Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.299279831448098
Filename:	file.exe
Filesize:	957440
MD5:	5d505724b7a084217d7db6b2710d8613
SHA1:	f444284be57973aa0d2fa22cdea4e3a639bdb6c4
SHA256:	c4024302b2f74461f6aecd5ca2f2889fa8ed48a420cb2176ae782368e2c5c6eb
SHA512:	bcc79a8856aa5aee6349d602d75c2c1c615a12502d1256b044572b69bb3ac3bb9632a4b61956d41c7186a3d97dcf376968983bd16b417a8dcd89ecc4aeef42d0
SSDEEP:	24576:fl5DVdQCg30luJ6ku5xTXKALkQHZqG2X3XY2QXVROMRm6R:tMEYJ6ku5d8kZqRX3o3XV0MRm6R
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........~...-...-...-\..,...-\..,&..-\..,...-Mb.,...-Mb.,...-\..,...-...-...-Mb.,...-\|a.,...-\|a.,...-\|a.-...-\|a.,...-Rich...-.......

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Contains functionality to inject code into remote processes	HIPS / PFW / Operating System Protection Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to read the PEB	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	System Time Discovery Archive Collected Data Encrypted Channel
Found large amount of non-executed APIs	Malware Analysis System Evasion	System Time Discovery
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
One or more processes crash	System Summary
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Security Software Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to modify the execution of threads in other processes		Security Software Discovery
Contains functionality to query local / system time	Language, Device and Operating System Detection
Contains functionality to query time zone information	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery
PE file contains a mix of data directories often seen in goodware	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_a35f85a9697e8c5bfcd541ff1e0c59facae73a9_33636041_10cb29f1-59b3-47ba-8a2b-bf10dbfe6815\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_a35f85a9697e8c5bfcd541ff1e0c59facae73a9_33636041_10cb29f1-59b3-47ba-8a2b-bf10dbfe6815\Report.wer
Category:	dropped
Dump:	Report.wer.4.dr
ID:	dr_4
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.7030705390227604
Encrypted:	false
Ssdeep:	192:UQDd5EhmOvYPliftiX0c20cI3jGGzuiFTZ24IO8TVB1:v+YNiFikc20bjHzuiFTY4IO8X1
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
Sample is known by Antivirus	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1F49.tmp.dmp

Mini DuMP crash report, 14 streams, Tue Jul 2 15:18:55 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER1F49.tmp.dmp
Category:	dropped
Dump:	WER1F49.tmp.dmp.4.dr
ID:	dr_1
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Tue Jul 2 15:18:55 2024, 0x1205a4 type
Entropy:	1.7111999058470664
Encrypted:	false
Ssdeep:	192:BNiW4aByD4tOa0Osz3S8yZMe7najYvTfkuNeUxzl:avkyjOszi7ZMe7aMLVJ
Size:	55812
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1FE7.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER1FE7.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER1FE7.tmp.WERInternalMetadata.xml.4.dr
ID:	dr_2
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.6907319056445425
Encrypted:	false
Ssdeep:	192:R6l7wVeJdCL6mE96Y9XwSU06ZgmfBWViN0pD989buhsfcjd5Gam:R6lXJE6/6YtwSU06Zgmf8UNDuafcxo
Size:	8258
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2007.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER2007.tmp.xml
Category:	dropped
Dump:	WER2007.tmp.xml.4.dr
ID:	dr_3
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.4274154951868985
Encrypted:	false
Ssdeep:	48:cvIwWl8zsWiJg77aI9kPWpW8VYdAYm8M4JIMXLFP+q8Z8vNq8PYd:uIjfWwI72e7V0NJISFm8lqsYd
Size:	4537
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Category:	dropped
Dump:	RegAsm.exe.log.1.dr
ID:	dr_0
Target ID:	1
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.33145931749415
Encrypted:	false
Ssdeep:	96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
Size:	3094
Whitelisted:	false
Reputation:	high

