Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

setup.exe

PE32 executable (console) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (console) Intel 80386, for MS Windows
Entropy:	7.647344150799475
Filename:	setup.exe
Filesize:	514560
MD5:	b0cfe4185035fc751ed0a62b1a95af98
SHA1:	dc90ec29c5da5414702e9163ae0133d207608960
SHA256:	ef5d295050a33cb9c2bd069a90855c74df58d0f7f6238885b48a6422eb6da137
SHA512:	22d2dda36d5a7a1d29560db389b4811481c6ee39158903e5debc2a95a641929317a3d487cf138bc7e06c55dd05fdd92687159e81ed5fa5d9d18b5660e5c39c24
SSDEEP:	12288:R9Z5uG0VGH6CNq93+xYg1dSjBYSuBbT+g6:vlOGaCT7ZBBbq
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........x...+...+...+z.....+z.....+z.....+k\....+k\....+z.....+...+(..+k\....+Z_....+Z_....+Z_....+Rich...+........PE..L..

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection	Windows Management Instrumentation
Multi AV Scanner detection for submitted file	AV Detection
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Contains functionality to inject code into remote processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
One or more processes crash	System Summary
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Contains functionality to modify the execution of threads in other processes
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_setup.exe_unknow_d795e61bb36a5b66a28bc5ab663876d6c3a884d6_99ceb0df_d18f51e4-4d2a-4fde-9e32-dff53f2c61f8\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_setup.exe_unknow_d795e61bb36a5b66a28bc5ab663876d6c3a884d6_99ceb0df_d18f51e4-4d2a-4fde-9e32-dff53f2c61f8\Report.wer
Category:	dropped
Dump:	Report.wer.4.dr
ID:	dr_4
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.9142851505283975
Encrypted:	false
Ssdeep:	96:H+FsQgUs1hqRouyDqPQXIDcQJc6rcEbcw3v+HbHg/1AnQECaVDPCoLnNfoU+jF9R:emQgUjO0nvh4jICBwzuiFSZ24IO83
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5570.tmp.dmp

Mini DuMP crash report, 14 streams, Mon Jul 1 22:17:01 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER5570.tmp.dmp
Category:	dropped
Dump:	WER5570.tmp.dmp.4.dr
ID:	dr_1
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Mon Jul 1 22:17:01 2024, 0x1205a4 type
Entropy:	2.016482351138773
Encrypted:	false
Ssdeep:	192:/szefaYiXQvrYX5lMOYs3SadhZ8JPlWvyBOUXf+1hcpz4ZG:/TbfvriDL3SafGPlWwOUX21hcgG
Size:	45772
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER564C.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER564C.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER564C.tmp.WERInternalMetadata.xml.4.dr
ID:	dr_2
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.6976837904810864
Encrypted:	false
Ssdeep:	192:R6l7wVeJ9a6qg6Y9JSU9zfgmf2JJD/Ppr+89bfdsfa1m:R6lXJA6d6YDSU9zfgmf2JJD/VfWfx
Size:	8358
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER566C.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER566C.tmp.xml
Category:	dropped
Dump:	WER566C.tmp.xml.4.dr
ID:	dr_3
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.491751117395461
Encrypted:	false
Ssdeep:	48:cvIwWl8zsQJg77aI9pi+yWpW8VYDYm8M4JSd+wFz+q8R+2qfydd:uIjfWI7Hi67VrJSdViFqfydd
Size:	4634
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Category:	dropped
Dump:	RegAsm.exe.log.2.dr
ID:	dr_0
Target ID:	2
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.33145931749415
Encrypted:	false
Ssdeep:	96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
Size:	3094
Whitelisted:	false
Reputation:	high

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.4.dr
ID:	dr_5
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.465273110827348
Encrypted:	false
Ssdeep:	6144:yIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNHdwBCswSbu:3XD94+WlLZMM6YFH1+u
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\setup.exe

