Files

File Path | Type | Category | Malicious
---|---|---|---
maizu v1.4.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MSBuild.exe_47f04a05abbe4c2ca5f29d3456dbda14113214_2f54229f_fa95258a-bd68-4603-8fb9-ca8424109259\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MSBuild.exe_c365489cdde0dec8a471982681e3951dad25868_2f54229f_7f47af1e-2856-4a8f-9b0f-521cc1b701db\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MSBuild.exe_c365489cdde0dec8a471982681e3951dad25868_2f54229f_d92b5131-cb13-41e5-890b-d0dd2d67f1f5\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7591.tmp.dmp | Mini DuMP crash report, 15 streams, Mon Oct 7 04:44:08 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER791D.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER795C.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D90.tmp.dmp | Mini DuMP crash report, 15 streams, Mon Oct 7 04:44:09 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E3D.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E5D.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8030.tmp.dmp | Mini DuMP crash report, 15 streams, Mon Oct 7 04:44:10 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER811B.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER813C.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped |

4 further files are hidden in the original report and not reproduced here.
Processes

Path | Cmdline | Malicious
---|---|---
C:\Users\user\Desktop\maizu v1.4.exe | "C:\Users\user\Desktop\maizu v1.4.exe" |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5832 -s 1656 |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5832 -s 1636 |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5832 -s 1644 |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5832 -s 1572 |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5832 -s 1592 |
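The process list above shows the two signals a detection engineer would pull out of this report: MSBuild.exe started with nothing on its command line but its own path (a build tool with nothing to build), followed by five WerFault.exe launches that all name the same faulting PID via `-p 5832`. The script below is an added example, not part of the sandbox report or its tooling, that turns those two observations into triage logic over process-creation events. The events are constructed from the Processes table: PID 5832 is the one WerFault names, every other PID, the parent/child links and the final benign contrast row are assumptions.

```python
"""Added example, not part of the sandbox report: triage of the Processes table.

MSBuild.exe with no project file or switch on its command line has nothing to
build; when such a process is spawned by a user-downloaded executable and then
repeatedly invokes WerFault.exe, the picture is a signed host process whose
injected payload keeps crashing. The events below are constructed from the
report's Processes table. PID 5832 is the one WerFault names; every other PID,
the parent/child links and the final benign contrast row are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample data (see module docstring for what is assumed).
EVENTS = [
    ProcEvent(4100, 1000, r"C:\Users\user\Desktop\maizu v1.4.exe",
              r'"C:\Users\user\Desktop\maizu v1.4.exe"'),
    ProcEvent(5832, 4100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"'),
    ProcEvent(6010, 5832, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 5832 -s 1656"),
    ProcEvent(6020, 5832, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 5832 -s 1636"),
    ProcEvent(6030, 5832, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 5832 -s 1644"),
    ProcEvent(6040, 5832, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 5832 -s 1572"),
    ProcEvent(6050, 5832, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 5832 -s 1592"),
    # Benign contrast (constructed, not in the report): a real build.
    ProcEvent(7000, 2000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" "C:\src\app.sln" /t:Build'),
]

_TOKEN = re.compile(r'"[^"]*"|\S+')


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def msbuild_with_nothing_to_build(events):
    """Yield (event, parent_image) for MSBuild.exe launched without arguments."""
    by_pid = {e.pid: e for e in events}
    for e in events:
        if image_name(e.image) != "msbuild.exe":
            continue
        if split_cmdline(e.cmdline)[1:]:      # any project path or switch present
            continue
        parent = by_pid.get(e.ppid)
        yield e, (parent.image if parent else None)


def werfault_launches(events) -> Counter:
    """Count WerFault.exe launches per faulting PID (the value after -p)."""
    counts: Counter = Counter()
    for e in events:
        if image_name(e.image) != "werfault.exe":
            continue
        toks = split_cmdline(e.cmdline)
        for flag, value in zip(toks, toks[1:]):
            if flag == "-p" and value.isdigit():
                counts[int(value)] += 1
    return counts


def triage(events) -> list[dict]:
    """Join the two signals: argument-less MSBuild and how often it faulted."""
    crashes = werfault_launches(events)
    return [
        {"pid": e.pid, "parent_image": parent, "werfault_launches": crashes.get(e.pid, 0)}
        for e, parent in msbuild_with_nothing_to_build(events)
    ]


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

The WerFault correlation deliberately keys on the `-p` argument rather than on the parent PID, because the parent of a WerFault.exe instance varies between Windows versions and crash paths, while `-p` always carries the faulting process. The benign row shows what keeps the rule quiet on a real build: any project path or switch after the image name.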
URLs

Name | IP | Malicious
---|---|---
frizzettei.sbs | |
https://bleedminejw.buzz/api | 104.21.17.192 |
bemuzzeki.sbs | |
invinjurhey.sbs | |
exilepolsiy.sbs | |
exemplarou.sbs | |
laddyirekyi.sbs | |
https://frizzettei.sbs/api | 188.114.97.3 |
wickedneatr.sbs | |
isoplethui.sbs | |
bleedminejw.buzz | |
https://frizzettei.sbs/n | unknown |
https://frizzettei.sbs/; | unknown |
https://frizzettei.sbs/66 | unknown |
https://frizzettei.sbs/E | unknown |
http://upx.sf.net | unknown |
https://frizzettei.sbs/ | unknown |
https://www.cloudflare.com/5xx-error-landing | unknown |

8 further URLs are hidden in the original report and not reproduced here.
Domains

Name | IP | Malicious
---|---|---
frizzettei.sbs | 188.114.97.3 |
bleedminejw.buzz | 104.21.17.192 |
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 |
fp2e7a.wpc.phicdn.net | 192.229.221.95 |
IPs

IP | Domain | Country | Malicious
---|---|---|---
104.21.17.192 | bleedminejw.buzz | United States |
188.114.97.3 | frizzettei.sbs | European Union |
Registry

Every listed registry entry lives under the same key, `\REGISTRY\A\{e35dbf1e-0dd9-01b5-a939-f1f408949585}\Root\InventoryApplicationFile\msbuild.exe|94596b7cc5f070ff`. The `\REGISTRY\A\{GUID}` prefix is the namespace Windows uses for application hives loaded with RegLoadAppKey, and `Root\InventoryApplicationFile` is the Amcache inventory; the Amcache.hve file itself appears in the Files table above. These values are therefore Windows recording that MSBuild.exe was executed, not persistence written by the sample, which is why they are useful as a forensic artifact of execution rather than as an indicator of attacker configuration.

Value | Malicious
---|---
ProgramId |
FileId |
LowerCaseLongPath |
LongPathHash |
Name |
OriginalFileName |
Publisher |
Version |
BinFileVersion |
BinaryType |
ProductName |
ProductVersion |
LinkDate |
BinProductVersion |
AppxPackageFullName |
AppxPackageRelativeId |
Size |
Language |
IsOsComponent |
Usn |

10 further registry entries are hidden in the original report and not reproduced here.
Memdumps

Base Address | Region type | Protect | Malicious
---|---|---|---
BEC000 | unknown | page read and write |
C44000 | unknown | page execute and read and write |
AE5000 | heap | page read and write |
EDF000 | stack | page read and write |
8FC000 | stack | page read and write |
2F7F000 | stack | page read and write |
2BAE000 | stack | page read and write |
A0E000 | stack | page read and write |
5CE000 | stack | page read and write |
D45000 | heap | page read and write |
CAC000 | heap | page read and write |
1040000 | heap | page read and write |
D38000 | heap | page read and write |
CE0000 | heap | page read and write |
C98000 | heap | page read and write |
A30000 | heap | page read and write |
272D000 | stack | page read and write |
AA0000 | heap | page read and write |
C2D000 | stack | page read and write |
BE2000 | unknown | page readonly |
BEC000 | unknown | page write copy |
BC0000 | unknown | page readonly |
A60000 | heap | page read and write |
5E0000 | heap | page read and write |
C47000 | unknown | page readonly |
8FD000 | stack | page read and write |
580000 | heap | page read and write |
C47000 | unknown | page readonly |
5F0000 | heap | page read and write |
282D000 | stack | page read and write |
2E7E000 | stack | page read and write |
57B000 | stack | page read and write |
BE2000 | unknown | page readonly |
C6D000 | stack | page read and write |
AE0000 | heap | page read and write |
A4E000 | stack | page read and write |
2CAF000 | stack | page read and write |
2CED000 | stack | page read and write |
2DED000 | stack | page read and write |
2E30000 | heap | page read and write |
400000 | remote allocation | page execute and read and write |
E8F000 | stack | page read and write |
B3F000 | stack | page read and write |
BC0000 | unknown | page readonly |
BC1000 | unknown | page execute read |
45F000 | remote allocation | page execute and read and write |
CEE000 | heap | page read and write |
A0E000 | stack | page read and write |
570000 | heap | page read and write |
CD2000 | heap | page read and write |
BC1000 | unknown | page execute read |
C45000 | unknown | page read and write |
BEF000 | stack | page read and write |
CEA000 | heap | page read and write |
C90000 | heap | page read and write |
CBD000 | heap | page read and write |
50D000 | stack | page read and write |

47 further memdumps are hidden in the original report and not reproduced here.
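Most of the table is ordinary heap and stack, but three rows stand out: the two "remote allocation" regions at 400000 and 45F000 that are execute, read and write, and the unknown region at C44000 with the same protection. Memory that another process allocated into this one and that is both writable and executable is what injected code needs and what a normally mapped image never has; 0x400000 is also the common linker default image base for 32-bit executables, so a remote RWX allocation there is consistent with a PE being written into the host process. The script below is an added example, not part of the sandbox report, that applies exactly that triage to the region list. The rows are a constructed subset of the table (the three executable regions plus a few ordinary ones), and the reading of 0x400000 as the default PE32 image base is general knowledge, not something the report states.

```python
"""Added example, not part of the sandbox report: triage of the Memdumps table.

The sandbox labels each dumped region with a type (heap, stack, remote
allocation, unknown) and a protection string. Two combinations deserve a look
before anything else: memory that is both writable and executable, which a
legitimately mapped image never needs, and executable memory that another
process allocated into this one ("remote allocation"). The rows below are a
constructed subset of the report's table; treating 0x400000 as the default
32-bit PE image base is general knowledge, not a statement from the report.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    base: int
    kind: str       # sandbox "Region type" column
    protect: str    # sandbox "Protect" column, e.g. "page execute and read and write"


# Constructed subset of the report's Memdumps rows.
REGIONS = [
    Region(0xBEC000, "unknown", "page read and write"),
    Region(0xC44000, "unknown", "page execute and read and write"),
    Region(0xAE5000, "heap", "page read and write"),
    Region(0xEDF000, "stack", "page read and write"),
    Region(0xBE2000, "unknown", "page readonly"),
    Region(0xBEC000, "unknown", "page write copy"),
    Region(0x400000, "remote allocation", "page execute and read and write"),
    Region(0xBC1000, "unknown", "page execute read"),
    Region(0x45F000, "remote allocation", "page execute and read and write"),
    Region(0x50D000, "stack", "page read and write"),
]

DEFAULT_PE32_IMAGE_BASE = 0x400000   # common linker default for 32-bit EXEs (assumption)


def parse_protect(protect: str) -> frozenset[str]:
    """Map the sandbox's English protection string to a set of flags."""
    words = set(re.findall(r"[a-z]+", protect.lower()))
    flags = set()
    if "execute" in words:
        flags.add("execute")
    if words & {"read", "readonly"}:
        flags.add("read")
    if "write" in words:
        flags.add("write")
    if "copy" in words:          # copy-on-write pages are readable too
        flags.update({"read", "copy"})
    return frozenset(flags)


def suspicious_regions(regions):
    """Return [(region, [reasons])] for the regions to dump and scan first."""
    findings = []
    for r in regions:
        flags = parse_protect(r.protect)
        reasons = []
        if {"write", "execute"} <= flags:
            reasons.append("writable and executable")
        if r.kind == "remote allocation" and "execute" in flags:
            reasons.append("executable memory allocated from another process")
        if r.kind == "remote allocation" and r.base == DEFAULT_PE32_IMAGE_BASE:
            reasons.append("sits at the default 32-bit PE image base")
        if reasons:
            findings.append((r, reasons))
    return findings


def protection_changes(regions):
    """Bases that appear under more than one protection string.

    The table lists some bases more than once (different snapshots or
    different processes; the report does not say which). A base that shows up
    with two protections is worth a second look for in-place unpacking
    (write, then re-protect), but it can equally be an image data section
    whose copy-on-write pages were simply touched.
    """
    seen: dict[int, set[str]] = {}
    for r in regions:
        seen.setdefault(r.base, set()).add(r.protect)
    return {base: sorted(p) for base, p in seen.items() if len(p) > 1}


if __name__ == "__main__":
    for region, why in suspicious_regions(REGIONS):
        print(f"{region.base:08X} {region.kind:<18} {region.protect:<32} {'; '.join(why)}")
    print(protection_changes(REGIONS))
```

Against the constructed rows this flags exactly the three executable regions: C44000 for being writable and executable, 45F000 for that plus being a remote allocation, and 400000 for both reasons plus its position at the default image base. The 400000 and 45F000 regions are the ones to carve first when looking for an unpacked payload.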