbnd.exe|66db53a6ceec10ea
|
FileId
|
||
|
\REGISTRY\A\{1195bbf6-494b-7d10-2771-e454918228fd}\Root\InventoryApplicationFile\7gxkafhbnd.exe|66db53a6ceec10ea
|
LowerCaseLongPath
|
||
|
\REGISTRY\A\{1195bbf6-494b-7d10-2771-e454918228fd}\Root\InventoryApplicationFile\7gxkafhbnd.exe|66db53a6ceec10ea
|
LongPathHash
|
||
|
\REGISTRY\A\{1195bbf6-494b-7d10-2771-e454918228fd}\Root\InventoryApplicationFile\7gxkafhbnd.exe|66db53a6ceec10ea
|
Name
|
||
|
\REGISTRY\A\{1195bbf6-494b-7d10-2771-e454918228fd}\Root\InventoryApplicationFile\7gxkafhbnd.exe|66db53a6ceec10ea
|
OriginalFileName
|
||
|
\REGISTRY\A\{1195bbf6-494b-7d10-2771-e454918228fd}\Root\InventoryApplicationFile\7gxkafhbnd.exe|66db53a6ceec10ea
|
Publisher
|
||
|
\REGISTRY\A\{1195bbf6-494b-7d10-2771-e454918228fd}\Root\InventoryApplicationFile\7gxkafhbnd.exe|66db53a6ceec10ea
|
Version
|
||
|
\REGISTRY\A\{1195bbf6-494b-7d10-2771-e454918228fd}\Root\InventoryApplicationFile\7gxkafhbnd.exe|66db53a6ceec10ea
|
BinFileVersion
|
||
|
\REGISTRY\A\{1195bbf6-494b-7d10-2771-e454918228fd}\Root\InventoryApplicationFile\7gxkafhbnd.exe|66db53a6ceec10ea
|
BinaryType
|
||
|
\REGISTRY\A\{1195bbf6-494b-7d10-2771-e454918228fd}\Root\InventoryApplicationFile\7gxkafhbnd.exe|66db53a6ceec10ea
|
ProductName
|
||
|
\REGISTRY\A\{1195bbf6-494b-7d10-2771-e454918228fd}\Root\InventoryApplicationFile\7gxkafhbnd.exe|66db53a6ceec10ea
|
ProductVersion
|
||
|
\REGISTRY\A\{1195bbf6-494b-7d10-2771-e454918228fd}\Root\InventoryApplicationFile\7gxkafhbnd.exe|66db53a6ceec10ea
|
LinkDate
|
||
|
\REGISTRY\A\{1195bbf6-494b-7d10-2771-e454918228fd}\Root\InventoryApplicationFile\7gxkafhbnd.exe|66db53a6ceec10ea
|
BinProductVersion
|
||
|
\REGISTRY\A\{1195bbf6-494b-7d10-2771-e454918228fd}\Root\InventoryApplicationFile\7gxkafhbnd.exe|66db53a6ceec10ea
|
AppxPackageFullName
|
||
|
\REGISTRY\A\{1195bbf6-494b-7d10-2771-e454918228fd}\Root\InventoryApplicationFile\7gxkafhbnd.exe|66db53a6ceec10ea
|
AppxPackageRelativeId
|
||
|
\REGISTRY\A\{1195bbf6-494b-7d10-2771-e454918228fd}\Root\InventoryApplicationFile\7gxkafhbnd.exe|66db53a6ceec10ea
|
Size
|
||
|
\REGISTRY\A\{1195bbf6-494b-7d10-2771-e454918228fd}\Root\InventoryApplicationFile\7gxkafhbnd.exe|66db53a6ceec10ea
|
Language
|
||
|
\REGISTRY\A\{1195bbf6-494b-7d10-2771-e454918228fd}\Root\InventoryApplicationFile\7gxkafhbnd.exe|66db53a6ceec10ea
|
Usn
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
|
ClockTimeSeconds
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
|
TickCount
|
There are 11 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
710000
|
direct allocation
|
page read and write
|
|
|
|
400000
|
unkown
|
page execute and read and write
|
|
|
|
6E0000
|
direct allocation
|
page execute and read and write
|
|
|
|
29DE000
|
stack
|
page read and write
|
||
|
2EB2000
|
heap
|
page read and write
|
||
|
27CF000
|
unkown
|
page read and write
|
||
|
235D000
|
stack
|
page read and write
|
||
|
22D0000
|
heap
|
page read and write
|
||
|
229D000
|
stack
|