"C:\Users\user\Desktop\setup.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5284
Target ID:	0
Parent PID:	2580
Name:	setup.exe
Path:	C:\Users\user\Desktop\setup.exe
Commandline:	"C:\Users\user\Desktop\setup.exe"
Size:	514560
MD5:	B0CFE4185035FC751ED0A62B1A95AF98
Time:	18:16:58
Date:	01/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x650000
Modulesize:	524288
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	3704
Target ID:	2
Parent PID:	5284
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	18:16:59
Date:	01/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x690000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	5868
Target ID:	1
Parent PID:	5284
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	18:16:58
Date:	01/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5284 -s 156

Details

Is windows:	true
Is dropped:	false
PID:	7040
Target ID:	4
Parent PID:	5284
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5284 -s 156
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	18:17:01
Date:	01/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xce0000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

77.105.135.107:3445

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/sct

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk

unknown

https://duckduckgo.com/ac/?q=

unknown

http://tempuri.org/Entity/Id14ResponseD

unknown

http://tempuri.org/Entity/Id23ResponseD

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary

unknown

http://tempuri.org/Entity/Id12Response

unknown

http://tempuri.org/

unknown

http://tempuri.org/Entity/Id2Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1

unknown

http://tempuri.org/Entity/Id21Response

unknown

http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap

unknown

http://tempuri.org/Entity/Id9

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID

unknown

http://tempuri.org/Entity/Id8

unknown

http://tempuri.org/Entity/Id6ResponseD

unknown

http://tempuri.org/Entity/Id5

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare

unknown

http://tempuri.org/Entity/Id4

unknown

http://tempuri.org/Entity/Id7

unknown

http://tempuri.org/Entity/Id6

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret

unknown

http://tempuri.org/Entity/Id19Response

unknown

http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence

unknown

http://tempuri.org/Entity/Id13ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/fault

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey

unknown

http://tempuri.org/Entity/Id15Response

unknown

http://tempuri.org/Entity/Id5ResponseD

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register

unknown

http://tempuri.org/Entity/Id6Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey

unknown

https://api.ip.sb/ip

unknown

http://schemas.xmlsoap.org/ws/2004/04/sc

unknown

http://tempuri.org/Entity/Id1ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel

unknown

http://tempuri.org/Entity/Id9Response

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

http://tempuri.org/Entity/Id20

unknown

http://tempuri.org/Entity/Id21

unknown

http://tempuri.org/Entity/Id22

unknown

http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1

unknown

http://tempuri.org/Entity/Id23

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1

unknown

http://tempuri.org/Entity/Id24

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue

unknown

http://tempuri.org/Entity/Id24Response

unknown

https://www.ecosia.org/newtab/

unknown

http://tempuri.org/Entity/Id1Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey

unknown

http://tempuri.org/Entity/Id21ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust

unknown

http://tempuri.org/Entity/Id10

unknown

http://tempuri.org/Entity/Id11

unknown

http://tempuri.org/Entity/Id10ResponseD

unknown

http://tempuri.org/Entity/Id12

unknown

http://tempuri.org/Entity/Id16Response

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel

unknown

http://tempuri.org/Entity/Id13

unknown

http://tempuri.org/Entity/Id14

unknown

http://tempuri.org/Entity/Id15

unknown

http://tempuri.org/Entity/Id16

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce

unknown

http://tempuri.org/Entity/Id17

unknown

http://tempuri.org/Entity/Id18

unknown

http://tempuri.org/Entity/Id5Response

unknown

http://tempuri.org/Entity/Id19

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns

unknown

http://tempuri.org/Entity/Id15ResponseD

unknown

http://tempuri.org/Entity/Id10Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Renew

unknown

http://tempuri.org/Entity/Id11ResponseD

unknown

http://tempuri.org/Entity/Id8Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT

unknown

http://schemas.xmlsoap.org/ws/2006/02/addressingidentity

unknown

http://tempuri.org/Entity/Id17ResponseD

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

http://tempuri.org/Entity/Id8ResponseD

unknown

There are 90 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

77.105.135.107

unknown

Russian Federation

Details

IP:	77.105.135.107
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	42031
ASN name:	PLUSTELECOM-ASRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

