Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
oKum4jX2X3.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
initial sample
|
 |
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_oKum4jX2X3.exe_191381801ad4fe6c122dc2498611b5a1e350bf_541013f9_3e2afe93-3dea-4a7d-b83e-fba8f47422bc\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_oKum4jX2X3.exe_191381801ad4fe6c122dc2498611b5a1e350bf_541013f9_50e3793f-7b05-4aef-b8e3-c50a8638cc72\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
modified
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_oKum4jX2X3.exe_191381801ad4fe6c122dc2498611b5a1e350bf_541013f9_58252755-2107-4ef2-8b28-818a4354bc0f\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_oKum4jX2X3.exe_191381801ad4fe6c122dc2498611b5a1e350bf_541013f9_66322eca-4aa1-42f3-bd27-477ae8c76dce\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_oKum4jX2X3.exe_191381801ad4fe6c122dc2498611b5a1e350bf_541013f9_6cf73236-e2a5-43c4-b561-d6e5c895944f\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_oKum4jX2X3.exe_191381801ad4fe6c122dc2498611b5a1e350bf_541013f9_9b566d27-e685-4b71-9840-c4da2456b45b\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_oKum4jX2X3.exe_933cbb2eb05ebec475c6d397c4327c136623696_541013f9_925ab90e-7cec-4efe-a26e-8e7c76e3dbc9\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C79.tmp.dmp
|
Mini DuMP crash report, 14 streams, Thu Mar 28 18:58:56 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2D65.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2D95.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F87.tmp.dmp
|
Mini DuMP crash report, 14 streams, Thu Mar 28 18:58:57 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3082.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER30C1.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3236.tmp.dmp
|
Mini DuMP crash report, 14 streams, Thu Mar 28 18:58:58 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER32A4.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER32C5.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3488.tmp.dmp
|
Mini DuMP crash report, 14 streams, Thu Mar 28 18:58:58 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3515.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3536.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3989.tmp.dmp
|
Mini DuMP crash report, 14 streams, Thu Mar 28 18:58:59 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER39E8.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A27.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3BCB.tmp.dmp
|
Mini DuMP crash report, 14 streams, Thu Mar 28 18:59:00 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3C88.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3CA8.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER60C8.tmp.dmp
|
Mini DuMP crash report, 14 streams, Thu Mar 28 18:59:10 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6240.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER627F.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\dotnet-runtime-8.0.1-win-x86[1].exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\dotnet-runtime-8.0.1-win-x86.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Windows\appcompat\Programs\Amcache.hve
|
MS Windows registry file, NT/2000 or above
|
dropped
|
There are 22 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Users\user\Desktop\oKum4jX2X3.exe
|
"C:\Users\user\Desktop\oKum4jX2X3.exe"
|
|
|
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 7356 -s 724
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 7356 -s 732
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 7356 -s 764
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 7356 -s 772
