Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
xQXHoWMKoa.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
initial sample
|
 |
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xQXHoWMKoa.exe_68a8f9de9bf6d6157d3cafcf5c5a1acbef520ae_fef8e22e_0bdc8d69-8e2d-4916-98f4-e240f78a9879\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xQXHoWMKoa.exe_68a8f9de9bf6d6157d3cafcf5c5a1acbef520ae_fef8e22e_6e2e51db-5a06-4548-9b3d-af2c418b903c\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xQXHoWMKoa.exe_68a8f9de9bf6d6157d3cafcf5c5a1acbef520ae_fef8e22e_74f6d4fe-d78d-47bf-aecf-6d5b1c3ba39f\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xQXHoWMKoa.exe_68a8f9de9bf6d6157d3cafcf5c5a1acbef520ae_fef8e22e_7dcbb10b-df83-4e6f-9b63-5201c606b345\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xQXHoWMKoa.exe_68a8f9de9bf6d6157d3cafcf5c5a1acbef520ae_fef8e22e_90fd96f2-59eb-4ce6-9d1e-de15edba0462\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xQXHoWMKoa.exe_68a8f9de9bf6d6157d3cafcf5c5a1acbef520ae_fef8e22e_e011f5d0-3b05-4084-9882-970e4d430110\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xQXHoWMKoa.exe_68a8f9de9bf6d6157d3cafcf5c5a1acbef520ae_fef8e22e_fec04291-1d36-471c-9fcc-58b35baad30b\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD0EE.tmp.dmp
|
Mini DuMP crash report, 14 streams, Fri Apr 19 17:24:52 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD1E9.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD267.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD5B1.tmp.dmp
|
Mini DuMP crash report, 14 streams, Fri Apr 19 17:24:53 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD60F.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD630.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD822.tmp.dmp
|
Mini DuMP crash report, 14 streams, Fri Apr 19 17:24:54 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD8AF.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD8DF.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDAF0.tmp.dmp
|
Mini DuMP crash report, 14 streams, Fri Apr 19 17:24:55 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB5F.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB8F.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE1D.tmp.dmp
|
Mini DuMP crash report, 14 streams, Fri Apr 19 17:24:55 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDED9.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDF09.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE10B.tmp.dmp
|
Mini DuMP crash report, 14 streams, Fri Apr 19 17:24:56 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE1A8.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE1D8.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREB0D.tmp.dmp
|
Mini DuMP crash report, 14 streams, Fri Apr 19 17:24:59 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREB9B.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREBBB.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ping[1].htm
|
very short file (no magic)
|
dropped
|
||
|
C:\Windows\appcompat\Programs\Amcache.hve
|
MS Windows registry file, NT/2000 or above
|
dropped
|
There are 21 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Users\user\Desktop\xQXHoWMKoa.exe
|
"C:\Users\user\Desktop\xQXHoWMKoa.exe"
|
|
|
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 732
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 752