\REGISTRY\A\{b6dd40cb-0187-1b8d-2cd1-22aee9f27c2b}\Root\InventoryApplicationFile\setup.exe|22d58cc9f105fd09

ProgramId

\REGISTRY\A\{b6dd40cb-0187-1b8d-2cd1-22aee9f27c2b}\Root\InventoryApplicationFile\setup.exe|22d58cc9f105fd09

FileId

\REGISTRY\A\{b6dd40cb-0187-1b8d-2cd1-22aee9f27c2b}\Root\InventoryApplicationFile\setup.exe|22d58cc9f105fd09

LowerCaseLongPath

\REGISTRY\A\{b6dd40cb-0187-1b8d-2cd1-22aee9f27c2b}\Root\InventoryApplicationFile\setup.exe|22d58cc9f105fd09

LongPathHash

\REGISTRY\A\{b6dd40cb-0187-1b8d-2cd1-22aee9f27c2b}\Root\InventoryApplicationFile\setup.exe|22d58cc9f105fd09

Name

\REGISTRY\A\{b6dd40cb-0187-1b8d-2cd1-22aee9f27c2b}\Root\InventoryApplicationFile\setup.exe|22d58cc9f105fd09

OriginalFileName

\REGISTRY\A\{b6dd40cb-0187-1b8d-2cd1-22aee9f27c2b}\Root\InventoryApplicationFile\setup.exe|22d58cc9f105fd09

Publisher

\REGISTRY\A\{b6dd40cb-0187-1b8d-2cd1-22aee9f27c2b}\Root\InventoryApplicationFile\setup.exe|22d58cc9f105fd09

Version

\REGISTRY\A\{b6dd40cb-0187-1b8d-2cd1-22aee9f27c2b}\Root\InventoryApplicationFile\setup.exe|22d58cc9f105fd09

BinFileVersion

\REGISTRY\A\{b6dd40cb-0187-1b8d-2cd1-22aee9f27c2b}\Root\InventoryApplicationFile\setup.exe|22d58cc9f105fd09

BinaryType

\REGISTRY\A\{b6dd40cb-0187-1b8d-2cd1-22aee9f27c2b}\Root\InventoryApplicationFile\setup.exe|22d58cc9f105fd09

ProductName

\REGISTRY\A\{b6dd40cb-0187-1b8d-2cd1-22aee9f27c2b}\Root\InventoryApplicationFile\setup.exe|22d58cc9f105fd09

ProductVersion

\REGISTRY\A\{b6dd40cb-0187-1b8d-2cd1-22aee9f27c2b}\Root\InventoryApplicationFile\setup.exe|22d58cc9f105fd09

LinkDate

\REGISTRY\A\{b6dd40cb-0187-1b8d-2cd1-22aee9f27c2b}\Root\InventoryApplicationFile\setup.exe|22d58cc9f105fd09

BinProductVersion

\REGISTRY\A\{b6dd40cb-0187-1b8d-2cd1-22aee9f27c2b}\Root\InventoryApplicationFile\setup.exe|22d58cc9f105fd09

AppxPackageFullName

\REGISTRY\A\{b6dd40cb-0187-1b8d-2cd1-22aee9f27c2b}\Root\InventoryApplicationFile\setup.exe|22d58cc9f105fd09

AppxPackageRelativeId

\REGISTRY\A\{b6dd40cb-0187-1b8d-2cd1-22aee9f27c2b}\Root\InventoryApplicationFile\setup.exe|22d58cc9f105fd09

Size

\REGISTRY\A\{b6dd40cb-0187-1b8d-2cd1-22aee9f27c2b}\Root\InventoryApplicationFile\setup.exe|22d58cc9f105fd09

Language

\REGISTRY\A\{b6dd40cb-0187-1b8d-2cd1-22aee9f27c2b}\Root\InventoryApplicationFile\setup.exe|22d58cc9f105fd09