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 7356 -s 980
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 7356 -s 1012
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 7356 -s 1304
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://upx.sf.net
|
unknown
|
||
|
http://appsyndication.org/2006/appsynapplicationc:
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
185.172.128.90
|
unknown
|
Russian Federation
|
|
|
|
5.42.64.3
|
unknown
|
Russian Federation
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
\REGISTRY\A\{91c2d7c2-020f-a359-8f9a-b300228e2cf9}\Root\InventoryApplicationFile\okum4jx2x3.exe|ae7e3479acd668a4
|
ProgramId
|
||
|
\REGISTRY\A\{91c2d7c2-020f-a359-8f9a-b300228e2cf9}\Root\InventoryApplicationFile\okum4jx2x3.exe|ae7e3479acd668a4
|
FileId
|
||
|
\REGISTRY\A\{91c2d7c2-020f-a359-8f9a-b300228e2cf9}\Root\InventoryApplicationFile\okum4jx2x3.exe|ae7e3479acd668a4
|
LowerCaseLongPath
|
||
|
\REGISTRY\A\{91c2d7c2-020f-a359-8f9a-b300228e2cf9}\Root\InventoryApplicationFile\okum4jx2x3.exe|ae7e3479acd668a4
|
LongPathHash
|
||
|
\REGISTRY\A\{91c2d7c2-020f-a359-8f9a-b300228e2cf9}\Root\InventoryApplicationFile\okum4jx2x3.exe|ae7e3479acd668a4
|
Name
|
||
|
\REGISTRY\A\{91c2d7c2-020f-a359-8f9a-b300228e2cf9}\Root\InventoryApplicationFile\okum4jx2x3.exe|ae7e3479acd668a4
|
OriginalFileName
|
||
|
\REGISTRY\A\{91c2d7c2-020f-a359-8f9a-b300228e2cf9}\Root\InventoryApplicationFile\okum4jx2x3.exe|ae7e3479acd668a4
|
Publisher
|
||
|
\REGISTRY\A\{91c2d7c2-020f-a359-8f9a-b300228e2cf9}\Root\InventoryApplicationFile\okum4jx2x3.exe|ae7e3479acd668a4
|
Version
|
||
|
\REGISTRY\A\{91c2d7c2-020f-a359-8f9a-b300228e2cf9}\Root\InventoryApplicationFile\okum4jx2x3.exe|ae7e3479acd668a4
|
BinFileVersion
|
||
|
\REGISTRY\A\{91c2d7c2-020f-a359-8f9a-b300228e2cf9}\Root\InventoryApplicationFile\okum4jx2x3.exe|ae7e3479acd668a4
|
BinaryType
|
||
|
\REGISTRY\A\{91c2d7c2-020f-a359-8f9a-b300228e2cf9}\Root\InventoryApplicationFile\okum4jx2x3.exe|ae7e3479acd668a4
|
ProductName
|
||
|
\REGISTRY\A\{91c2d7c2-020f-a359-8f9a-b300228e2cf9}\Root\InventoryApplicationFile\okum4jx2x3.exe|ae7e3479acd668a4
|
ProductVersion
|
||
|
\REGISTRY\A\{91c2d7c2-020f-a359-8f9a-b300228e2cf9}\Root\InventoryApplicationFile\okum4jx2x3.exe|ae7e3479acd668a4
|
LinkDate
|
||
|
\REGISTRY\A\{91c2d7c2-020f-a359-8f9a-b300228e2cf9}\Root\InventoryApplicationFile\okum4jx2x3.exe|ae7e3479acd668a4
|
BinProductVersion
|
||
|
\REGISTRY\A\{91c2d7c2-020f-a359-8f9a-b300228e2cf9}\Root\InventoryApplicationFile\okum4jx2x3.exe|ae7e3479acd668a4
|
AppxPackageFullName
|
||
|
\REGISTRY\A\{91c2d7c2-020f-a359-8f9a-b300228e2cf9}\Root\InventoryApplicationFile\okum4jx2x3.exe|ae7e3479acd668a4
|
AppxPackageRelativeId
|
||
|
\REGISTRY\A\{91c2d7c2-020f-a359-8f9a-b300228e2cf9}\Root\InventoryApplicationFile\okum4jx2x3.exe|ae7e3479acd668a4
|
Size
|
||
|
\REGISTRY\A\{91c2d7c2-020f-a359-8f9a-b300228e2cf9}\Root\InventoryApplicationFile\okum4jx2x3.exe|ae7e3479acd668a4
|
Language
|
||
|
\REGISTRY\A\{91c2d7c2-020f-a359-8f9a-b300228e2cf9}\Root\InventoryApplicationFile\okum4jx2x3.exe|ae7e3479acd668a4
|
Usn
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
|
DeviceTicket
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
|
DeviceId
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
|
ApplicationFlags
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property
|
0018400CF081ADAB
|
There are 13 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
2790000
|
direct allocation
|
page read and write
|
|
|
|
3856000
|
heap
|
page read and write
|
||
|
38A7000
|
heap
|
page read and write
|
||
|
3AF9000
|
heap
|
page read and write
|
||
|
3992000
|
heap
|
page read and write
|
||
|
385F000
|
heap
|
