Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
Wz9s7ibPaf.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
initial sample
|
 |
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wz9s7ibPaf.exe_f181a67ed63bcdd052bb3ff94add6735e2d249_0b1d89a7_0e031f6b-4428-4c4a-a405-dd5e9d062cde\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wz9s7ibPaf.exe_f181a67ed63bcdd052bb3ff94add6735e2d249_0b1d89a7_80f436c6-af69-4120-a4c7-e7d0131884fb\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wz9s7ibPaf.exe_f181a67ed63bcdd052bb3ff94add6735e2d249_0b1d89a7_bda0dbbb-a008-4244-948c-8a472dc44b70\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wz9s7ibPaf.exe_f181a67ed63bcdd052bb3ff94add6735e2d249_0b1d89a7_c4420ece-c0f0-440a-9931-8596a838f6b7\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wz9s7ibPaf.exe_f181a67ed63bcdd052bb3ff94add6735e2d249_0b1d89a7_d2d5cf9e-50f2-4b02-a216-447df7720eca\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wz9s7ibPaf.exe_f181a67ed63bcdd052bb3ff94add6735e2d249_0b1d89a7_ee114863-becb-4248-ab63-0249124ae223\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wz9s7ibPaf.exe_f181a67ed63bcdd052bb3ff94add6735e2d249_0b1d89a7_f7f4859b-76b0-4143-940d-0fbe0c9e4287\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wz9s7ibPaf.exe_f459711f485bbcf164c61a2ff3e667fb09e59c_0b1d89a7_bfcb485d-762c-41bb-8a95-9f95d805c8ea\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCAF7.tmp.dmp
|
Mini DuMP crash report, 14 streams, Thu Mar 28 09:42:49 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBE3.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCC22.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCD97.tmp.dmp
|
Mini DuMP crash report, 14 streams, Thu Mar 28 09:42:50 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCE15.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCE35.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD0B4.tmp.dmp
|
Mini DuMP crash report, 14 streams, Thu Mar 28 09:42:50 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD122.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD143.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD2C7.tmp.dmp
|
Mini DuMP crash report, 14 streams, Thu Mar 28 09:42:51 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD345.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD375.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD509.tmp.dmp
|
Mini DuMP crash report, 14 streams, Thu Mar 28 09:42:52 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD578.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD598.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD6FD.tmp.dmp
|
Mini DuMP crash report, 14 streams, Thu Mar 28 09:42:52 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD79B.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD7BB.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE12.tmp.dmp
|
Mini DuMP crash report, 14 streams, Thu Mar 28 09:42:54 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE80.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDEA0.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE0E1.tmp.dmp
|
Mini DuMP crash report, 14 streams, Thu Mar 28 09:42:55 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE1AD.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE1CD.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ping[1].htm
|
very short file (no magic)
|
dropped
|
||
|
C:\Windows\appcompat\Programs\Amcache.hve
|
MS Windows registry file, NT/2000 or above
|
dropped
|
There are 25 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Users\user\Desktop\Wz9s7ibPaf.exe
|
"C:\Users\user\Desktop\Wz9s7ibPaf.exe"
|
|
|
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 736
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 728
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 784
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 792
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 908
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 1016
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 1308
|
||
|
C:\Windows\SysWOW64\cmd.exe
|
"C:\Windows\System32\cmd.exe" /c taskkill /im "Wz9s7ibPaf.exe" /f & erase "C:\Users\user\Desktop\Wz9s7ibPaf.exe" & exit
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\SysWOW64\taskkill.exe
|
taskkill /im "Wz9s7ibPaf.exe" /f
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 1328
|
There are 2 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://185.172.128.90/cpa/ping.php?substr=one&s=two
|
185.172.128.90
|
|
|
|
http://upx.sf.net
|
unknown
|
||
|
http://185.172.128.90/cpa/ping.php?substr=one&s=twoo
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
185.172.128.90
|
unknown
|
Russian Federation
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
\REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe|355564f35e82618
|
ProgramId
|
||
|
\REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe|355564f35e82618