Usn

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Owner

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

SessionHash

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Sequence

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFiles0000

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFilesHash

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData

ClockTimeSeconds

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData

TickCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property

0018800F9679AB7E

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

DeviceTicket

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

DeviceId

There are 19 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

681000

unkown

page read and write

402000

remote allocation

page execute and read and write

2AC1000

trusted library allocation

page read and write

2B55000

trusted library allocation

page read and write

5BE1000

heap

page read and write

733C000

stack

page read and write

2EC7000

trusted library allocation

page read and write

526F000

stack

page read and write

2F3B000

trusted library allocation

page read and write

2791000

trusted library allocation

page read and write

2F99000

trusted library allocation

page read and write

6918000

trusted library allocation

page read and write

2FFE000

trusted library allocation

page read and write

651000

unkown

page execute read

1270000

direct allocation

page execute and read and write

4F42000

trusted library allocation

page read and write

5350000

trusted library allocation

page execute and read and write

B2B000

heap

page read and write

D67000

trusted library allocation

page execute and read and write

709F000

stack

page read and write

D5A000

trusted library allocation

page execute and read and write

7A2E000

stack

page read and write

2E06000

trusted library allocation

page read and write

2EEE000

trusted library allocation

page read and write

27B5000

trusted library allocation

page read and write

5490000

trusted library allocation

page execute and read and write

852E000

stack

page read and write

2ABE000

stack

page read and write

D60000

trusted library allocation

page read and write

2F33000

trusted library allocation

page read and write

6B85000

trusted library allocation

page read and write

6B30000

trusted library allocation

page read and write

D56000

trusted library allocation

page execute and read and write

3ACF000

trusted library allocation

page read and write

6920000

heap

page read and write

2FC1000

trusted library allocation

page read and write

B10000

trusted library allocation

page read and write

2DF1000

trusted library allocation

page read and write

2FFB000

trusted library allocation

page read and write

DC0000

heap

page read and write

5C20000

heap

page read and write

6030000

trusted library allocation

page execute and read and write

D90000

trusted library allocation

page execute and read and write

52E0000

trusted library allocation

page read and write

3AC1000

trusted library allocation

page read and write

5C23000

heap

page read and write

5400000

trusted library allocation

page execute and read and write

D6C000

stack

page read and write

C10000

heap

page read and write

3E01000

trusted library allocation

page read and write

2C30000

heap

page read and write

650000

unkown

page readonly

3AE1000

trusted library allocation

page read and write

4F80000

trusted library allocation

page read and write

5370000

trusted library allocation

page read and write

2EF6000

trusted library allocation

page read and write

AF7000

stack

page read and write

3E43000

trusted library allocation

page read and write

5BBD000

heap

page read and write

2900000

trusted library allocation

page read and write

2FBA000

trusted library allocation

page read and write

2BF3000

trusted library allocation

page read and write

5300000

trusted library allocation

page read and write

679C000

stack

page read and write

3E35000

trusted library allocation

page read and write

6CE000

unkown

page readonly

7C5000

heap

page read and write

6C70000

trusted library allocation

page execute and read and write

6C60000

trusted library allocation

page read and write

27F0000

heap

page read and write

D34000

trusted library allocation

page read and write

52F0000

trusted library allocation

page read and write

52A1000

trusted library allocation

page read and write

5430000

trusted library allocation

page execute and read and write

548E000

stack

page read and write

2EBD000

trusted library allocation

page read and write

53F0000

trusted library allocation

page read and write

6B74000

trusted library allocation

page read and write

6950000

heap

page read and write

3E5C000

trusted library allocation

page read and write

53D0000

trusted library allocation

page execute and read and write

12B5000

heap

page read and write

6BA0000

trusted library allocation

page execute and read and write

5B79000

heap

page read and write

2FED000

trusted library allocation

page read and write

3E26000

trusted library allocation

page read and write

6B5F000

trusted library allocation

page read and write

73A000

stack

page read and write

