Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
maizu v1.4.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
initial sample
|
 |
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MSBuild.exe_47f04a05abbe4c2ca5f29d3456dbda14113214_2f54229f_fa95258a-bd68-4603-8fb9-ca8424109259\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MSBuild.exe_c365489cdde0dec8a471982681e3951dad25868_2f54229f_7f47af1e-2856-4a8f-9b0f-521cc1b701db\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MSBuild.exe_c365489cdde0dec8a471982681e3951dad25868_2f54229f_d92b5131-cb13-41e5-890b-d0dd2d67f1f5\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7591.tmp.dmp
|
Mini DuMP crash report, 15 streams, Mon Oct 7 04:44:08 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER791D.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER795C.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D90.tmp.dmp
|
Mini DuMP crash report, 15 streams, Mon Oct 7 04:44:09 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E3D.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E5D.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8030.tmp.dmp
|
Mini DuMP crash report, 15 streams, Mon Oct 7 04:44:10 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER811B.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER813C.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Windows\appcompat\Programs\Amcache.hve
|
MS Windows registry file, NT/2000 or above
|
dropped
|
There are 4 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Users\user\Desktop\maizu v1.4.exe
|
"C:\Users\user\Desktop\maizu v1.4.exe"
|
|
|
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
|
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
|
|
|
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 5832 -s 1656
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 5832 -s 1636
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 5832 -s 1644
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 5832 -s 1572
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 5832 -s 1592
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
frizzettei.sbs
|
|
||
|
https://bleedminejw.buzz/api
|
104.21.17.192
|
|
|
|
bemuzzeki.sbs
|
|
||
|
invinjurhey.sbs
|
|
||
|
exilepolsiy.sbs
|
|
||
|
exemplarou.sbs
|
|
||
|
laddyirekyi.sbs
|
|
||
|
https://frizzettei.sbs/api
|
188.114.97.3
|
|
|
|
wickedneatr.sbs
|
|
||
|
isoplethui.sbs
|
|
||
|
bleedminejw.buzz
|
|
||
|
https://frizzettei.sbs/n
|
unknown
|
||
|
https://frizzettei.sbs/;
|
unknown
|
||
|
https://frizzettei.sbs/66
|
unknown
|
||
|
https://frizzettei.sbs/E
|
unknown
|
||
|
http://upx.sf.net
|
unknown
|
||
|
https://frizzettei.sbs/
|
unknown
|
||
|
https://www.cloudflare.com/5xx-error-landing
|
unknown
|
There are 8 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
frizzettei.sbs
|
188.114.97.3
|
|
|
|
bleedminejw.buzz
|
104.21.17.192
|
|
|
|
s-part-0017.t-0009.t-msedge.net
|
13.107.246.45
|
||
|
fp2e7a.wpc.phicdn.net
|
192.229.221.95
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
104.21.17.192
|
bleedminejw.buzz
|
United States
|
|
|
|
188.114.97.3
|
frizzettei.sbs
|
European Union
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
\REGISTRY\A\{e35dbf1e-0dd9-01b5-a939-f1f408949585}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
ProgramId
|
||
|
\REGISTRY\A\{e35dbf1e-0dd9-01b5-a939-f1f408949585}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
FileId
|
||
|
\REGISTRY\A\{e35dbf1e-0dd9-01b5-a939-f1f408949585}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
LowerCaseLongPath
|
||
|
\REGISTRY\A\{e35dbf1e-0dd9-01b5-a939-f1f408949585}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
LongPathHash
|
||
|
\REGISTRY\A\{e35dbf1e-0dd9-01b5-a939-f1f408949585}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
Name
|
||
|
\REGISTRY\A\{e35dbf1e-0dd9-01b5-a939-f1f408949585}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
OriginalFileName
|
||
|
\REGISTRY\A\{e35dbf1e-0dd9-01b5-a939-f1f408949585}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
Publisher
|
||
|
\REGISTRY\A\{e35dbf1e-0dd9-01b5-a939-f1f408949585}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