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 768
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 780
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 920
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 1020
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 1364
|
||
|
C:\Windows\SysWOW64\cmd.exe
|
"C:\Windows\System32\cmd.exe" /c taskkill /im "xQXHoWMKoa.exe" /f & erase "C:\Users\user\Desktop\xQXHoWMKoa.exe" & exit
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\SysWOW64\taskkill.exe
|
taskkill /im "xQXHoWMKoa.exe" /f
|
There are 1 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://185.172.128.90/cpa/ping.php?substr=one&s=two
|
185.172.128.90
|
|
|
|
http://upx.sf.net
|
unknown
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
bg.microsoft.map.fastly.net
|
199.232.214.172
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
185.172.128.90
|
unknown
|
Russian Federation
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
\REGISTRY\A\{ca7bb6b3-4bb0-d161-4a4c-663be7d8ac15}\Root\InventoryApplicationFile\xqxhowmkoa.exe|fdb94d2b70b2c1e7
|
ProgramId
|
||
|
\REGISTRY\A\{ca7bb6b3-4bb0-d161-4a4c-663be7d8ac15}\Root\InventoryApplicationFile\xqxhowmkoa.exe|fdb94d2b70b2c1e7
|
FileId
|
||
|
\REGISTRY\A\{ca7bb6b3-4bb0-d161-4a4c-663be7d8ac15}\Root\InventoryApplicationFile\xqxhowmkoa.exe|fdb94d2b70b2c1e7
|
LowerCaseLongPath
|
||
|
\REGISTRY\A\{ca7bb6b3-4bb0-d161-4a4c-663be7d8ac15}\Root\InventoryApplicationFile\xqxhowmkoa.exe|fdb94d2b70b2c1e7
|
LongPathHash
|
||
|
\REGISTRY\A\{ca7bb6b3-4bb0-d161-4a4c-663be7d8ac15}\Root\InventoryApplicationFile\xqxhowmkoa.exe|fdb94d2b70b2c1e7
|
Name
|
||
|
\REGISTRY\A\{ca7bb6b3-4bb0-d161-4a4c-663be7d8ac15}\Root\InventoryApplicationFile\xqxhowmkoa.exe|fdb94d2b70b2c1e7
|
OriginalFileName
|
||
|
\REGISTRY\A\{ca7bb6b3-4bb0-d161-4a4c-663be7d8ac15}\Root\InventoryApplicationFile\xqxhowmkoa.exe|fdb94d2b70b2c1e7
|
Publisher
|
||
|
\REGISTRY\A\{ca7bb6b3-4bb0-d161-4a4c-663be7d8ac15}\Root\InventoryApplicationFile\xqxhowmkoa.exe|fdb94d2b70b2c1e7
|
Version
|
||
|
\REGISTRY\A\{ca7bb6b3-4bb0-d161-4a4c-663be7d8ac15}\Root\InventoryApplicationFile\xqxhowmkoa.exe|fdb94d2b70b2c1e7
|
BinFileVersion
|
||
|
\REGISTRY\A\{ca7bb6b3-4bb0-d161-4a4c-663be7d8ac15}\Root\InventoryApplicationFile\xqxhowmkoa.exe|fdb94d2b70b2c1e7
|
BinaryType
|
||
|
\REGISTRY\A\{ca7bb6b3-4bb0-d161-4a4c-663be7d8ac15}\Root\InventoryApplicationFile\xqxhowmkoa.exe|fdb94d2b70b2c1e7
|
ProductName
|
||
|
\REGISTRY\A\{ca7bb6b3-4bb0-d161-4a4c-663be7d8ac15}\Root\InventoryApplicationFile\xqxhowmkoa.exe|fdb94d2b70b2c1e7
|
ProductVersion
|
||
|
\REGISTRY\A\{ca7bb6b3-4bb0-d161-4a4c-663be7d8ac15}\Root\InventoryApplicationFile\xqxhowmkoa.exe|fdb94d2b70b2c1e7
|
LinkDate
|
||
|
\REGISTRY\A\{ca7bb6b3-4bb0-d161-4a4c-663be7d8ac15}\Root\InventoryApplicationFile\xqxhowmkoa.exe|fdb94d2b70b2c1e7
|
BinProductVersion
|
||
|
\REGISTRY\A\{ca7bb6b3-4bb0-d161-4a4c-663be7d8ac15}\Root\InventoryApplicationFile\xqxhowmkoa.exe|fdb94d2b70b2c1e7
|
AppxPackageFullName
|
||
|
\REGISTRY\A\{ca7bb6b3-4bb0-d161-4a4c-663be7d8ac15}\Root\InventoryApplicationFile\xqxhowmkoa.exe|fdb94d2b70b2c1e7
|
AppxPackageRelativeId
|
||
|
\REGISTRY\A\{ca7bb6b3-4bb0-d161-4a4c-663be7d8ac15}\Root\InventoryApplicationFile\xqxhowmkoa.exe|fdb94d2b70b2c1e7
|
Size
|
||
|
\REGISTRY\A\{ca7bb6b3-4bb0-d161-4a4c-663be7d8ac15}\Root\InventoryApplicationFile\xqxhowmkoa.exe|fdb94d2b70b2c1e7
|
Language
|
||