2F96000

trusted library allocation

page read and write

6B42000

trusted library allocation

page read and write

52B0000

trusted library allocation

page read and write

4F30000

heap

page read and write

3E2B000

trusted library allocation

page read and write

6938000

heap

page read and write

2FAC000

trusted library allocation

page read and write

2ED5000

trusted library allocation

page read and write

D62000

trusted library allocation

page read and write

1280000

heap

page read and write

2FF8000

trusted library allocation

page read and write

EBE000

trusted library allocation

page read and write

7390000

heap

page read and write

5340000

trusted library allocation

page read and write

3DF7000

trusted library allocation

page read and write

529E000

trusted library allocation

page read and write

602C000

stack

page read and write

52DB000

trusted library allocation

page read and write

D3D000

trusted library allocation

page execute and read and write

129D000

heap

page read and write

6CE0000

trusted library allocation

page read and write

2796000

trusted library allocation

page read and write

3012000

trusted library allocation

page read and write

D33000

trusted library allocation

page execute and read and write

67DE000

stack

page read and write

6060000

trusted library allocation

page read and write

2E91000

trusted library allocation

page read and write

6960000

heap

page read and write

52AA000

trusted library allocation

page read and write

5EEE000

stack

page read and write

5B70000

heap

page read and write

6B40000

trusted library allocation

page read and write

6C64000

trusted library allocation

page read and write

2FA1000

trusted library allocation

page read and write

3E61000

trusted library allocation

page read and write

2F46000

trusted library allocation

page read and write

276E000

stack

page read and write

301F000

trusted library allocation

page read and write

2F30000

trusted library allocation

page read and write

6B6A000

trusted library allocation

page read and write

6CCE000

stack

page read and write

6CF0000

trusted library allocation

page read and write

2E03000

trusted library allocation

page read and write

6B80000

trusted library allocation

page read and write

3E39000

trusted library allocation

page read and write

6B65000

trusted library allocation

page read and write

126D000

stack

page read and write

738E000

stack

page read and write

4F93000

heap

page execute and read and write

4F90000

heap

page execute and read and write

7B2E000

stack

page read and write

53C0000

trusted library allocation

page execute and read and write

D4D000

trusted library allocation

page execute and read and write

122E000

stack

page read and write

400000

remote allocation

page execute and read and write

DD0000

heap

page read and write

28FF000

stack

page read and write

6C50000

trusted library allocation

page read and write

3006000

trusted library allocation

page read and write

2F23000

trusted library allocation

page read and write

2E0A000

trusted library allocation

page read and write

B4D000

heap

page read and write

696C000

heap

page read and write

27C0000

trusted library allocation

page read and write

2DF7000

trusted library allocation

page read and write

7340000

trusted library allocation

page read and write

5C5D000

heap

page read and write

6994000

heap

page read and write

6B49000

trusted library allocation

page read and write

7F8B0000

trusted library allocation

page execute and read and write

6946000

heap

page read and write

27A2000

trusted library allocation

page read and write

2DF4000

trusted library allocation

page read and write

5EAF000

stack

page read and write

2F93000

trusted library allocation

page read and write

D6B000

trusted library allocation

page execute and read and write

EB0000

trusted library allocation

page read and write

650000

unkown

page readonly

6C80000

trusted library allocation

page read and write

29B0000

heap

page read and write

6980000

heap

page read and write

2C1E000

stack

page read and write

695A000

heap

page read and write

D52000

trusted library allocation

page read and write

3D42000

trusted library allocation

page read and write

4F00000

heap

page read and write

72E0000

trusted library allocation

page execute and read and write

681000

unkown

page write copy

10FC000

stack

page read and write

5BF2000

heap

page read and write

72DD000

stack

page read and write

E5E000

stack

page read and write

4F6A000

trusted library allocation

page read and write

5BF8000

heap

page read and write

2F2D000

trusted library allocation

page read and write

4F60000

trusted library allocation

page read and write

2EE0000

trusted library allocation

page read and write

E1E000

stack

page read and write

2908000

trusted library allocation

page read and write

52D5000

trusted library allocation

page read and write

5440000

heap

page execute and read and write

2D6C000

trusted library allocation

page read and write

6B58000

trusted library allocation

page read and write

D2E000

stack

page read and write

2770000

trusted library allocation

page read and write

C0B000

heap

page read and write

6CE000

unkown

