IOC Report
rPaymentAdvice-PDF.exe

Files

File Path | Type | Category | Malicious
rPaymentAdvice-PDF.exe | PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows | initial sample | malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rPaymentAdvice-P_7067ea40173c6bca932f69650b72adac4cc52d8_897d0994_fa2abc5b-2323-451c-b16b-90c9e3ef8be0\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER183.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1C2.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFFAD.tmp.dmp | Mini DuMP crash report, 16 streams, Tue Jun 11 17:47:10 2024, 0x1205a4 type | dropped |
C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped |

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\rPaymentAdvice-PDF.exe | "C:\Users\user\Desktop\rPaymentAdvice-PDF.exe" | malicious
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" | malicious
C:\Windows\System32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 3620 -s 1152 |

URLs

Name | IP | Malicious
http://r3.o.lencr.org0 | unknown |
http://upx.sf.net | unknown |
https://account.dyn.com/ | unknown |
http://mail.motek.ro | unknown |
http://motek.ro | unknown |
http://x1.c.lencr.org/0 | unknown |
http://x1.i.lencr.org/0 | unknown |
http://r3.i.lencr.org/0 | unknown |

Domains

Name | IP | Malicious
motek.ro | 212.146.84.76 | malicious
mail.motek.ro | unknown | malicious
bg.microsoft.map.fastly.net | 199.232.210.172 |
fp2e7a.wpc.phicdn.net | 192.229.221.95 |

IPs

IP | Domain | Country | Malicious
212.146.84.76 | motek.ro | Romania | malicious

Registry

Path: \REGISTRY\A\{d14f91d3-7955-cc26-4494-dcc74e61390d}\Root\InventoryApplicationFile\rpaymentadvice-p|2bfeb6be1cdfc83d
Values: ProgramId, FileId, LowerCaseLongPath, LongPathHash, Name, OriginalFileName, Publisher, Version, BinFileVersion, BinaryType, ProductName, ProductVersion, LinkDate, BinProductVersion, AppxPackageFullName, AppxPackageRelativeId, Size, Language, Usn
Malicious: not flagged

Path: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
Values: DeviceTicket, DeviceId, ApplicationFlags
Malicious: not flagged

Path: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property
Value: 0018000DDABBE6B3
Malicious: not flagged

Memdumps

Base Address | Regiontype | Protect | Malicious