Files

File Path | Type | Category | Malicious
---|---|---|---
w7kdnBzGat.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_w7kdnBzGat.exe_3c8c512cf549e9ce237cc88c2aab5759f36d91_ed2726f5_58e1a148-72c3-4395-902b-3ee4fba2d5b4\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFD38.tmp.dmp | Mini DuMP crash report, 14 streams, Mon May 27 12:53:07 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFD87.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFDD6.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped |
Processes

Path | Cmdline | Malicious
---|---|---
C:\Users\user\Desktop\w7kdnBzGat.exe | "C:\Users\user\Desktop\w7kdnBzGat.exe" |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit |
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
C:\Windows\SysWOW64\timeout.exe | timeout /t 5 |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 268 |
URLs

Name | IP | Malicious
---|---|---
http://23.88.106.134/84bad7132df89fd7/sqlite3.dll | 23.88.106.134 |
http://23.88.106.134/c73eed764cc59dcb.php | 23.88.106.134 |
http://23.88.106.134 | unknown |
http://upx.sf.net | unknown |
http://23.88.106.134/c73eed764cc59dcb.php.0//EN | unknown |
http://23.88.106.134/c73eed764cc59dcb.phpxKr | unknown |
http://23.88.106.134/c73eed764cc59dcb.phpininit.exe | unknown |
IPs

IP | Domain | Country | Malicious
---|---|---|---
23.88.106.134 | unknown | United States |
Registry

Path | Value | Malicious
---|---|---
\REGISTRY\A\{a8b00426-bf80-522d-9d3e-2d6c634c0c50}\Root\InventoryApplicationFile\w7kdnbzgat.exe\|18d896aa6e848596 | ProgramId |
\REGISTRY\A\{a8b00426-bf80-522d-9d3e-2d6c634c0c50}\Root\InventoryApplicationFile\w7kdnbzgat.exe\|18d896aa6e848596 | FileId |
\REGISTRY\A\{a8b00426-bf80-522d-9d3e-2d6c634c0c50}\Root\InventoryApplicationFile\w7kdnbzgat.exe\|18d896aa6e848596 | LowerCaseLongPath |
\REGISTRY\A\{a8b00426-bf80-522d-9d3e-2d6c634c0c50}\Root\InventoryApplicationFile\w7kdnbzgat.exe\|18d896aa6e848596 | LongPathHash |
\REGISTRY\A\{a8b00426-bf80-522d-9d3e-2d6c634c0c50}\Root\InventoryApplicationFile\w7kdnbzgat.exe\|18d896aa6e848596 | Name |
\REGISTRY\A\{a8b00426-bf80-522d-9d3e-2d6c634c0c50}\Root\InventoryApplicationFile\w7kdnbzgat.exe\|18d896aa6e848596 | OriginalFileName |
\REGISTRY\A\{a8b00426-bf80-522d-9d3e-2d6c634c0c50}\Root\InventoryApplicationFile\w7kdnbzgat.exe\|18d896aa6e848596 | Publisher |
\REGISTRY\A\{a8b00426-bf80-522d-9d3e-2d6c634c0c50}\Root\InventoryApplicationFile\w7kdnbzgat.exe\|18d896aa6e848596 | Version |
\REGISTRY\A\{a8b00426-bf80-522d-9d3e-2d6c634c0c50}\Root\InventoryApplicationFile\w7kdnbzgat.exe\|18d896aa6e848596 | BinFileVersion |
\REGISTRY\A\{a8b00426-bf80-522d-9d3e-2d6c634c0c50}\Root\InventoryApplicationFile\w7kdnbzgat.exe\|18d896aa6e848596 | BinaryType |
\REGISTRY\A\{a8b00426-bf80-522d-9d3e-2d6c634c0c50}\Root\InventoryApplicationFile\w7kdnbzgat.exe\|18d896aa6e848596 | ProductName |
\REGISTRY\A\{a8b00426-bf80-522d-9d3e-2d6c634c0c50}\Root\InventoryApplicationFile\w7kdnbzgat.exe\|18d896aa6e848596 | ProductVersion |
\REGISTRY\A\{a8b00426-bf80-522d-9d3e-2d6c634c0c50}\Root\InventoryApplicationFile\w7kdnbzgat.exe\|18d896aa6e848596 | LinkDate |
\REGISTRY\A\{a8b00426-bf80-522d-9d3e-2d6c634c0c50}\Root\InventoryApplicationFile\w7kdnbzgat.exe\|18d896aa6e848596 | BinProductVersion |
\REGISTRY\A\{a8b00426-bf80-522d-9d3e-2d6c634c0c50}\Root\InventoryApplicationFile\w7kdnbzgat.exe\|18d896aa6e848596 | AppxPackageFullName |
\REGISTRY\A\{a8b00426-bf80-522d-9d3e-2d6c634c0c50}\Root\InventoryApplicationFile\w7kdnbzgat.exe\|18d896aa6e848596 | AppxPackageRelativeId |
\REGISTRY\A\{a8b00426-bf80-522d-9d3e-2d6c634c0c50}\Root\InventoryApplicationFile\w7kdnbzgat.exe\|18d896aa6e848596 | Size |
\REGISTRY\A\{a8b00426-bf80-522d-9d3e-2d6c634c0c50}\Root\InventoryApplicationFile\w7kdnbzgat.exe\|18d896aa6e848596 | Language |
\REGISTRY\A\{a8b00426-bf80-522d-9d3e-2d6c634c0c50}\Root\InventoryApplicationFile\w7kdnbzgat.exe\|18d896aa6e848596 | Usn |