page readonly

27F3000

heap

page read and write

5DAE000

stack

page read and write

5C38000

heap

page read and write

6B82000

trusted library allocation

page read and write

2DE0000

trusted library allocation

page read and write

3DCF000

trusted library allocation

page read and write

2774000

trusted library allocation

page read and write

5410000

trusted library allocation

page read and write

EC0000

heap

page read and write

279D000

trusted library allocation

page read and write

5C0D000

heap

page read and write

53E0000

trusted library allocation

page read and write

D80000

trusted library allocation

page read and write

5D6E000

stack

page read and write

676000

unkown

page readonly

8930000

heap

page read and write

B69000

heap

page read and write

6CD0000

trusted library allocation

page execute and read and write

701E000

stack

page read and write

2ECD000

trusted library allocation

page read and write

7C0000

heap

page read and write

D40000

trusted library allocation

page read and write

6985000

heap

page read and write

5C43000

heap

page read and write

5281000

trusted library allocation

page read and write

651000

unkown

page execute read

5420000

trusted library allocation

page read and write

2F21000

trusted library allocation

page read and write

278E000

trusted library allocation

page read and write

527B000

trusted library allocation

page read and write

5FEF000

stack

page read and write

7A0000

heap

page read and write

27B0000

trusted library allocation

page read and write

EA0000

trusted library allocation

page read and write

430000

remote allocation

page execute and read and write

DD0000

heap

page read and write

B5B000

heap

page read and write

4BBC000

stack

page read and write

52C1000

trusted library allocation

page read and write

5C07000

heap

page read and write

3E4F000

trusted library allocation

page read and write

6C0D000

stack

page read and write

2F87000

trusted library allocation

page read and write

5360000

trusted library allocation

page read and write

5292000

trusted library allocation

page read and write

4F65000

trusted library allocation

page read and write

6B6F000

trusted library allocation

page read and write

68DC000

stack

page read and write

3E3B000

trusted library allocation

page read and write

2ECA000

trusted library allocation

page read and write

5286000

trusted library allocation

page read and write

D65000

trusted library allocation

page execute and read and write

DD6000

heap

page read and write

435000

remote allocation

page execute and read and write

2D3D000

stack

page read and write

5C3B000

heap

page read and write

3E1B000

trusted library allocation

page read and write

516E000

stack

page read and write

52D0000

trusted library allocation

page read and write

D30000

trusted library allocation

page read and write

5C66000

heap

page read and write

8946000

heap

page read and write

52DE000

trusted library allocation

page read and write

6B70000

trusted library allocation

page read and write

B20000

heap

page read and write

7B0000

heap

page read and write

2DFF000

trusted library allocation

page read and write

4F68000

trusted library allocation

page read and write

DE0000

heap

page read and write

691B000

trusted library allocation

page read and write

27E0000

trusted library allocation

page read and write

6B90000

trusted library allocation

page read and write

71DE000

stack

page read and write

D50000

trusted library allocation

page read and write

2F54000

trusted library allocation

page read and write

70A0000

heap

page read and write

6B45000

trusted library allocation

page read and write

5C03000

heap

page read and write

11E0000

heap

page read and write

DB0000

heap

page execute and read and write

676000

unkown

page readonly

2F5C000

trusted library allocation

page read and write

3D03000

trusted library allocation

page read and write

E9C000

stack

page read and write

444000

remote allocation

page execute and read and write

6C4E000

stack

page read and write

2DD8000

trusted library allocation

page read and write

73DE000

stack

page read and write

DC0000

trusted library allocation

page read and write

6910000

trusted library allocation

page read and write

705E000

stack

page read and write

5270000

trusted library allocation

page read and write

4F50000

trusted library allocation

page execute and read and write

5310000

trusted library allocation

page read and write

6B5A000

trusted library allocation

page read and write

6050000

heap

page read and write

3E0C000

trusted library allocation

page read and write

3BE3000

trusted library allocation

page read and write

2EBB000

trusted library allocation

page read and write

DDB000

heap

page read and write

4F40000

trusted library allocation

page read and write

128B000

heap

page read and write

DA0000

trusted library allocation

page read and write

BCA000

heap

page read and write

277B000

trusted library allocation

page read and write

There are 290 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
setup.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportsetup.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
setup.exe