Version
|
||
|
\REGISTRY\A\{e35dbf1e-0dd9-01b5-a939-f1f408949585}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
BinFileVersion
|
||
|
\REGISTRY\A\{e35dbf1e-0dd9-01b5-a939-f1f408949585}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
BinaryType
|
||
|
\REGISTRY\A\{e35dbf1e-0dd9-01b5-a939-f1f408949585}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
ProductName
|
||
|
\REGISTRY\A\{e35dbf1e-0dd9-01b5-a939-f1f408949585}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
ProductVersion
|
||
|
\REGISTRY\A\{e35dbf1e-0dd9-01b5-a939-f1f408949585}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
LinkDate
|
||
|
\REGISTRY\A\{e35dbf1e-0dd9-01b5-a939-f1f408949585}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
BinProductVersion
|
||
|
\REGISTRY\A\{e35dbf1e-0dd9-01b5-a939-f1f408949585}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
AppxPackageFullName
|
||
|
\REGISTRY\A\{e35dbf1e-0dd9-01b5-a939-f1f408949585}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
AppxPackageRelativeId
|
||
|
\REGISTRY\A\{e35dbf1e-0dd9-01b5-a939-f1f408949585}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
Size
|
||
|
\REGISTRY\A\{e35dbf1e-0dd9-01b5-a939-f1f408949585}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
Language
|
||
|
\REGISTRY\A\{e35dbf1e-0dd9-01b5-a939-f1f408949585}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
IsOsComponent
|
||
|
\REGISTRY\A\{e35dbf1e-0dd9-01b5-a939-f1f408949585}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff
|
Usn
|
There are 10 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
BEC000
|
unkown
|
page read and write
|
|
|
|
C44000
|
unkown
|
page execute and read and write
|
||
|
AE5000
|
heap
|
page read and write
|
||
|
EDF000
|
stack
|
page read and write
|
||
|
8FC000
|
stack
|
page read and write
|
||
|
2F7F000
|
stack
|
page read and write
|
||
|
2BAE000
|
stack
|
page read and write
|
||
|
A0E000
|
stack
|
page read and write
|
||
|
5CE000
|
stack
|
page read and write
|
||
|
D45000
|
heap
|
page read and write
|
||
|
CAC000
|
heap
|
page read and write
|
||
|
1040000
|
heap
|
page read and write
|
||
|
D38000
|
heap
|
page read and write
|
||
|
CE0000
|
heap
|
page read and write
|
||
|
C98000
|
heap
|
page read and write
|
||
|
A30000
|
heap
|
page read and write
|
||
|
272D000
|
stack
|
page read and write
|
||
|
AA0000
|
heap
|
page read and write
|
||
|
C2D000
|
stack
|
page read and write
|
||
|
BE2000
|
unkown
|
page readonly
|
||
|
BEC000
|
unkown
|
page write copy
|
||
|
BC0000
|
unkown
|
page readonly
|
||
|
A60000
|
heap
|
page read and write
|
||
|
5E0000
|
heap
|
page read and write
|
||
|
C47000
|
unkown
|
page readonly
|
||
|
8FD000
|
stack
|
page read and write
|
||
|
580000
|
heap
|
page read and write
|
||
|
C47000
|
unkown
|
page readonly
|
||
|
5F0000
|
heap
|
page read and write
|
||
|
282D000
|
stack
|
page read and write
|
||
|
2E7E000
|
stack
|
page read and write
|
||
|
57B000
|
stack
|
page read and write
|
||
|
BE2000
|
unkown
|
page readonly
|
||
|
C6D000
|
stack
|
page read and write
|
||
|
AE0000
|
heap
|
page read and write
|
||
|
A4E000
|
stack
|
page read and write
|
||
|
2CAF000
|
stack
|
page read and write
|
||
|
2CED000
|
stack
|
page read and write
|
||
|
2DED000
|
stack
|
page read and write
|
||
|
2E30000
|
heap
|
page read and write
|
||
|
400000
|
remote allocation
|
page execute and read and write
|
||
|
E8F000
|
stack
|
page read and write
|
||
|
B3F000
|
stack
|
page read and write
|
||
|
BC0000
|
unkown
|
page readonly
|
||
|
BC1000
|
unkown
|
page execute read
|
||
|
45F000
|
remote allocation
|
page execute and read and write
|
||
|
CEE000
|
heap
|
page read and write
|
||
|
A0E000
|
stack
|
page read and write
|
||
|
570000
|
heap
|
page read and write
|
||
|
CD2000
|
heap
|
page read and write
|
||
|
BC1000
|
unkown
|
page execute read
|
||
|
C45000
|
unkown
|
page read and write
|
||
|
BEF000
|
stack
|
page read and write
|
||
|
CEA000
|
heap
|
page read and write
|
||
|
C90000
|
heap
|
page read and write
|
||
|
CBD000
|
heap
|
page read and write
|
||
|
50D000
|
stack
|
page read and write
|
There are 47 hidden memdumps, click here to show them.