(9 further registry entries are not shown in this excerpt of the report.)
Memdumps

Base Address | Region type | Protect | Malicious
---|---|---|---
106A000 | heap | page read and write |
400000 | remote allocation | page execute and read and write |
534000 | unknown | page read and write |
440000 | remote allocation | page execute and read and write |
1B08D000 | stack | page read and write |
CFC000 | stack | page read and write |
1AE4E000 | stack | page read and write |
2D1F000 | stack | page read and write |
2AD0000 | heap | page read and write |
439000 | remote allocation | page execute and read and write |
9D0000 | heap | page read and write |
13BF000 | stack | page read and write |
2ABC000 | stack | page read and write |
1260000 | heap | page read and write |
2197C000 | stack | page read and write |
1170000 | heap | page read and write |
CFD000 | stack | page read and write |
10F7000 | heap | page read and write |
534000 | unknown | page write copy |
2BEE000 | stack | page read and write |
55D000 | unknown | page readonly |
4A0000 | unknown | page readonly |
115F000 | stack | page read and write |
9F0000 | heap | page read and write |
55D000 | unknown | page readonly |
1B3DE000 | stack | page read and write |
97D000 | stack | page read and write |
1060000 | heap | page read and write |
21800000 | heap | page read and write |
1B28E000 | stack | page read and write |
1ACB0000 | heap | page read and write |
10C8000 | heap | page read and write |
2CDE000 | stack | page read and write |
55A000 | unknown | page read and write |
2D87000 | heap | page read and write |
E2E000 | heap | page read and write |
1A95F000 | stack | page read and write |
4A0000 | unknown | page readonly |
10DD000 | heap | page read and write |
431000 | remote allocation | page execute and read and write |
1B10E000 | stack | page read and write |
523000 | unknown | page readonly |
4A1000 | unknown | page execute read |
9E0000 | heap | page read and write |
550000 | remote allocation | page execute and read and write |
1AD0E000 | stack | page read and write |
4A1000 | unknown | page execute read |
E2A000 | heap | page read and write |
1B4DF000 | stack | page read and write |
1B20F000 | stack | page read and write |
2C30000 | heap | page read and write |
2C2F000 | stack | page read and write |
1B38E000 | stack | page read and write |
215DB000 | stack | page read and write |
217E0000 | heap | page read and write |
1B63A000 | heap | page read and write |
435000 | remote allocation | page execute and read and write |
1A85E000 | stack | page read and write |
E10000 | direct allocation | page execute and read and write |
12BE000 | stack | page read and write |
10AD000 | heap | page read and write |
523000 | unknown | page readonly |
E0E000 | stack | page read and write |
105E000 | stack | page read and write |
13EC000 | heap | page read and write |
216DB000 | stack | page read and write |
1AF4C000 | stack | page read and write |
DFC000 | stack | page read and write |
1AE0F000 | stack | page read and write |
2187C000 | stack | page read and write |
54D000 | remote allocation | page execute and read and write |
13E0000 | heap | page read and write |
1B530000 | heap | page read and write |
101E000 | stack | page read and write |
1250000 | heap | page read and write |
2C90000 | heap | page read and write |
1165000 | heap | page read and write |
1AF8E000 | stack | page read and write |
636000 | remote allocation | page execute and read and write |
DF5000 | stack | page read and write |
2D80000 | heap | page read and write |
E20000 | heap | page read and write |
1160000 | heap | page read and write |
47E0000 | heap | page read and write |
2A7C000 | stack | page read and write |

(75 further memdump entries are not shown in this excerpt of the report.)