page read and write
|
||
|
2EB6000
|
heap
|
page read and write
|
||
|
600000
|
heap
|
page read and write
|
||
|
32AC000
|
stack
|
page read and write
|
||
|
21D000
|
stack
|
page read and write
|
||
|
28DE000
|
stack
|
page read and write
|
||
|
53C000
|
unkown
|
page readonly
|
||
|
59E000
|
stack
|
page read and write
|
||
|
231D000
|
stack
|
page read and write
|
||
|
314C000
|
stack
|
page read and write
|
||
|
19A000
|
stack
|
page read and write
|
||
|
29CF000
|
stack
|
page read and write
|
||
|
400000
|
unkown
|
page readonly
|
||
|
27F3000
|
heap
|
page read and write
|
||
|
2D9D000
|
stack
|
page read and write
|
||
|
2B1D000
|
stack
|
page read and write
|
||
|
225D000
|
stack
|
page read and write
|
||
|
550000
|
heap
|
page read and write
|
||
|
97F000
|
stack
|
page read and write
|
||
|
439000
|
unkown
|
page read and write
|
||
|
78E000
|
heap
|
page read and write
|
||
|
232E000
|
unkown
|
page read and write
|
||
|
27DC000
|
heap
|
page read and write
|
||
|
83B000
|
heap
|
page read and write
|
||
|
A7E000
|
stack
|
page read and write
|
||
|
2390000
|
heap
|
page read and write
|
||
|
2EA2000
|
heap
|
page read and write
|
||
|
9B000
|
stack
|
page read and write
|
||
|
31A0000
|
heap
|
page read and write
|
||
|
730000
|
heap
|
page read and write
|
||
|
605000
|
heap
|
page read and write
|
||
|
437000
|
unkown
|
page write copy
|
||
|
27D0000
|
heap
|
page read and write
|
||
|
27DE000
|
stack
|
page read and write
|
||
|
2E9E000
|
stack
|
page read and write
|
||
|
27F5000
|
heap
|
page read and write
|
||
|
401000
|
unkown
|
page execute read
|
||
|
42F000
|
unkown
|
page readonly
|
||
|
2D5B000
|
stack
|
page read and write
|
||
|
7BB000
|
heap
|
page read and write
|
||
|
2C1E000
|
stack
|
page read and write
|
||
|
27F2000
|
heap
|
page read and write
|
||
|
5DE000
|
stack
|
page read and write
|
||
|
854000
|
heap
|
page read and write
|
||
|
411000
|
unkown
|
page readonly
|
||
|
22E0000
|
heap
|
page read and write
|
||
|
53C000
|
unkown
|
page readonly
|
||
|
760000
|
heap
|
page read and write
|
||
|
236E000
|
stack
|
page read and write
|
||
|
437000
|
unkown
|
page read and write
|
||
|
1F0000
|
heap
|
page read and write
|
||
|
780000
|
heap
|
page read and write
|
||
|
41A000
|
unkown
|
page readonly
|
||
|
2ADE000
|
stack
|
page read and write
|
||
|
23B0000
|
heap
|
page read and write
|
||
|
11D000
|
stack
|
page read and write
|
||
|
2ED1000
|
heap
|
page read and write
|
||
|
2370000
|
heap
|
page read and write
|
||
|
2ECF000
|
heap
|
page read and write
|
||
|
2B70000
|
heap
|
page read and write
|
||
|
438000
|
unkown
|
page write copy
|
||
|
867000
|
heap
|
page read and write
|
||
|
2B72000
|
heap
|
page read and write
|
||
|
79F000
|
heap
|
page execute and read and write
|
||
|
86F000
|
heap
|
page read and write
|
||
|
789000
|
heap
|
page read and write
|
||
|
2C5D000
|
stack
|
page read and write
|
There are 65 hidden memdumps, click here to show them.