Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
Ou0ZT4968y.exe
|
PE32 executable (console) Intel 80386, for MS Windows
|
initial sample
|
 |
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Ou0ZT4968y.exe_c69ec5e350e75532f4a4b55ffe3a71c9ab2f95_dac8cab9_132de5cf\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
|
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Ou0ZT4968y.exe_6d94c01abebf2aab25e322aa91a877df2b8acdd6_dac8cab9_0497fefa\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
|
|
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBFE.tmp.dmp
|
Mini DuMP crash report, 14 streams, Thu Nov 24 18:54:14 2022, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCD28.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCDC5.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
\Device\ConDrv
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDFF8.tmp.dmp
|
Mini DuMP crash report, 14 streams, Fri Nov 25 03:47:14 2022, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE1AF.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE24C.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Users\user\Desktop\Ou0ZT4968y.exe
|
C:\Users\user\Desktop\Ou0ZT4968y.exe
|
|
|
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 192
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 144
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
|
unknown
|
||
|
https://gcc.gnu.org/bugs/):
|
unknown
|
||
|
https://sectigo.com/CPS0
|
unknown
|
||
|
https://studio.youtube.comSAPISIDHASH
|
unknown
|
||
|
https://studio.youtube.comX-Originapplication/jsonContent-TypesessionTokenctx
|
unknown
|
||
|
http://ocsp.sectigo.com0
|
unknown
|
||
|
https://studio.youtube.com
|
unknown
|
||
|
https://studio.youtube.com/reauth
|
unknown
|
||
|
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
|
unknown
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
|
AmiHivePermissionsCorrect
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
|
AmiHiveOwnerCorrect
|
||
|
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8
|
ProgramId
|
||
|
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8
|
FileId
|
||
|
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8
|
LowerCaseLongPath
|
||
|
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8
|
LongPathHash
|
||
|
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8
|
Name
|
||
|
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8
|
Publisher
|
||
|
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8
|
Version
|
||
|
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8
|
BinFileVersion
|
||
|
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8
|
BinaryType
|
||
|
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8
|
ProductName
|
||
|
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8
|
ProductVersion
|
||
|
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8
|
LinkDate
|
||
|
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8
|
BinProductVersion
|
||
|
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8
|
Size
|
||
|
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8
|
Language
|
||
|
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8
|
IsPeFile
|
||
|
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8
|
IsOsComponent
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\Debug
|
ExceptionRecord
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
|
DeviceTicket
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
|
DeviceId
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
|
ApplicationFlags
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Property
|
00184006417502B9
|
||
|
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab
|
ProgramId
|
||
|
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab
|
FileId
|
||
|
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab
|
LowerCaseLongPath
|
||
|
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab
|
LongPathHash
|
||
|
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab
|
Name
|
||
|
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab
|
Publisher
|
||
|
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab
|
Version
|
||
|
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab
|
BinFileVersion
|
||
|
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab
|
BinaryType
|
||
|
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab
|
ProductName
|
||
|
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab
|
ProductVersion
|
||
|
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab
|
LinkDate
|
||
|
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab
|
BinProductVersion
|
||
|
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab
|
Size
|
||
|
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab
|
Language
|
||
|
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab
|
IsPeFile
|
||
|
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab
|
IsOsComponent
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Property
|
00184009DD6AB7DA
|
There are 32 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
1140000
|
trusted library allocation
|
page read and write
|
||
|
8FA96FA000
|
stack
|
page read and write
|
||
|
1250000
|
remote allocation
|
page read and write
|
||
|
CD3000
|
unkown
|
page execute and read and write
|
||
|
1170000
|
heap
|
page read and write
|
||
|
4C5F000
|
remote allocation
|
page read and write
|
||
|
1E8FBA70000
|
heap
|
page read and write
|
||
|
4E9B000
|
trusted library allocation
|
page read and write
|
||
|
1E8FC750000
|
trusted library allocation
|
page read and write
|
||
|
8FA97FE000
|
stack
|
page read and write
|
||
|
163F000
|
direct allocation
|
page execute and read and write
|
||
|
CD3000
|
unkown
|
page execute and read and write
|
||
|
1E8FBB3D000
|
heap
|
page read and write
|
||
|
1300000
|
heap
|
page read and write
|
||
|
23C21902000
|
trusted library allocation
|
page read and write
|
||
|
D80000
|
heap
|
page read and write
|
||
|
1140000
|
trusted library allocation
|
page read and write
|
||
|
1300000
|
heap
|
page read and write
|
||
|
1E8FBB3A000
|
heap
|
page read and write
|
||
|
CD3000
|
unkown
|
page execute and read and write
|
||
|
23C21770000
|
trusted library allocation
|
page read and write
|
||
|
8FA98F9000
|
stack
|
page read and write
|
||
|
A6A000
|
unkown
|
page read and write
|
||
|
1E8FBB5E000
|
heap
|
page read and write
|
||
|
D4F000
|
unkown
|
page read and write
|
||
|
D80000
|
unkown
|
page read and write
|
||
|
4E36000
|
heap
|
page read and write
|
||
|
D4F000
|
unkown
|
page read and write
|
||
|
9B1000
|
unkown
|
page execute read
|
||
|
1663000
|
direct allocation
|
page execute and read and write
|
||
|
4E70000
|
heap
|
page read and write
|
||
|
1E8FBB39000
|
heap
|
page read and write
|
||
|
1E8FC9D0000
|
trusted library allocation
|
page read and write
|
||
|
1400000
|
direct allocation
|
page execute and read and write
|
||
|
1E8FC9A0000
|
trusted library allocation
|
page read and write
|
||
|
23C21D00000
|
heap
|
page read and write
|
||
|
4E30000
|
heap
|
page read and write
|
||
|
4660000
|
trusted library allocation
|
page readonly
|
||
|
23C21915000
|
trusted library allocation
|
page read and write
|
||
|
4E1E000
|
stack
|
page read and write
|
||
|
1E8FBB3C000
|
heap
|
page read and write
|
||
|
4EAA000
|
trusted library allocation
|
page read and write
|
||
|
1E8FBAF0000
|
heap
|
page read and write
|
||
|
A51000
|
unkown
|
page readonly
|
||
|
1E8FC9B0000
|
heap
|
page readonly
|
||
|
D80000
|
unkown
|
page read and write
|
||
|
D56000
|
unkown
|
page readonly
|
||
|
9B0000
|
unkown
|
page readonly
|
||
|
10FD000
|
stack
|
page read and write
|
||
|
A6A000
|
unkown
|
page read and write
|
||
|
1300000
|
heap
|
page read and write
|
||
|
23C217D0000
|
heap
|
page read and write
|
||
|
23C21800000
|
unkown
|
page read and write
|
||
|
23C21828000
|
heap
|
page read and write
|
||
|
4EC0000
|
trusted library allocation
|
page read and write
|
||
|
A6A000
|
unkown
|
page read and write
|
||
|
1E8FBAA0000
|
heap
|
page read and write
|
||
|
4DDE000
|
stack
|
page read and write
|
||
|
8FA9779000
|
stack
|
page read and write
|
||
|
D54000
|
unkown
|
page readonly
|
||
|
9BB000
|
unkown
|
page execute read
|
||
|
D54000
|
unkown
|
page readonly
|
||
|
23C21802000
|
unkown
|
page read and write
|
||
|
1E8FBBF0000
|
trusted library allocation
|
page read and write
|
||
|
1140000
|
trusted library allocation
|
page read and write
|
||
|
9B0000
|
unkown
|
page readonly
|
||
|
9BB000
|
unkown
|
page execute read
|
||
|
23C21D13000
|
heap
|
page read and write
|
||
|
1E8FC760000
|
trusted library allocation
|
page read and write
|
||
|
23C21D02000
|
heap
|
page read and write
|
||
