Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

C:\Users\user\AppData\Local\Temp\W9yZG_t61Z_J7GfmBn540XA.zip

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_4d3f288dd4798765eb91273da4b76d6bea17316_52238708_10335d55-7344-4798-868a-642b323fdb2a\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_4d3f288dd4798765eb91273da4b76d6bea17316_52238708_15d3ae8c-14d8-47b4-889c-158b8969f6cd\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_4d3f288dd4798765eb91273da4b76d6bea17316_52238708_407a37f6-a980-4391-8494-bf9bcb7a1c8d\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_4d3f288dd4798765eb91273da4b76d6bea17316_52238708_681b8baa-75ab-45c4-b7b0-ae76b7b2d453\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_4d3f288dd4798765eb91273da4b76d6bea17316_52238708_688cbf8b-67c3-4b5a-8f65-1c3ad19de2a6\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_4d3f288dd4798765eb91273da4b76d6bea17316_52238708_83ca9a92-fbbd-4d11-a1a6-fbba96d67552\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_4d3f288dd4798765eb91273da4b76d6bea17316_52238708_84b6f306-bf5a-493e-9e98-3770969605f7\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_4d3f288dd4798765eb91273da4b76d6bea17316_52238708_85a5fc3c-0a1c-48df-b75b-a51156fea0d7\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_4d3f288dd4798765eb91273da4b76d6bea17316_52238708_9042f83a-504d-4950-abc0-e4e4679bb0f8\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_4d3f288dd4798765eb91273da4b76d6bea17316_52238708_b4ee208a-c92f-4f51-be05-eaa535ab5445\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_4d3f288dd4798765eb91273da4b76d6bea17316_52238708_b621ded2-faf3-4fb3-a976-16024740780d\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_4d3f288dd4798765eb91273da4b76d6bea17316_52238708_f6dc93c5-cb1c-438e-a34b-3e15d7234d4b\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_bf3ace7eccf87db32bccac6338e1d4b03dc99b8f_52238708_302080a6-229b-410a-bd76-88077ad387bc\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_bf3ace7eccf87db32bccac6338e1d4b03dc99b8f_52238708_73a5c60f-cccd-4bb6-87ec-0e77435d9d45\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_bf3ace7eccf87db32bccac6338e1d4b03dc99b8f_52238708_bfe9909b-817e-4821-a15d-d84abb4d0703\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_bf3ace7eccf87db32bccac6338e1d4b03dc99b8f_52238708_d1f1775b-34ae-4862-b958-5a7fbc722829\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_bf3ace7eccf87db32bccac6338e1d4b03dc99b8f_52238708_ed24c999-a2a5-41aa-9fbc-f46e42155e4d\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_bf3ace7eccf87db32bccac6338e1d4b03dc99b8f_52238708_f1cbd908-8b84-401d-9fbd-c08ff655e859\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER152.tmp.dmp

Mini DuMP crash report, 15 streams, Sun Apr 21 23:29:10 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER22D.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER25D.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4AD.tmp.dmp

Mini DuMP crash report, 15 streams, Sun Apr 21 23:29:11 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5A8.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5F7.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7F9.tmp.dmp

Mini DuMP crash report, 15 streams, Sun Apr 21 23:29:12 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8B5.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8D5.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA6A.tmp.dmp

Mini DuMP crash report, 15 streams, Sun Apr 21 23:29:13 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB84.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA4.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC98.tmp.dmp

Mini DuMP crash report, 15 streams, Sun Apr 21 23:28:53 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBD74.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBD94.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC206.tmp.dmp

Mini DuMP crash report, 15 streams, Sun Apr 21 23:28:54 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC275.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC295.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC477.tmp.dmp

Mini DuMP crash report, 15 streams, Sun Apr 21 23:28:55 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC4E6.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC506.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC6C9.tmp.dmp

Mini DuMP crash report, 15 streams, Sun Apr 21 23:28:55 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC786.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC7A6.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC92B.tmp.dmp

Mini DuMP crash report, 15 streams, Sun Apr 21 23:28:56 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC9B8.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC9D8.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCD03.tmp.dmp

Mini DuMP crash report, 15 streams, Sun Apr 21 23:28:57 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCDBF.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCDE0.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB2C.tmp.dmp

Mini DuMP crash report, 15 streams, Sun Apr 21 23:29:00 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDBD9.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDBF9.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE49.tmp.dmp

Mini DuMP crash report, 15 streams, Sun Apr 21 23:29:01 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDF73.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDF93.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE406.tmp.dmp

Mini DuMP crash report, 15 streams, Sun Apr 21 23:29:03 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE52F.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE55F.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE732.tmp.dmp

Mini DuMP crash report, 15 streams, Sun Apr 21 23:29:04 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE7EF.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE80F.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC04.tmp.dmp

Mini DuMP crash report, 15 streams, Sun Apr 21 23:29:05 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERECD1.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERED5E.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF490.tmp.dmp

Mini DuMP crash report, 15 streams, Sun Apr 21 23:29:07 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF6B4.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF6D4.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFAD9.tmp.dmp

Mini DuMP crash report, 15 streams, Sun Apr 21 23:29:09 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB96.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFBB6.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFD98.tmp.dmp

Mini DuMP crash report, 15 streams, Sun Apr 21 23:29:09 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFEF1.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFF11.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\spanBKaHSrnNvXxX\02zdBXl47cvzcookies.sqlite

SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3

dropped

C:\Users\user\AppData\Local\Temp\spanBKaHSrnNvXxX\2tsRP66QVQTmWeb Data

SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2

dropped

C:\Users\user\AppData\Local\Temp\spanBKaHSrnNvXxX\3b6N2Xdh3CYwplaces.sqlite

SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2

dropped

C:\Users\user\AppData\Local\Temp\spanBKaHSrnNvXxX\6xWctsbrfVe0Web Data

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3

dropped

C:\Users\user\AppData\Local\Temp\spanBKaHSrnNvXxX\73zD30s3rSfmHistory

SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2

dropped

C:\Users\user\AppData\Local\Temp\spanBKaHSrnNvXxX\Cma6mvK3hWvIHistory

SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4

dropped

C:\Users\user\AppData\Local\Temp\spanBKaHSrnNvXxX\D87fZN3R3jFeplaces.sqlite

dropped

C:\Users\user\AppData\Local\Temp\spanBKaHSrnNvXxX\HhIb92Xvz5nICookies

SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11

dropped

C:\Users\user\AppData\Local\Temp\spanBKaHSrnNvXxX\KsnNQ7qbgZr8Login Data

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1

dropped

C:\Users\user\AppData\Local\Temp\spanBKaHSrnNvXxX\Le1h_k1bUmDcLogin Data

SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1

dropped

C:\Users\user\AppData\Local\Temp\spanBKaHSrnNvXxX\X4oeewryncyYWeb Data

SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2

dropped

C:\Users\user\AppData\Local\Temp\spanBKaHSrnNvXxX\ZP9OgwnUTBtwHistory

SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4

dropped

C:\Users\user\AppData\Local\Temp\spanBKaHSrnNvXxX\c7L3m01NgL1nHistory

SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2

dropped

C:\Users\user\AppData\Local\Temp\spanBKaHSrnNvXxX\kpoRIew0KmbRWeb Data

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3

dropped

C:\Users\user\AppData\Local\Temp\spanBKaHSrnNvXxX\v9sfzApO2m4MWeb Data

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3

dropped

C:\Users\user\AppData\Local\Temp\spanBKaHSrnNvXxX\vbwxzHO_00KHLogin Data For Account

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1

dropped

C:\Users\user\AppData\Local\Temp\spanBKaHSrnNvXxX\xq4j8bDozcmeWeb Data

SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2

dropped

C:\Users\user\AppData\Local\Temp\trixyBKaHSrnNvXxX\Cookies\Chrome_Default.txt

ASCII text, with very long lines (769), with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\trixyBKaHSrnNvXxX\information.txt

ASCII text, with CRLF, LF line terminators

dropped

C:\Users\user\AppData\Local\Temp\trixyBKaHSrnNvXxX\passwords.txt

Unicode text, UTF-8 text, with CRLF, LF line terminators

dropped

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

There are 85 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1892

There are 9 hidden processes, click here to show them.

URLs

Name

Malicious

http://193.233.132.167/cost/lenin.exe

unknown

https://duckduckgo.com/chrome_newtab

unknown

https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF

unknown

http://.102:57amadka.

unknown

https://duckduckgo.com/ac/?q=

unknown

http://www.winimage.com/zLibD

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

http://147.45.47.102:57893/hera/amadka.exe-

unknown

https://db-ip.com/demo/home.php?s=81.181.57.524

unknown

http://147.45.47.102:57893/hera/amadka.exe

unknown

https://db-ip.com/

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

http://upx.sf.net

unknown

https://t.me/RiseProSUPPORT

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016

unknown

https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17

unknown

https://www.ecosia.org/newtab/

unknown

https://db-ip.com:443/demo/home.php?s=81.181.57.52?9d1

unknown

https://ipinfo.io/Mozilla/5.0

unknown

https://ipinfo.io/widget/demo/81.181.57.52

34.117.186.192

https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br

unknown

https://ipinfo.io/B

unknown

https://ipinfo.io/Content-Type:

unknown

http://193.233.132.167/cost/go.exe.1

unknown

https://ipinfo.io:443/widget/demo/81.181.57.520%

unknown

http://193.233.132.167/cost/go.exe

unknown

https://ac.ecosia.org/autocomplete?q=

unknown

https://t.me/risepro_bot

unknown

https://ipinfo.io/

unknown

https://db-ip.com/demo/home.php?s=81.181.57.52

172.67.75.166

https://www.maxmind.com/en/locate-my-ip-address

unknown

https://ipinfo.io/1D

unknown

https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

http://www.winimage.com/zLibDll

unknown

https://db-ip.com/demo/home.php?s=81.181.57.52q.

unknown

https://support.mozilla.org

unknown

https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

There are 30 hidden URLs, click here to show them.

Domains

Name

Malicious

ipinfo.io

34.117.186.192

Details

Name:	ipinfo.io
IP:	34.117.186.192
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

db-ip.com

172.67.75.166

Details

Name:	db-ip.com
IP:	172.67.75.166
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

147.45.47.93

unknown

Russian Federation

Details

IP:	147.45.47.93
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	2895
ASN name:	FREE-NET-ASFREEnetEU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

34.117.186.192

ipinfo.io

United States

Details

IP:	34.117.186.192
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	139070
ASN name:	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG
Private:	false
Domain:	ipinfo.io

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

172.67.75.166

db-ip.com

United States

Details

IP:	172.67.75.166
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	db-ip.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking