Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| oMBUxRQ4cj.exe | PE32+ executable (console) x86-64, for MS Windows | initial sample | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_oMBUxRQ4cj.exe_5fd8cc97a3ec791a464adc62fb4cece4561dc271_c6605313_0bdab154-a71e-4fa1-b277-03f59eb49450\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER3693.tmp.dmp | Mini DuMP crash report, 14 streams, Sun Oct 20 19:10:06 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER3740.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER379F.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped | |
| \Device\Null | ASCII text, with CRLF line terminators | dropped | |
Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\oMBUxRQ4cj.exe | "C:\Users\user\Desktop\oMBUxRQ4cj.exe" | |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 | |
| C:\Windows\System32\sc.exe | sc stop HTTPDebuggerPro | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1 | |
| C:\Windows\System32\sc.exe | sc stop HTTPDebuggerProSdk | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 | |
| C:\Windows\System32\sc.exe | sc stop HTTPDebuggerPro | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1 | |
| C:\Windows\System32\sc.exe | sc stop HTTPDebuggerProSdk | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 | |
| C:\Windows\System32\taskkill.exe | taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 | |
| C:\Windows\System32\sc.exe | sc stop HTTPDebuggerPro | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1 | |
| C:\Windows\System32\sc.exe | sc stop HTTPDebuggerProSdk | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 | |
| C:\Windows\System32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 2640 -s 992 | |

(26 additional processes are not shown in this excerpt of the report.)
URLs

| Name | IP | Malicious |
|---|---|---|
| https://keyauth.win/api/1.1/64 | unknown | |
| http://185.101.104.122/esphvciforabronkz.exe | unknown | |
| http://185.101.104.122/esphvcionbronkz.exeC: | unknown | |
| http://upx.sf.net | unknown | |
| https://keyauth.win/api/1.1/um | unknown | |
| http://185.101.104.122/esphvciforabronkz.exeC: | unknown | |
| https://curl.haxx.se/docs/http-cookies.html | unknown | |
| https://curl.haxx.se/docs/http-cookies.html# | unknown | |
| https://keyauth.win/api/1.2/ | unknown | |
| https://keyauth.win/api/1.1/ | 104.26.0.5 | |
| http://185.101.104.122/esphvcionbronkz.exe | unknown | |

(1 additional URL is not shown in this excerpt of the report.)
Domains

| Name | IP | Malicious |
|---|---|---|
| keyauth.win | 104.26.0.5 | |
IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 104.26.0.5 | keyauth.win | United States | |
| 127.0.0.1 | unknown | unknown | |
Registry

| Path | Value | Malicious |
|---|---|---|
| \REGISTRY\A\{7a35e9e7-fa40-e811-45f0-7d62b28e2c35}\Root\InventoryApplicationFile\ombuxrq4cj.exe\|12de883989ea72de | ProgramId | |
| \REGISTRY\A\{7a35e9e7-fa40-e811-45f0-7d62b28e2c35}\Root\InventoryApplicationFile\ombuxrq4cj.exe\|12de883989ea72de | FileId | |
| \REGISTRY\A\{7a35e9e7-fa40-e811-45f0-7d62b28e2c35}\Root\InventoryApplicationFile\ombuxrq4cj.exe\|12de883989ea72de | LowerCaseLongPath | |
| \REGISTRY\A\{7a35e9e7-fa40-e811-45f0-7d62b28e2c35}\Root\InventoryApplicationFile\ombuxrq4cj.exe\|12de883989ea72de | LongPathHash | |
| \REGISTRY\A\{7a35e9e7-fa40-e811-45f0-7d62b28e2c35}\Root\InventoryApplicationFile\ombuxrq4cj.exe\|12de883989ea72de | Name | |
| \REGISTRY\A\{7a35e9e7-fa40-e811-45f0-7d62b28e2c35}\Root\InventoryApplicationFile\ombuxrq4cj.exe\|12de883989ea72de | OriginalFileName | |
| \REGISTRY\A\{7a35e9e7-fa40-e811-45f0-7d62b28e2c35}\Root\InventoryApplicationFile\ombuxrq4cj.exe\|12de883989ea72de | Publisher | |
| \REGISTRY\A\{7a35e9e7-fa40-e811-45f0-7d62b28e2c35}\Root\InventoryApplicationFile\ombuxrq4cj.exe\|12de883989ea72de | Version | |
| \REGISTRY\A\{7a35e9e7-fa40-e811-45f0-7d62b28e2c35}\Root\InventoryApplicationFile\ombuxrq4cj.exe\|12de883989ea72de | BinFileVersion | |
| \REGISTRY\A\{7a35e9e7-fa40-e811-45f0-7d62b28e2c35}\Root\InventoryApplicationFile\ombuxrq4cj.exe\|12de883989ea72de | BinaryType | |
| \REGISTRY\A\{7a35e9e7-fa40-e811-45f0-7d62b28e2c35}\Root\InventoryApplicationFile\ombuxrq4cj.exe\|12de883989ea72de | ProductName | |
| \REGISTRY\A\{7a35e9e7-fa40-e811-45f0-7d62b28e2c35}\Root\InventoryApplicationFile\ombuxrq4cj.exe\|12de883989ea72de | ProductVersion | |
| \REGISTRY\A\{7a35e9e7-fa40-e811-45f0-7d62b28e2c35}\Root\InventoryApplicationFile\ombuxrq4cj.exe\|12de883989ea72de | LinkDate | |
| \REGISTRY\A\{7a35e9e7-fa40-e811-45f0-7d62b28e2c35}\Root\InventoryApplicationFile\ombuxrq4cj.exe\|12de883989ea72de | BinProductVersion | |
| \REGISTRY\A\{7a35e9e7-fa40-e811-45f0-7d62b28e2c35}\Root\InventoryApplicationFile\ombuxrq4cj.exe\|12de883989ea72de | AppxPackageFullName | |
| \REGISTRY\A\{7a35e9e7-fa40-e811-45f0-7d62b28e2c35}\Root\InventoryApplicationFile\ombuxrq4cj.exe\|12de883989ea72de | AppxPackageRelativeId | |
| \REGISTRY\A\{7a35e9e7-fa40-e811-45f0-7d62b28e2c35}\Root\InventoryApplicationFile\ombuxrq4cj.exe\|12de883989ea72de | Size | |
| \REGISTRY\A\{7a35e9e7-fa40-e811-45f0-7d62b28e2c35}\Root\InventoryApplicationFile\ombuxrq4cj.exe\|12de883989ea72de | Language | |
| \REGISTRY\A\{7a35e9e7-fa40-e811-45f0-7d62b28e2c35}\Root\InventoryApplicationFile\ombuxrq4cj.exe\|12de883989ea72de | Usn | |

(9 additional registry entries are not shown in this excerpt of the report.)
Memdumps

| Base Address | Region type | Protect | Malicious |
|---|---|---|---|
| 1B19CDC0000 | heap | page read and write | |
| 239EB320000 | heap | page read and write | |
| 81A347E000 | stack | page read and write | |
| 23C09FB8000 | heap | page read and write | |
| 23C0A2B5000 | heap | page read and write | |
| 2CEA6400000 | heap | page read and write | |
| 23C09F00000 | heap | page read and write | |
| 38910FF000 | stack | page read and write | |
| 2CEA6270000 | heap | page read and write | |
| 23C0A2B0000 | heap | page read and write | |
| 7FF7E5A58000 | unknown | page read and write | |
| 239EB2FA000 | heap | page read and write | |
| 239EB2E9000 | heap | page read and write | |
| 7FF7E59E0000 | unknown | page readonly | |
| 239EB2F5000 | heap | page read and write | |
| 7FF7E5A58000 | unknown | page write copy | |
| 239EB2DE000 | heap | page read and write | |
| 239EB320000 | heap | page read and write | |
| 8F5A2EC000 | stack | page read and write | |
| 7EDC99B000 | stack | page read and write | |
| 239EB2F9000 | heap | page read and write | |
| 239EB250000 | remote allocation | page read and write | |
| 2CEA6370000 | heap | page read and write | |
| 7FF7E59E1000 | unknown | page execute read | |
| 81A337E000 | stack | page read and write | |
| 1CC43AF0000 | heap | page read and write | |
| 239EB318000 | heap | page read and write | |
| F1E867F000 | stack | page read and write | |
| 7FF7E59E0000 | unknown | page readonly | |
| 239EB230000 | heap | page read and write | |
| 239EB250000 | remote allocation | page read and write | |
| 239EE920000 | trusted library allocation | page read and write | |
| 1CC43927000 | heap | page read and write | |
| 47E9B7D000 | stack | page read and write | |
| 275419C0000 | heap | page read and write | |
| 239EB2F0000 | heap | page read and write | |
| 239EB2CD000 | heap | page read and write | |
| 2CEA6278000 | heap | page read and write | |
| 1B19CE60000 | heap | page read and write | |
| 7FF7E5A59000 | unknown | page readonly | |
| 239EB29C000 | heap | page read and write | |
| 239EB265000 | heap | page read and write | |
| 239EB2F0000 | heap | page read and write | |
| BFE149D000 | stack | page read and write | |
| 3890CCD000 | stack | page read and write | |
| 239EB200000 | heap | page read and write | |
| 27541D80000 | heap | page read and write | |
| 239EB2F9000 | heap | page read and write | |
| 275419A0000 | heap | page read and write | |
| 1CC43920000 | heap | page read and write | |
| 23C09FB0000 | heap | page read and write | |
| 239EB1F0000 | heap | page read and write | |
| 239EB2C8000 | heap | page read and write | |
| 7EDCCFE000 | stack | page read and write | |
| 2CEA6250000 | heap | page read and write | |
| 8F5A6FE000 | stack | page read and write | |
| 47E9F7E000 | stack | page read and write | |
| 81A33FE000 | unknown | page readonly | |
| 7EDCFFE000 | stack | page read and write | |
| 239EE380000 | heap | page read and write | |
| 239EB26B000 | heap | page read and write | |
| 1B19CE65000 | heap | page read and write | |
| 2CEA6170000 | heap | page read and write | |
| 27541D85000 | heap | page read and write | |
| F1E834D000 | stack | page read and write | |
| 1CC43BD0000 | heap | page read and write | |
| 27541A30000 | heap | page read and write | |
| F1E877E000 | stack | page read and write | |
| 7EDCDFE000 | stack | page read and write | |
| 239EB2F5000 | heap | page read and write | |
| 239EB250000 | remote allocation | page read and write | |
| 1B19CBE0000 | heap | page read and write | |
| 27541990000 | heap | page read and write | |
| 1E6D5830000 | heap | page read and write | |
| 239EB2F5000 | heap | page read and write | |
| 7EDCEFE000 | stack | page read and write | |
| 239EE480000 | heap | page read and write | |
| 239ECC00000 | heap | page read and write | |
| BFE159F000 | stack | page read and write | |
| 239EB260000 | heap | page read and write | |
| 7FF7E5A41000 | unknown | page readonly | |
| 1E6D5810000 | heap | page read and write | |
| 239EE383000 | heap | page read and write | |
| 81A327D000 | stack | page read and write | |
| 1B19CBF0000 | heap | page read and write | |
| 1B19CDE0000 | heap | page read and write | |
| 1CC43B10000 | heap | page read and write | |
| 1E6D5B50000 | heap | page read and write | |
| 47E9E7E000 | stack | page read and write | |
| 2CEA6405000 | heap | page read and write | |
| 23C09EF0000 | heap | page read and write | |
| 239EB320000 | heap | page read and write | |
| 239EB2F9000 | heap | page read and write | |
| 23C09F20000 | heap | page read and write | |
| 7EDD0FE000 | stack | page read and write | |
| 1E6D5B55000 | heap | page read and write | |
| 1E6D5730000 | heap | page read and write | |
| 239EB303000 | heap | page read and write | |
| 3890DCF000 | stack | page read and write | |
| 7FF7E5A41000 | unknown | page readonly | |
| 7FF7E5A59000 | unknown | page readonly | |
| 1B19CBF8000 | heap | page read and write | |
| 1CC43BD5000 | heap | page read and write | |
| 1E6D5908000 | heap | page read and write | |
| 239EB290000 | heap | page read and write | |
| 8F5A3EE000 | stack | page read and write | |
| 1CC43900000 | heap | page read and write | |
| 27541A39000 | heap | page read and write | |
| BFE18FE000 | stack | page read and write | |
| 7FF7E59E1000 | unknown | page execute read | |
| 1E6D5900000 | heap | page read and write | |

(101 additional memory dumps are not shown in this excerpt of the report.)