|
4EAA000
|
trusted library allocation
|
page read and write
|
||
|
4FD8000
|
heap
|
page read and write
|
||
|
4E81000
|
trusted library allocation
|
page read and write
|
||
|
46CD000
|
stack
|
page read and write
|
||
|
9B1000
|
unkown
|
page execute read
|
||
|
4650000
|
heap
|
page read and write
|
||
|
A4A000
|
unkown
|
page execute read
|
||
|
54CF000
|
stack
|
page read and write
|
||
|
9BB000
|
unkown
|
page execute read
|
||
|
4E40000
|
trusted library allocation
|
page read and write
|
||
|
10FD000
|
stack
|
page read and write
|
||
|
9BF000
|
unkown
|
page execute read
|
||
|
9EF73F9000
|
stack
|
page read and write
|
||
|
9EF6FFE000
|
stack
|
page read and write
|
||
|
1E8FBB3C000
|
heap
|
page read and write
|
||
|
4E81000
|
trusted library allocation
|
page read and write
|
||
|
23C2183C000
|
heap
|
page read and write
|
||
|
A51000
|
unkown
|
page readonly
|
||
|
23C21923000
|
heap
|
page read and write
|
||
|
9B0000
|
unkown
|
page readonly
|
||
|
4E20000
|
trusted library allocation
|
page read and write
|
||
|
23C2184C000
|
heap
|
page read and write
|
||
|
4E39000
|
heap
|
page read and write
|
||
|
9BF000
|
unkown
|
page execute read
|
||
|
1E8FC9C0000
|
trusted library allocation
|
page read and write
|
||
|
52CF000
|
stack
|
page read and write
|
||
|
23C21813000
|
unkown
|
page read and write
|
||
|
1E8FBB5A000
|
heap
|
page read and write
|
||
|
A4A000
|
unkown
|
page execute read
|
||
|
4E9B000
|
trusted library allocation
|
page read and write
|
||
|
A51000
|
unkown
|
page readonly
|
||
|
1E8FBA50000
|
heap
|
page read and write
|
||
|
1E8FBB35000
|
heap
|
page read and write
|
||
|
130A000
|
heap
|
page read and write
|
||
|
8FA934C000
|
stack
|
page read and write
|
||
|
D54000
|
unkown
|
page readonly
|
||
|
A4A000
|
unkown
|
page execute read
|
||
|
1E8FB910000
|
heap
|
page read and write
|
||
|
1E8FBAA5000
|
heap
|
page read and write
|
||
|
130A000
|
heap
|
page read and write
|
||
|
10FD000
|
stack
|
page read and write
|
||
|
1E8FCA20000
|
trusted library allocation
|
page read and write
|
||
|
DEC000
|
stack
|
page read and write
|
||
|
D56000
|
unkown
|
page readonly
|
||
|
4FD0000
|
heap
|
page read and write
|
||
|
1E8FC6E0000
|
trusted library allocation
|
page read and write
|
||
|
D4F000
|
unkown
|
page read and write
|
||
|
1E8FB920000
|
trusted library allocation
|
page read and write
|
||
|
4C5D000
|
remote allocation
|
page read and write
|
||
|
A6A000
|
unkown
|
page write copy
|
||
|
1E8FBAA9000
|
heap
|
page read and write
|
||
|
DEC000
|
stack
|
page read and write
|
||
|
9B1000
|
unkown
|
page execute read
|
||
|
1170000
|
heap
|
page read and write
|
||
|
23C21900000
|
trusted library allocation
|
page read and write
|
||
|
23C2180D000
|
unkown
|
page read and write
|
||
|
9B1000
|
unkown
|
page execute read
|
||
|
1250000
|
remote allocation
|
page read and write
|
||
|
4E94000
|
trusted library allocation
|
page read and write
|
||
|
9B0000
|
unkown
|
page readonly
|
||
|
23C2184B000
|
heap
|
page read and write
|
||
|
4EBF000
|
trusted library allocation
|
page read and write
|
||
|
9BF000
|
unkown
|
page execute read
|
||
|
23C21C13000
|
heap
|
page read and write
|
||
|
9EF6E7D000
|
stack
|
page read and write
|
||
|
D54000
|
unkown
|
page readonly
|
||
|
4E3C000
|
heap
|
page read and write
|
||
|
165F000
|
direct allocation
|
page execute and read and write
|
||
|
DEC000
|
stack
|
page read and write
|
||
|
130A000
|
heap
|
page read and write
|
||
|
D4F000
|
unkown
|
page write copy
|
||
|
1E8FBAF8000
|
heap
|
page read and write
|
||
|
A51000
|
unkown
|
page readonly
|
||
|
9BF000
|
unkown
|
page execute read
|
||
|
4C3C000
|
remote allocation
|
page read and write
|
||
|
4E86000
|
trusted library allocation
|
page read and write
|
||
|
23C21760000
|
heap
|
page read and write
|
||
|
9BB000
|
unkown
|
page execute read
|
||
|
D56000
|
unkown
|
page readonly
|
||
|
4E80000
|
trusted library allocation
|
page read and write
|
||
|
23C21C02000
|
heap
|
page read and write
|
||
|
A4A000
|
unkown
|
page execute read
|
||
|
D56000
|
unkown
|
page readonly
|
||
|
1170000
|
heap
|
page read and write
|
||
|
1E8FBB36000
|
heap
|
page read and write
|
||
|
47C9000
|
stack
|
page read and write
|
||
|
1E8FC6F0000
|
trusted library allocation
|
page read and write
|
There are 147 hidden memdumps, click here to show them.