|
FileId
|
||
|
\REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe|355564f35e82618
|
LowerCaseLongPath
|
||
|
\REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe|355564f35e82618
|
LongPathHash
|
||
|
\REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe|355564f35e82618
|
Name
|
||
|
\REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe|355564f35e82618
|
OriginalFileName
|
||
|
\REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe|355564f35e82618
|
Publisher
|
||
|
\REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe|355564f35e82618
|
Version
|
||
|
\REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe|355564f35e82618
|
BinFileVersion
|
||
|
\REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe|355564f35e82618
|
BinaryType
|
||
|
\REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe|355564f35e82618
|
ProductName
|
||
|
\REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe|355564f35e82618
|
ProductVersion
|
||
|
\REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe|355564f35e82618
|
LinkDate
|
||
|
\REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe|355564f35e82618
|
BinProductVersion
|
||
|
\REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe|355564f35e82618
|
AppxPackageFullName
|
||
|
\REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe|355564f35e82618
|
AppxPackageRelativeId
|
||
|
\REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe|355564f35e82618
|
Size
|
||
|
\REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe|355564f35e82618
|
Language
|
||
|
\REGISTRY\A\{166a39ae-b2d9-9871-1c6c-68ce07a87179}\Root\InventoryApplicationFile\wz9s7ibpaf.exe|355564f35e82618
|
Usn
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
|
ClockTimeSeconds
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
|
TickCount
|
There are 11 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
2730000
|
direct allocation
|
page execute and read and write
|
|
|
|
2760000
|
direct allocation
|
page read and write
|
|
|
|
400000
|
unkown
|
page execute and read and write
|
|
|
|
AE8000
|
unkown
|
page readonly
|
||
|
29E0000
|
heap
|
page read and write
|
||
|
C0D000
|
heap
|
page read and write
|
||
|
E8F000
|
stack
|
page read and write
|
||
|
31D3000
|
heap
|
page read and write
|
||
|
AE8000
|
unkown
|
page readonly
|
||
|
417000
|
unkown
|
page write copy
|
||
|
27E0000
|
heap
|
page read and write
|
||
|
B5E000
|
heap
|
page read and write
|
||
|
32F4000
|
heap
|
page read and write
|
||
|
34AF000
|
unkown
|
page read and write
|
||
|
316B000
|
stack
|
page read and write
|
||
|
CB5000
|
heap
|
page read and write
|
||
|
B00000
|
heap
|
page read and write
|
||
|
32DE000
|
stack
|
page read and write
|
||
|
32B0000
|
heap
|
page read and write
|
||
|
31BC000
|
heap
|
page read and write
|
||
|
F8F000
|
stack
|
page read and write
|
||
|
30FD000
|
stack
|
page read and write
|
||
|
35BC000
|
stack
|
page read and write
|
||
|
292D000
|
stack
|
page read and write
|
||
|
377F000
|
stack
|
page read and write
|
||
|
B6E000
|
heap
|
page execute and read and write
|
||
|
32E2000
|
heap
|
page read and write
|
||
|
C3D000
|
heap
|
page read and write
|
||
|
401000
|
unkown
|
page execute read
|
||
|
C8E000
|
stack
|
page read and write
|
||
|
2780000
|
heap
|
page read and write
|
||
|
C38000
|
heap
|
page read and write
|
||
|
B4E000
|
stack
|
page read and write
|
||
|
CB0000
|
heap
|
page read and write
|
||
|
3160000
|
heap
|
page read and write
|
||
|
441000
|
unkown
|
page read and write
|
||
|
2F2E000
|
stack
|
page read and write
|
||
|
1F0000
|
heap
|
page read and write
|
||
|
3470000
|
heap
|
page read and write
|
||
|
31DD000
|
stack
|
page read and write
|
||
|
27DD000
|
stack
|
page read and write
|
||
|
3572000
|
heap
|
page read and write
|
||
|
29CD000
|
stack
|
page read and write
|
||
|
296D000
|
stack
|
page read and write
|
||
|
2E2E000
|
stack
|
page read and write
|
||
|
B50000
|
heap
|
page read and write
|
||
|
32D0000
|
heap
|
page read and write
|
||
|
198000
|
stack
|
page read and write
|
||
|
31D1000
|
heap
|
page read and write
|
||
|
31B0000
|
heap
|
page read and write
|
||
|
3570000
|
heap
|
page read and write
|
||
|
31D5000
|
heap
|
page read and write
|
||
|
306D000
|
stack
|
page read and write
|
||
|
B59000
|
heap
|
page read and write
|
||
|
B8A000
|
heap
|
page read and write
|
||
|
41C000
|
unkown
|
page write copy
|
||
|
AE6000
|
unkown
|
page read and write
|
||
|
36BC000
|
stack
|
page read and write
|
||
|
2DFD000
|
stack
|
page read and write
|
||
|
302E000
|
stack
|
page read and write
|
||
|
34EE000
|
stack
|
page read and write
|
||
|
400000
|
unkown
|
page readonly
|
||
|
9B000
|
stack
|
page read and write
|
||
|
42F000
|
unkown
|
page write copy
|
||
|
410000
|
unkown
|
page readonly
|
||
|
31AE000
|
unkown
|
page read and write
|
||
|
28EE000
|
stack
|
page read and write
|
There are 57 hidden memdumps, click here to show them.