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.4.dr
ID:	dr_5
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.4653200516686375
Encrypted:	false
Ssdeep:	6144:SIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNPdwBCswSbc:XXD94+WlLZMM6YFH1+c
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6724
Target ID:	0
Parent PID:	2580
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	957440
MD5:	5D505724B7A084217D7DB6B2710D8613
Time:	11:18:54
Date:	02/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xe0000
Modulesize:	978944
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6804
Target ID:	1
Parent PID:	6724
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	11:18:54
Date:	02/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xac0000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6724 -s 312

Details

Is windows:	true
Is dropped:	false
PID:	7048
Target ID:	4
Parent PID:	6724
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6724 -s 312
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	11:18:55
Date:	02/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xdc0000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

77.105.135.107:3445

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/sct

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk

unknown

https://duckduckgo.com/ac/?q=

unknown

http://tempuri.org/Entity/Id14ResponseD

unknown

http://tempuri.org/Entity/Id23ResponseD

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary

unknown

http://tempuri.org/Entity/Id12Response

unknown

http://tempuri.org/

unknown

http://tempuri.org/Entity/Id2Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1

unknown

http://tempuri.org/Entity/Id21Response

unknown

http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap

unknown

http://tempuri.org/Entity/Id9

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID

unknown

http://tempuri.org/Entity/Id8

unknown

http://tempuri.org/Entity/Id6ResponseD

unknown

http://tempuri.org/Entity/Id5

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare

unknown

http://tempuri.org/Entity/Id4

unknown

http://tempuri.org/Entity/Id7

unknown

http://tempuri.org/Entity/Id6

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret

unknown

http://tempuri.org/Entity/Id19Response

unknown

http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence

unknown

http://tempuri.org/Entity/Id13ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/fault

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey

unknown

http://tempuri.org/Entity/Id15Response

unknown

http://tempuri.org/Entity/Id5ResponseD

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register

unknown

http://tempuri.org/Entity/Id6Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey

unknown

https://api.ip.sb/ip

unknown

http://schemas.xmlsoap.org/ws/2004/04/sc

unknown

http://tempuri.org/Entity/Id1ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel

unknown

http://tempuri.org/Entity/Id9Response

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

http://tempuri.org/Entity/Id20

unknown

http://tempuri.org/Entity/Id21

unknown

http://tempuri.org/Entity/Id22

unknown

http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1

unknown

http://tempuri.org/Entity/Id23

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1

unknown

http://tempuri.org/Entity/Id24

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue

unknown

http://tempuri.org/Entity/Id24Response

unknown

https://www.ecosia.org/newtab/

unknown

http://tempuri.org/Entity/Id1Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey

unknown

http://tempuri.org/Entity/Id21ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust

unknown

http://tempuri.org/Entity/Id10

unknown

http://tempuri.org/Entity/Id11

unknown

http://tempuri.org/Entity/Id10ResponseD

unknown

http://tempuri.org/Entity/Id12

unknown

http://tempuri.org/Entity/Id16Response

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel

unknown

http://tempuri.org/Entity/Id13

unknown

http://tempuri.org/Entity/Id14

unknown

http://tempuri.org/Entity/Id15

unknown

http://tempuri.org/Entity/Id16

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce

unknown

http://tempuri.org/Entity/Id17

unknown

http://tempuri.org/Entity/Id18

unknown

http://tempuri.org/Entity/Id5Response

unknown

http://tempuri.org/Entity/Id19

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns

unknown

http://tempuri.org/Entity/Id15ResponseD

unknown

http://tempuri.org/Entity/Id10Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Renew

unknown

http://tempuri.org/Entity/Id11ResponseD

unknown

http://tempuri.org/Entity/Id8Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT

unknown

http://schemas.xmlsoap.org/ws/2006/02/addressingidentity

unknown

http://tempuri.org/Entity/Id17ResponseD

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

http://tempuri.org/Entity/Id8ResponseD

unknown

There are 90 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

77.105.135.107

unknown

Russian Federation

Details

IP:	77.105.135.107
TargetID:	1
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	42031
ASN name:	PLUSTELECOM-ASRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

\REGISTRY\A\{fc41c855-b6bf-9245-3dbf-3a660598a0d0}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

ProgramId

\REGISTRY\A\{fc41c855-b6bf-9245-3dbf-3a660598a0d0}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