page read and write
|
||
|
3634000
|
heap
|
page read and write
|
||
|
400000
|
unkown
|
page readonly
|
||
|
3896000
|
heap
|
page read and write
|
||
|
401000
|
unkown
|
page execute read
|
||
|
3793000
|
heap
|
page read and write
|
||
|
363D000
|
heap
|
page read and write
|
||
|
3637000
|
heap
|
page read and write
|
||
|
36CE000
|
heap
|
page read and write
|
||
|
39D6000
|
heap
|
page read and write
|
||
|
383A000
|
heap
|
page read and write
|
||
|
3637000
|
heap
|
page read and write
|
||
|
3632000
|
heap
|
page read and write
|
||
|
3820000
|
heap
|
page read and write
|
||
|
363B000
|
heap
|
page read and write
|
||
|
3877000
|
heap
|
page read and write
|
||
|
3634000
|
heap
|
page read and write
|
||
|
3B11000
|
heap
|
page read and write
|
||
|
3850000
|
heap
|
page read and write
|
||
|
376F000
|
heap
|
page read and write
|
||
|
3956000
|
heap
|
page read and write
|
||
|
383F000
|
heap
|
page read and write
|
||
|
381C000
|
heap
|
page read and write
|
||
|
37A1000
|
heap
|
page read and write
|
||
|
3632000
|
heap
|
page read and write
|
||
|
37E0000
|
heap
|
page read and write
|
||
|
37C2000
|
heap
|
page read and write
|
||
|
36EA000
|
heap
|
page read and write
|
||
|
363C000
|
heap
|
page read and write
|
||
|
3922000
|
heap
|
page read and write
|
||
|
3B5C000
|
heap
|
page read and write
|
||
|
419000
|
unkown
|
page write copy
|
||
|
3315000
|
heap
|
page read and write
|
||
|
38F0000
|
heap
|
page read and write
|
||
|
3721000
|
heap
|
page read and write
|
||
|
3ACC000
|
heap
|
page read and write
|
||
|
363D000
|
heap
|
page read and write
|
||
|
3639000
|
heap
|
page read and write
|
||
|
36E3000
|
heap
|
page read and write
|
||
|
38DB000
|
heap
|
page read and write
|
||
|
3637000
|
heap
|
page read and write
|
||
|
3A41000
|
heap
|
page read and write
|
||
|
363A000
|
heap
|
page read and write
|
||
|
3633000
|
heap
|
page read and write
|
||
|
3BB5000
|
heap
|
page read and write
|
||
|
3315000
|
heap
|
page read and write
|
||
|
363D000
|
heap
|
page read and write
|
||
|
3709000
|
heap
|
page read and write
|
||
|
3786000
|
heap
|
page read and write
|
||
|
3631000
|
heap
|
page read and write
|
||
|
376F000
|
heap
|
page read and write
|
||
|
38A6000
|
heap
|
page read and write
|
||
|
3634000
|
heap
|
page read and write
|
||
|
3315000
|
heap
|
page read and write
|
||
|
3638000
|
heap
|
page read and write
|
||
|
41E000
|
unkown
|
page write copy
|
||
|
38F3000
|
heap
|
page read and write
|
||
|
3631000
|
heap
|
page read and write
|
||
|
3728000
|
heap
|
page read and write
|
||
|
3807000
|
heap
|
page read and write
|
||
|
410000
|
unkown
|
page readonly
|
||
|
AF2000
|
unkown
|
page readonly
|
||
|
3633000
|
heap
|
page read and write
|
||
|
3B83000
|
heap
|
page read and write
|
||
|
3637000
|
heap
|
page read and write
|
||
|
3639000
|
heap
|
page read and write
|
||
|
37A9000
|
heap
|
page read and write
|
||
|
38DA000
|
heap
|
page read and write
|
||
|
37DA000
|
heap
|
page read and write
|
||
|
38C4000
|
heap
|
page read and write
|
||
|
363A000
|
heap
|
page read and write
|
||
|
363F000
|
heap
|
page read and write
|
||
|
3637000
|
heap
|
page read and write
|
||
|
3A8D000
|
heap
|
page read and write
|
||
|
374D000
|
heap
|
page read and write
|
||
|
37EA000
|
heap
|
page read and write
|
||
|
3636000
|
heap
|
page read and write
|
||
|
3887000
|
heap
|
page read and write
|
||
|
38DB000
|
heap
|
page read and write
|
||
|
375C000
|
heap
|
page read and write
|
||
|
3631000
|
heap
|
page read and write
|
||
|
3A02000
|
heap
|
page read and write
|
||
|
363A000
|
heap
|
page read and write
|
||
|
3431000
|
heap
|
page read and write
|
There are 79 hidden memdumps, click here to show them.