Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| Wz9s7ibPaf.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wz9s7ibPaf.exe_f181a67ed63bcdd052bb3ff94add6735e2d249_0b1d89a7_0e031f6b-4428-4c4a-a405-dd5e9d062cde\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wz9s7ibPaf.exe_f181a67ed63bcdd052bb3ff94add6735e2d249_0b1d89a7_80f436c6-af69-4120-a4c7-e7d0131884fb\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wz9s7ibPaf.exe_f181a67ed63bcdd052bb3ff94add6735e2d249_0b1d89a7_bda0dbbb-a008-4244-948c-8a472dc44b70\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wz9s7ibPaf.exe_f181a67ed63bcdd052bb3ff94add6735e2d249_0b1d89a7_c4420ece-c0f0-440a-9931-8596a838f6b7\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wz9s7ibPaf.exe_f181a67ed63bcdd052bb3ff94add6735e2d249_0b1d89a7_d2d5cf9e-50f2-4b02-a216-447df7720eca\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wz9s7ibPaf.exe_f181a67ed63bcdd052bb3ff94add6735e2d249_0b1d89a7_ee114863-becb-4248-ab63-0249124ae223\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wz9s7ibPaf.exe_f181a67ed63bcdd052bb3ff94add6735e2d249_0b1d89a7_f7f4859b-76b0-4143-940d-0fbe0c9e4287\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wz9s7ibPaf.exe_f459711f485bbcf164c61a2ff3e667fb09e59c_0b1d89a7_bfcb485d-762c-41bb-8a95-9f95d805c8ea\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERCAF7.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Mar 28 09:42:49 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBE3.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERCC22.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERCD97.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Mar 28 09:42:50 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERCE15.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERCE35.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERD0B4.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Mar 28 09:42:50 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERD122.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERD143.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERD2C7.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Mar 28 09:42:51 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERD345.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERD375.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERD509.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Mar 28 09:42:52 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERD578.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERD598.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERD6FD.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Mar 28 09:42:52 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERD79B.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERD7BB.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE12.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Mar 28 09:42:54 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE80.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERDEA0.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERE0E1.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Mar 28 09:42:55 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERE1AD.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERE1CD.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ping[1].htm | very short file (no magic) | dropped | |
| C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped | |
25 additional files are not shown in this listing.

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\Wz9s7ibPaf.exe | "C:\Users\user\Desktop\Wz9s7ibPaf.exe" | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 736 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 728 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 784 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 792 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 908 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 1016 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 1308 | |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c taskkill /im "Wz9s7ibPaf.exe" /f & erase "C:\Users\user\Desktop\Wz9s7ibPaf.exe" & exit | |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /im "Wz9s7ibPaf.exe" /f | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 1328 | |
2 additional processes are not shown in this listing.

URLs

| Name | IP | Malicious |
|---|---|---|
| http://185.172.128.90/cpa/ping.php?substr=one&s=two | 185.172.128.90 | |
| http://upx.sf.net | unknown | |
| http://185.172.128.90/cpa/ping.php?substr=one&s=twoo | unknown | |

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 185.172.128.90 | unknown | Russian Federation | |

Registry

| Path | Value | Malicious |
|---|---|---|
| \REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe\|355564f35e82618 | ProgramId | |
| \REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe\|355564f35e82618 | FileId | |
| \REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe\|355564f35e82618 | LowerCaseLongPath | |
| \REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe\|355564f35e82618 | LongPathHash | |
| \REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe\|355564f35e82618 | Name | |
| \REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe\|355564f35e82618 | OriginalFileName | |
| \REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe\|355564f35e82618 | Publisher | |
| \REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe\|355564f35e82618 | Version | |
| \REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe\|355564f35e82618 | BinFileVersion | |
| \REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe\|355564f35e82618 | BinaryType | |
| \REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe\|355564f35e82618 | ProductName | |
| \REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe\|355564f35e82618 | ProductVersion | |
| \REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe\|355564f35e82618 | LinkDate | |
| \REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe\|355564f35e82618 | BinProductVersion | |
| \REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe\|355564f35e82618 | AppxPackageFullName | |
| \REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe\|355564f35e82618 | AppxPackageRelativeId | |
| \REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe\|355564f35e82618 | Size | |
| \REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe\|355564f35e82618 | Language | |
| \REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe\|355564f35e82618 | Usn | |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData | ClockTimeSeconds | |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData | TickCount | |
11 additional registry entries are not shown in this listing.

Memdumps

| Base Address | Region type | Protect | Malicious |
|---|---|---|---|
| 2730000 | direct allocation | page execute and read and write | |
| 2760000 | direct allocation | page read and write | |
| 400000 | unknown | page execute and read and write | |
| AE8000 | unknown | page readonly | |
| 29E0000 | heap | page read and write | |
| C0D000 | heap | page read and write | |
| E8F000 | stack | page read and write | |
| 31D3000 | heap | page read and write | |
| AE8000 | unknown | page readonly | |
| 417000 | unknown | page write copy | |
| 27E0000 | heap | page read and write | |
| B5E000 | heap | page read and write | |
| 32F4000 | heap | page read and write | |
| 34AF000 | unknown | page read and write | |
| 316B000 | stack | page read and write | |
| CB5000 | heap | page read and write | |
| B00000 | heap | page read and write | |
| 32DE000 | stack | page read and write | |
| 32B0000 | heap | page read and write | |
| 31BC000 | heap | page read and write | |
| F8F000 | stack | page read and write | |
| 30FD000 | stack | page read and write | |
| 35BC000 | stack | page read and write | |
| 292D000 | stack | page read and write | |
| 377F000 | stack | page read and write | |
| B6E000 | heap | page execute and read and write | |
| 32E2000 | heap | page read and write | |
| C3D000 | heap | page read and write | |
| 401000 | unknown | page execute read | |
| C8E000 | stack | page read and write | |
| 2780000 | heap | page read and write | |
| C38000 | heap | page read and write | |
| B4E000 | stack | page read and write | |
| CB0000 | heap | page read and write | |
| 3160000 | heap | page read and write | |
| 441000 | unknown | page read and write | |
| 2F2E000 | stack | page read and write | |
| 1F0000 | heap | page read and write | |
| 3470000 | heap | page read and write | |
| 31DD000 | stack | page read and write | |
| 27DD000 | stack | page read and write | |
| 3572000 | heap | page read and write | |
| 29CD000 | stack | page read and write | |
| 296D000 | stack | page read and write | |
| 2E2E000 | stack | page read and write | |
| B50000 | heap | page read and write | |
| 32D0000 | heap | page read and write | |
| 198000 | stack | page read and write | |
| 31D1000 | heap | page read and write | |
| 31B0000 | heap | page read and write | |
| 3570000 | heap | page read and write | |
| 31D5000 | heap | page read and write | |
| 306D000 | stack | page read and write | |
| B59000 | heap | page read and write | |
| B8A000 | heap | page read and write | |
| 41C000 | unknown | page write copy | |
| AE6000 | unknown | page read and write | |
| 36BC000 | stack | page read and write | |
| 2DFD000 | stack | page read and write | |
| 302E000 | stack | page read and write | |
| 34EE000 | stack | page read and write | |
| 400000 | unknown | page readonly | |
| 9B000 | stack | page read and write | |
| 42F000 | unknown | page write copy | |
| 410000 | unknown | page readonly | |
| 31AE000 | unknown | page read and write | |
| 28EE000 | stack | page read and write | |
57 additional memory dumps are not shown in this listing.