FileId

\REGISTRY\A\{fc41c855-b6bf-9245-3dbf-3a660598a0d0}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

LowerCaseLongPath

\REGISTRY\A\{fc41c855-b6bf-9245-3dbf-3a660598a0d0}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

LongPathHash

\REGISTRY\A\{fc41c855-b6bf-9245-3dbf-3a660598a0d0}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

Name

\REGISTRY\A\{fc41c855-b6bf-9245-3dbf-3a660598a0d0}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

OriginalFileName

\REGISTRY\A\{fc41c855-b6bf-9245-3dbf-3a660598a0d0}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

Publisher

\REGISTRY\A\{fc41c855-b6bf-9245-3dbf-3a660598a0d0}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

Version

\REGISTRY\A\{fc41c855-b6bf-9245-3dbf-3a660598a0d0}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

BinFileVersion

\REGISTRY\A\{fc41c855-b6bf-9245-3dbf-3a660598a0d0}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

BinaryType

\REGISTRY\A\{fc41c855-b6bf-9245-3dbf-3a660598a0d0}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

ProductName

\REGISTRY\A\{fc41c855-b6bf-9245-3dbf-3a660598a0d0}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

ProductVersion

\REGISTRY\A\{fc41c855-b6bf-9245-3dbf-3a660598a0d0}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

LinkDate

\REGISTRY\A\{fc41c855-b6bf-9245-3dbf-3a660598a0d0}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

BinProductVersion

\REGISTRY\A\{fc41c855-b6bf-9245-3dbf-3a660598a0d0}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

AppxPackageFullName

\REGISTRY\A\{fc41c855-b6bf-9245-3dbf-3a660598a0d0}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

AppxPackageRelativeId

\REGISTRY\A\{fc41c855-b6bf-9245-3dbf-3a660598a0d0}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

Size

\REGISTRY\A\{fc41c855-b6bf-9245-3dbf-3a660598a0d0}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

Language

\REGISTRY\A\{fc41c855-b6bf-9245-3dbf-3a660598a0d0}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

Usn

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Owner

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

SessionHash

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Sequence

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFiles0000

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFilesHash

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData

ClockTimeSeconds

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData

TickCount

There are 16 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2EA1000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