|
\REGISTRY\A\{ca7bb6b3-4bb0-d161-4a4c-663be7d8ac15}\Root\InventoryApplicationFile\xqxhowmkoa.exe|fdb94d2b70b2c1e7
|
Usn
|
There are 9 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
3640000
|
direct allocation
|
page execute and read and write
|
|
|
|
400000
|
unkown
|
page execute and read and write
|
|
|
|
3670000
|
direct allocation
|
page read and write
|
|
|
|
36FD000
|
stack
|
page read and write
|
||
|
1C6A000
|
heap
|
page read and write
|
||
|
42F000
|
unkown
|
page write copy
|
||
|
1C60000
|
heap
|
page read and write
|
||
|
1C9A000
|
heap
|
page read and write
|
||
|
3750000
|
heap
|
page read and write
|
||
|
1A11000
|
unkown
|
page readonly
|
||
|
1F0000
|
heap
|
page read and write
|
||
|
2CA2000
|
heap
|
page read and write
|
||
|
4430000
|
heap
|
page read and write
|
||
|
2B7D000
|
stack
|
page read and write
|
||
|
442C000
|
stack
|
page read and write
|
||
|
2C80000
|
heap
|
page read and write
|
||
|
1A11000
|
unkown
|
page readonly
|
||
|
1B00000
|
heap
|
page read and write
|
||
|
1D37000
|
heap
|
page read and write
|
||
|
1AF5000
|
heap
|
page read and write
|
||
|
36A0000
|
heap
|
page read and write
|
||
|
401000
|
unkown
|
page execute read
|
||
|
41B000
|
unkown
|
page readonly
|
||
|
420B000
|
heap
|
page read and write
|
||
|
2F4F000
|
unkown
|
page read and write
|
||
|
41FE000
|
stack
|
page read and write
|
||
|
4219000
|
heap
|
page read and write
|
||
|
353E000
|
stack
|
page read and write
|
||
|
2C3E000
|
unkown
|
page read and write
|
||
|
373D000
|
stack
|
page read and write
|
||
|
1AF0000
|
heap
|
page read and write
|
||
|
9B000
|
stack
|
page read and write
|
||
|
1A10000
|
unkown
|
page read and write
|
||
|
1C4F000
|
stack
|
page read and write
|
||
|
3780000
|
heap
|
page read and write
|
||
|
2BE0000
|
heap
|
page read and write
|
||
|
2CA3000
|
heap
|
page read and write
|
||
|
3D0D000
|
stack
|
page read and write
|
||
|
3CCE000
|
stack
|
page read and write
|
||
|
4214000
|
heap
|
page read and write
|
||
|
2CA5000
|
heap
|
page read and write
|
||
|
400000
|
unkown
|
page readonly
|
||
|
363F000
|
stack
|
page read and write
|
||
|
2FF0000
|
heap
|
page read and write
|
||
|
3F9D000
|
stack
|
page read and write
|
||
|
19A000
|
stack
|
page read and write
|
||
|
2C40000
|
heap
|
page read and write
|
||
|
30FF000
|
stack
|
page read and write
|
||
|
3F5E000
|
stack
|
page read and write
|
||
|
1D48000
|
heap
|
page read and write
|
||
|
40FD000
|
stack
|
page read and write
|
||
|
448000
|
unkown
|
page read and write
|
||
|
409B000
|
stack
|
page read and write
|
||
|
1C7E000
|
heap
|
page execute and read and write
|
||
|
3100000
|
heap
|
page read and write
|
||
|
2F8E000
|
stack
|
page read and write
|
||
|
4202000
|
heap
|
page read and write
|
||
|
426000
|
unkown
|
page write copy
|
||
|
1C6E000
|
heap
|
page read and write
|
||
|
2A7D000
|
stack
|
page read and write
|
||
|
2BF0000
|
heap
|
page read and write
|
||
|
1D1D000
|
heap
|
page read and write
|
||
|
3E5D000
|
stack
|
page read and write
|
||
|
1B4E000
|
stack
|
page read and write
|
||
|
2C8C000
|
heap
|
page read and write
|
||
|
3BCE000
|
stack
|
page read and write
|
||
|
42C000
|
unkown
|
page write copy
|
||
|
3E0E000
|
stack
|
page read and write
|
||
|
2FF2000
|
heap
|
page read and write
|
||
|
45DC000
|
stack
|
page read and write
|
There are 60 hidden memdumps, click here to show them.