IOC Report
SY5DeZW6pz.exe


Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| SY5DeZW6pz.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious |
| C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe | MS-DOS executable | dropped | malicious |
| C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SY5DeZW6pz.exe_5a1e64436764aeb06a12223e505a1adc0f838d9_cfc0479b_04a1246b\Report.wer | Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\vSQshX.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_vSQshX.exe_e41397ed243f95936a1fabef5fb2c6d1bf7554_3e01cb5b_16a9314c\Report.wer | Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER182.tmp.dmp | Mini DuMP crash report, 14 streams, Wed Aug 31 21:41:32 2022, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER1EED.tmp.dmp | Mini DuMP crash report, 15 streams, Wed Aug 31 21:41:40 2022, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER26BE.tmp.WERInternalMetadata.xml | XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER2855.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER6F2.tmp.WERInternalMetadata.xml | XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER8E7.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\k1[1].rar | ASCII text | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\k2[1].rar | ASCII text | dropped | |
| C:\Users\user\AppData\Local\Temp\584026FF.exe | ASCII text | modified | |
| C:\Users\user\AppData\Local\Temp\7830502D.exe | ASCII text | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\bc49718863ee53e026d805ec372039e9_d06ed635-68f6-4e9a-955c-4899f5f57b9a | data | dropped | |
| C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped | |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\SY5DeZW6pz.exe | "C:\Users\user\Desktop\SY5DeZW6pz.exe" | malicious |
| C:\Users\user\AppData\Local\Temp\vSQshX.exe | C:\Users\user\AppData\Local\Temp\vSQshX.exe | malicious |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 532 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 1432 | |

URLs

| Name | IP | Malicious |
|---|---|---|
| http://ddos.dnsnb8.net:799/cj//k3.rar% | unknown | malicious |
| http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b | unknown | malicious |
| http://ddos.dnsnb8.net:799/cj//k3.rar | unknown | malicious |
| http://ddos.dnsnb8.net:799/cj//k2.rar% | unknown | malicious |
| http://ddos.dnsnb8.net:799/cj//k2.rar | 63.251.106.25 | malicious |
| http://ddos.dnsnb8.net/& | unknown | malicious |
| http://ddos.dnsnb8.net:799/cj//k1.rar | 63.251.106.25 | malicious |
| http://www.activestate.com | unknown | |
| http://www.develop.comYann | unknown | |
| http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE | unknown | |
| http://www.baanboard.comPraveen | unknown | |
| http://upx.sf.net | unknown | |
| http://www.rftp.com | unknown | |
| https://www.torproject.org/ | unknown | |
| http://www.scintilla.org | unknown | |
| http://www.activestate.comJames | unknown | |
| http://www.develop.com | unknown | |
| http://www.lua.org | unknown | |
| http://www.spaceblue.comDenis | unknown | |
| http://www.spaceblue.com | unknown | |
| http://www.rftp.comSteve | unknown | |
| http://www.baanboard.com | unknown | |
| http://www.scintila.org/scite.rng | unknown | |
| http://www.autoitscript.com/autoit3/scite | unknown | |
| https://tox.chat/download.html | unknown | |

Domains

| Name | IP | Malicious |
|---|---|---|
| ddos.dnsnb8.net | 63.251.106.25 | malicious |

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 63.251.106.25 | ddos.dnsnb8.net | United States | malicious |
| 192.168.2.1 | unknown | unknown | |

Registry

| Path | Value | Malicious |
|---|---|---|
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags | AmiHivePermissionsCorrect | |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags | AmiHiveOwnerCorrect | |
| \REGISTRY\A\{8778895a-662c-2c43-e801-8c46cd5867ed}\Root\InventoryApplicationFile\sy5dezw6pz.exe\|c5f0e3c3 | ProgramId | |
| \REGISTRY\A\{8778895a-662c-2c43-e801-8c46cd5867ed}\Root\InventoryApplicationFile\sy5dezw6pz.exe\|c5f0e3c3 | FileId | |
| \REGISTRY\A\{8778895a-662c-2c43-e801-8c46cd5867ed}\Root\InventoryApplicationFile\sy5dezw6pz.exe\|c5f0e3c3 | LowerCaseLongPath | |
| \REGISTRY\A\{8778895a-662c-2c43-e801-8c46cd5867ed}\Root\InventoryApplicationFile\sy5dezw6pz.exe\|c5f0e3c3 | LongPathHash | |
| \REGISTRY\A\{8778895a-662c-2c43-e801-8c46cd5867ed}\Root\InventoryApplicationFile\sy5dezw6pz.exe\|c5f0e3c3 | Name | |
| \REGISTRY\A\{8778895a-662c-2c43-e801-8c46cd5867ed}\Root\InventoryApplicationFile\sy5dezw6pz.exe\|c5f0e3c3 | Publisher | |
| \REGISTRY\A\{8778895a-662c-2c43-e801-8c46cd5867ed}\Root\InventoryApplicationFile\sy5dezw6pz.exe\|c5f0e3c3 | Version | |
| \REGISTRY\A\{8778895a-662c-2c43-e801-8c46cd5867ed}\Root\InventoryApplicationFile\sy5dezw6pz.exe\|c5f0e3c3 | BinFileVersion | |
| \REGISTRY\A\{8778895a-662c-2c43-e801-8c46cd5867ed}\Root\InventoryApplicationFile\sy5dezw6pz.exe\|c5f0e3c3 | BinaryType | |
| \REGISTRY\A\{8778895a-662c-2c43-e801-8c46cd5867ed}\Root\InventoryApplicationFile\sy5dezw6pz.exe\|c5f0e3c3 | ProductName | |
| \REGISTRY\A\{8778895a-662c-2c43-e801-8c46cd5867ed}\Root\InventoryApplicationFile\sy5dezw6pz.exe\|c5f0e3c3 | ProductVersion | |
| \REGISTRY\A\{8778895a-662c-2c43-e801-8c46cd5867ed}\Root\InventoryApplicationFile\sy5dezw6pz.exe\|c5f0e3c3 | LinkDate | |
| \REGISTRY\A\{8778895a-662c-2c43-e801-8c46cd5867ed}\Root\InventoryApplicationFile\sy5dezw6pz.exe\|c5f0e3c3 | BinProductVersion | |
| \REGISTRY\A\{8778895a-662c-2c43-e801-8c46cd5867ed}\Root\InventoryApplicationFile\sy5dezw6pz.exe\|c5f0e3c3 | Size | |
| \REGISTRY\A\{8778895a-662c-2c43-e801-8c46cd5867ed}\Root\InventoryApplicationFile\sy5dezw6pz.exe\|c5f0e3c3 | Language | |
| \REGISTRY\A\{8778895a-662c-2c43-e801-8c46cd5867ed}\Root\InventoryApplicationFile\sy5dezw6pz.exe\|c5f0e3c3 | IsPeFile | |
| \REGISTRY\A\{8778895a-662c-2c43-e801-8c46cd5867ed}\Root\InventoryApplicationFile\sy5dezw6pz.exe\|c5f0e3c3 | IsOsComponent | |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\Debug | ExceptionRecord | |
| HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | DeviceTicket | |
| HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | DeviceId | |
| HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | ApplicationFlags | |
| HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Property | 00184006417502B9 | |
| \REGISTRY\A\{8778895a-662c-2c43-e801-8c46cd5867ed}\Root\InventoryApplicationFile\vsqshx.exe\|7df02bf0 | ProgramId | |
| \REGISTRY\A\{8778895a-662c-2c43-e801-8c46cd5867ed}\Root\InventoryApplicationFile\vsqshx.exe\|7df02bf0 | FileId | |