2F35000

trusted library allocation

page read and write

17A000

unkown

page read and write

ACE000

stack

page read and write

55D0000

trusted library allocation

page read and write

33EC000

trusted library allocation

page read and write

6F0F000

heap

page read and write

757E000

stack

page read and write

11A4000

trusted library allocation

page read and write

3322000

trusted library allocation

page read and write

591C000

heap

page read and write

52EB000

trusted library allocation

page read and write

6FBE000

heap

page read and write

30B4000

trusted library allocation

page read and write

59B0000

trusted library allocation

page execute and read and write

E0000

unkown

page readonly

710F000

trusted library allocation

page read and write

5600000

heap

page read and write

30A9000

trusted library allocation

page read and write

7200000

trusted library allocation

page execute and read and write

3EC9000

trusted library allocation

page read and write

5360000

heap

page read and write

2890000

heap

page read and write

5400000

trusted library allocation

page read and write

1220000

trusted library allocation

page execute and read and write

105F000

heap

page read and write

11D7000

trusted library allocation

page execute and read and write

11C0000

trusted library allocation

page read and write

3EA1000

trusted library allocation

page read and write

7132000

trusted library allocation

page read and write

2FDD000

trusted library allocation

page read and write

3ED5000

trusted library allocation

page read and write

58BC000

heap

page read and write

763B000

stack

page read and write

2E5B000

stack

page read and write

B1E000

heap

page read and write

B1A000

heap

page read and write

6340000

trusted library allocation

page execute and read and write

6EE0000

heap

page read and write

3EE3000

trusted library allocation

page read and write

58E0000

heap

page read and write

3394000

trusted library allocation

page read and write

33E1000

trusted library allocation

page read and write

633C000

stack

page read and write

711A000

trusted library allocation

page read and write

11C2000

trusted library allocation

page read and write

B69000

stack

page read and write

77EE000

stack

page read and write

1200000

heap

page read and write

711F000

trusted library allocation

page read and write

1240000

trusted library allocation

page read and write

347B000

trusted library allocation

page read and write

2D0E000

trusted library allocation

page read and write

3056000

trusted library allocation

page read and write

7130000

trusted library allocation

page read and write

58FB000

heap

page read and write

5670000

trusted library allocation

page read and write

2E65000

trusted library allocation

page read and write

2E60000

trusted library allocation

page read and write

7120000

trusted library allocation

page read and write

3017000

trusted library allocation

page read and write

7210000

trusted library allocation

page read and write

83C000

stack

page read and write

5710000

trusted library allocation

page execute and read and write

52FE000

trusted library allocation

page read and write

E0000

unkown

page readonly

30B8000

trusted library allocation

page read and write

3316000

trusted library allocation

page read and write

53A0000

trusted library allocation

page read and write

435000

remote allocation

page execute and read and write

3ED0000

trusted library allocation

page read and write

70F0000

trusted library allocation

page read and write

D0E000

stack

page read and write

2C0F000

stack

page read and write

5850000

heap

page read and write

33FA000

trusted library allocation

page read and write

726E000

stack

page read and write

5946000

heap

page read and write

3148000

trusted library allocation

page read and write

76E0000

heap

page read and write

EF7000

stack

page read and write

58CC000

heap

page read and write

3046000

trusted library allocation

page read and write

990000

heap

page read and write

70E3000

trusted library allocation

page read and write

594D000

heap

page read and write

3050000

trusted library allocation

page read and write

B0E000

stack

page read and write

11D2000

trusted library allocation

page read and write

FFB000

heap

page read and write

5393000

heap

page execute and read and write

3EDF000

trusted library allocation

page read and write

56E0000

trusted library allocation

page execute and read and write

53E2000

trusted library allocation

page read and write

3373000

trusted library allocation

page read and write

649E000

stack

page read and write

11BD000

trusted library allocation

page execute and read and write

71EE000

stack

page read and write

332F000

trusted library allocation

page read and write

10D3000

heap

page read and write

1BC000

unkown

page read and write

11D0000

trusted library allocation

page read and write

53EE000

trusted library allocation

page read and write

6F6D000

heap

page read and write

B2D000

heap

page read and write

70F2000

trusted library allocation

page read and write

53CB000

trusted library allocation

page read and write

5620000

trusted library allocation

page read and write

2FEF000

trusted library allocation

page read and write

2B0F000

stack

page read and write

E1000

unkown

page execute read

52E4000

trusted library allocation

page read and write

311C000

trusted library allocation

page read and write

55DE000

trusted library allocation

page read and write

3402000

trusted library allocation

page read and write

10E0000

heap

page read and write

5950000

trusted library allocation

page execute and read and write

3140000

trusted library allocation

page read and write

3439000

trusted library allocation

page read and write

33D6000

trusted library allocation

page read and write

3EC1000

trusted library allocation

page read and write

2E70000

trusted library allocation

page read and write

53C0000

trusted library allocation

page read and write

300F000

trusted library allocation

page read and write

6D37000

trusted library allocation

page read and write

7640000

trusted library allocation

page read and write

61FE000

stack

page read and write

6EEC000

heap

page read and write

10DA000

heap

page read and write

3EAF000

trusted library allocation

page read and write

56D0000

trusted library allocation

page execute and read and write

70F5000

trusted library allocation

page read and write

32FE000

trusted library allocation

page read and write

53D6000

trusted library allocation

page read and write

6F09000

heap

page read and write

6C2E000

stack

page read and write

5840000

trusted library allocation

page read and write

BE0000

heap

page read and write

5918000

heap

page read and write

3077000

trusted library allocation

page read and write

2E1E000

stack

page read and write

1031000

heap

page read and write

6F17000

heap

page read and write

6E40000

trusted library allocation

page execute and read and write

10F0000

heap

page read and write

3495000

trusted library allocation

page read and write

710A000

trusted library allocation

page read and write

60BE000

stack

page read and write

75BE000

stack

page read and write

3119000

trusted library allocation

page read and write

3186000

trusted library allocation

page read and write

6D2D000

stack

page read and write

5660000

trusted library allocation

page execute and read and write

6F79000

heap

page read and write

56F0000

trusted library allocation

page read and write

6BD0000

heap

page read and write

2FE0000

trusted library allocation

page read and write

76CE000

stack

page read and write

E0F000

stack

page read and write

5960000

heap

page execute and read and write

7290000

trusted library allocation

page read and write

6F52000

heap

page read and write

55B0000

trusted library allocation

page read and write

59AE000

stack

page read and write

71F0000

trusted library allocation

page read and write

3387000

trusted library allocation

page read and write

2C4E000

stack

page read and write

6F2E000

heap

page read and write

305E000

trusted library allocation

page read and write

75FF000

stack

page read and write

32D2000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

2CF0000

trusted library allocation

page read and write

33D3000

trusted library allocation

page read and write

9A0000

heap

page read and write

10DC000

heap

page read and write

34CD000

trusted library allocation

page read and write

343F000

trusted library allocation

page read and write

5700000

trusted library allocation

page read and write

7806000

heap

page read and write

530D000

trusted library allocation

page read and write

330E000

trusted library allocation

page read and write

6FA5000

heap

page read and write

339C000

trusted library allocation

page read and write

55F0000

trusted library allocation

page read and write

168000

unkown

page readonly

659C000

stack

page read and write

592C000

heap

page read and write

70F9000

trusted library allocation

page read and write

7124000

trusted library allocation

page read and write

113E000

stack

page read and write

5830000

trusted library allocation

page read and write

6FDB000

heap

page read and write

58F5000

heap

page read and write

3489000

trusted library allocation

page read and write

768E000

stack

page read and write

307F000

trusted library allocation

page read and write

7270000

trusted library allocation

page execute and read and write

71AD000

stack

page read and write

58FF000

heap

page read and write

78F1000

trusted library allocation

page read and write

7280000

trusted library allocation

page execute and read and write

6D40000

heap

page read and write

3470000

trusted library allocation

page read and write

8EDE000

stack

page read and write

310F000

trusted library allocation

page read and write

7115000

trusted library allocation

page read and write

11A3000

trusted library allocation

page execute and read and write

30C2000

trusted library allocation

page read and write

2FF6000

trusted library allocation

page read and write

6D35000

trusted library allocation

page read and write

3460000

trusted library allocation

page read and write

5906000

heap

page read and write

7108000

trusted library allocation

page read and write

77F0000

heap

page read and write

2FEB000

trusted library allocation

page read and write

11C6000

trusted library allocation

page execute and read and write

10F5000

heap

page read and write

6EE2000

heap

page read and write

6F4C000

heap

page read and write

6F36000

heap

page read and write

3053000

trusted library allocation

page read and write

273D000

stack

page read and write

1C9000

unkown

page readonly

11DB000

trusted library allocation

page execute and read and write

31F8000

trusted library allocation

page read and write

168000

unkown

page readonly

283D000

stack

page read and write

3127000

trusted library allocation

page read and write

93D000

stack

page read and write

6F63000

heap

page read and write

2FE3000

trusted library allocation

page read and write

1236000

heap

page read and write

70E6000

trusted library allocation

page read and write

B10000

heap

page read and write

5680000

trusted library allocation

page read and write

5372000

trusted library allocation

page read and write

55E0000

trusted library allocation

page read and write

6BC0000

trusted library allocation

page read and write

5301000

trusted library allocation

page read and write

3452000

trusted library allocation

page read and write

5390000

heap

page execute and read and write

2E90000

heap

page execute and read and write

62FF000

stack

page read and write

5926000

heap

page read and write

25FE000

stack

page read and write

2D10000

heap

page read and write

40CB000

trusted library allocation

page read and write

2F7F000

trusted library allocation

page read and write

52E0000

trusted library allocation

page read and write

5410000

heap

page read and write

7140000

trusted library allocation

page read and write

58A9000

heap

page read and write

349B000

trusted library allocation

page read and write

11A0000

trusted library allocation

page read and write

5370000

trusted library allocation

page read and write

427E000

trusted library allocation

page read and write

1260000

heap

page read and write

53FA000

trusted library allocation

page read and write

3308000

trusted library allocation

page read and write

2C58000

trusted library allocation

page read and write

5413000

heap

page read and write

11D5000

trusted library allocation

page execute and read and write

58E5000

heap

page read and write

3132000

trusted library allocation

page read and write

11F0000

trusted library allocation

page read and write

342F000

trusted library allocation

page read and write

BD0000

heap

page read and write

336D000

trusted library allocation

page read and write

32FC000

trusted library allocation

page read and write

33C9000

trusted library allocation

page read and write

32BC000

trusted library allocation

page read and write

6FB1000

heap

page read and write

3337000

trusted library allocation

page read and write

330B000

trusted library allocation

page read and write

30E3000

trusted library allocation

page read and write

8DDF000

stack

page read and write

430000

remote allocation

page execute and read and write

1024000

heap

page read and write

1230000

heap

page read and write

1190000

trusted library allocation

page read and write

7EE0000

heap

page read and write

9B0000

heap

page read and write

FF0000

heap

page read and write

3EDC000

trusted library allocation

page read and write

53AA000

trusted library allocation

page read and write

342D000

trusted library allocation

page read and write

1C9000

unkown

page readonly

3370000

trusted library allocation

page read and write

6D30000

trusted library allocation

page read and write

53F1000

trusted library allocation

page read and write

2840000

direct allocation

page execute and read and write

26FE000

stack

page read and write

5320000

trusted library allocation

page read and write

30DC000

trusted library allocation

page read and write

2FF2000

trusted library allocation

page read and write

7220000

trusted library allocation

page read and write

7135000

trusted library allocation

page read and write

53A8000

trusted library allocation

page read and write

6F05000

heap

page read and write

644C000

stack

page read and write

31AA000

trusted library allocation

page read and write

6EF8000

heap

page read and write

17A000

unkown

page write copy

444000

remote allocation

page execute and read and write

5380000

trusted library allocation

page execute and read and write

10D7000

heap

page read and write

6F43000

heap

page read and write

58F2000

heap

page read and write

1250000

trusted library allocation

page read and write

337B000

trusted library allocation

page read and write

33D9000

trusted library allocation

page read and write

55D5000

trusted library allocation

page read and write

3069000

trusted library allocation

page read and write

123B000

heap

page read and write

61BE000

stack

page read and write

4F9B000

stack

page read and write

11AD000

trusted library allocation

page execute and read and write

31FA000

trusted library allocation

page read and write

5610000

trusted library allocation

page read and write

53D1000

trusted library allocation

page read and write

6F2B000

heap

page read and write

3F22000

trusted library allocation

page read and write

3044000

trusted library allocation

page read and write

55C1000

trusted library allocation

page read and write

311F000

trusted library allocation

page read and write

3001000

trusted library allocation

page read and write

55DB000

trusted library allocation

page read and write

5650000

trusted library allocation

page read and write

33C7000

trusted library allocation

page read and write

7FCB0000

trusted library allocation

page execute and read and write

3362000

trusted library allocation

page read and write

343C000

trusted library allocation

page read and write

70E0000

trusted library allocation

page read and write

6F87000

heap

page read and write

3447000

trusted library allocation

page read and write

590E000

heap

page read and write

30CE000

trusted library allocation

page read and write

117E000

stack

page read and write

E1000

unkown

page execute read

10CB000

heap

page read and write

2C50000

trusted library allocation

page read and write

2D00000

trusted library allocation

page read and write

2F77000

trusted library allocation

page read and write

607E000

stack

page read and write

11B0000

trusted library allocation

page read and write

5312000

trusted library allocation

page read and write

30BA000

trusted library allocation

page read and write

310D000

trusted library allocation

page read and write

31F2000

trusted library allocation

page read and write

11CA000

trusted library allocation

page execute and read and write

53A5000

trusted library allocation

page read and write

32CA000

trusted library allocation

page read and write

5306000

trusted library allocation

page read and write

There are 345 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
file.exe