Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

j6OUc3S2uP.exe

PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy:	6.298054666584365
Filename:	j6OUc3S2uP.exe
Filesize:	983001
MD5:	d662387f9f11b665b70d14c19177b058
SHA1:	3aa3745a01043cecec79b49a29cdfff60265d519
SHA256:	ec7e4a2cfd34ceccca73309ac6862f233904b1ab888b7a903ee18ecaf0c65626
SHA512:	3bea71cee5f1a9bb94b9b01d3394b18a4a6a1b3e3e267f3fb11d3a9fe418364294fd906043031a64f6017a6e8f8dd5dfc85a11588209dda668fc8517d47c3508
SSDEEP:	12288:o+WbFkpXD7n1FDoPNUCobwMtFTUhqxDd1XK8:o+4i3nnDAUCobwQ3h1V
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....Y............"...0.D:............... ....@...... ....................................`................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
One or more processes crash	System Summary
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_j6OUc3S2uP.exe_ec5336e1243d7bf75db30977b6a261e84eea9ad_ad983b20_5cee530d-8701-4278-8562-3cfde6cd09e4\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_j6OUc3S2uP.exe_ec5336e1243d7bf75db30977b6a261e84eea9ad_ad983b20_5cee530d-8701-4278-8562-3cfde6cd09e4\Report.wer
Category:	dropped
Dump:	Report.wer.6.dr
ID:	dr_4
Target ID:	6
Process:	C:\Windows\System32\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.98719320412137
Encrypted:	false
Ssdeep:	192:e0sd+mT0UnU1aWh8UOzuiF5Z24lO8SKc:hdmAUnU1au8PzuiF5Y4lO8M
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
PE file does not import any functions	System Summary
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC43.tmp.dmp

Mini DuMP crash report, 16 streams, Wed Jul 3 14:27:53 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC43.tmp.dmp
Category:	dropped
Dump:	WERBC43.tmp.dmp.6.dr
ID:	dr_1
Target ID:	6
Process:	C:\Windows\System32\WerFault.exe
Type:	Mini DuMP crash report, 16 streams, Wed Jul 3 14:27:53 2024, 0x1205a4 type
Entropy:	3.278691226775555
Encrypted:	false
Ssdeep:	3072:jidttQP7+d1T1CCqF3+vcw4Od5L6cqMcS9g9gIk4Bny:jidttcQqF3QcwTd52cj9gx
Size:	386195
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBD9C.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERBD9C.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WERBD9C.tmp.WERInternalMetadata.xml.6.dr
ID:	dr_2
Target ID:	6
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.7065111032866693
Encrypted:	false
Ssdeep:	192:R6l7wVeJ2Cy6Y2DtRQLZFXugmfdLdprg89bs6pcfXSYm:R6lXJLy6YARQ/XugmfdL9s6CfC9
Size:	8604
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBDDB.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERBDDB.tmp.xml
Category:	dropped
Dump:	WERBDDB.tmp.xml.6.dr
ID:	dr_3
Target ID:	6
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.527883158121395
Encrypted:	false
Ssdeep:	48:cvIwWl8zsjJg771I9RmWpW8VYIYm8M4JpdbdYSDFKyq851dOLl9uXChdtYodtSFd:uIjf9I7un7V4JpNuqO9OChzYozSFd
Size:	4761
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AddInProcess32.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AddInProcess32.exe.log
Category:	dropped
Dump:	AddInProcess32.exe.log.2.dr
ID:	dr_0
Target ID:	2
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.353332853270839
Encrypted:	false
Ssdeep:	24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
Size:	1039
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.6.dr
ID:	dr_5
Target ID:	6
Process:	C:\Windows\System32\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.468984494981576
Encrypted:	false
Ssdeep:	6144:ozZfpi6ceLPx9skLmb0ffZWSP3aJG8nAgeiJRMMhA2zX4WABluuNdjDH5S:+ZHtfZWOKnMM6bFpPj4
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\j6OUc3S2uP.exe

"C:\Users\user\Desktop\j6OUc3S2uP.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5800
Target ID:	0
Parent PID:	4004
Name:	j6OUc3S2uP.exe
Path:	C:\Users\user\Desktop\j6OUc3S2uP.exe
Commandline:	"C:\Users\user\Desktop\j6OUc3S2uP.exe"
Size:	983001
MD5:	D662387F9F11B665B70D14C19177B058
Time:	10:27:51
Date:	03/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1d21f270000
Modulesize:	32768
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

Details

Is windows:	true
Is dropped:	false
PID:	1336
Target ID:	2
Parent PID:	5800
Name:	AddInProcess32.exe
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Size:	43008
MD5:	9827FF3CDF4B83F9C86354606736CA9C
Time:	10:27:52
Date:	03/07/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x960000
Modulesize:	49152
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Creates files inside the user directory	System Summary	Masquerading
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

Details

Is windows:	true
Is dropped:	false
PID:	2536
Target ID:	3
Parent PID:	5800
Name:	AddInProcess32.exe
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Size:	43008
MD5:	9827FF3CDF4B83F9C86354606736CA9C
Time:	10:27:52
Date:	03/07/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Creates files inside the user directory	System Summary	Masquerading
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 5800 -s 1020

Details

Is windows:	true
Is dropped:	false
PID:	1292
Target ID:	6
Parent PID:	5800
Name:	WerFault.exe
Path:	C:\Windows\System32\WerFault.exe
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5800 -s 1020
Size:	570736
MD5:	FD27D9F6D02763BDE32511B5DF7FF7A0
Time:	10:27:53
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff604ed0000
Modulesize:	581632
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

Details

Is windows:	true
Is dropped:	false
PID:	2144
Target ID:	7
Parent PID:	1336
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	10:28:06
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1c0000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6456
Target ID:	8
Parent PID:	2144
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	10:28:06
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff66e660000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

Details

Is windows:	true
Is dropped:	false
PID:	2760
Target ID:	9
Parent PID:	2144
Name:	choice.exe
Path:	C:\Windows\SysWOW64\choice.exe
Commandline:	choice /C Y /N /D Y /T 3
Size:	28160
MD5:	FCE0E41C87DC4ABBE976998AD26C27E4
Time:	10:28:06
Date:	03/07/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x2b0000
Modulesize:	40960
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://reallyfreegeoip.org

unknown

http://upx.sf.net

unknown

http://checkip.dyndns.org

unknown

http://checkip.dyndns.org/

132.226.8.169

http://checkip.dyndns.com

unknown

https://reallyfreegeoip.org/xml/8.46.123.33

188.114.96.3

https://reallyfreegeoip.org/xml/8.46.123.33$

unknown

http://reallyfreegeoip.orgP

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://checkip.dyndns.org/q

unknown

http://reallyfreegeoip.org

unknown

https://reallyfreegeoip.org/xml/

unknown

There are 2 hidden URLs, click here to show them.

Domains

Name

Malicious

reallyfreegeoip.org

188.114.96.3

Details

Name:	reallyfreegeoip.org
IP:	188.114.96.3
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Tries to detect the country of the analysis system (by using the IP)	Location Tracking
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.com

132.226.8.169

IPs

Domain

Country

Malicious

188.114.96.3

reallyfreegeoip.org

European Union

Details

IP:	188.114.96.3
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

132.226.8.169

checkip.dyndns.com

United States

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AddInProcess32_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AddInProcess32_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AddInProcess32_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AddInProcess32_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AddInProcess32_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AddInProcess32_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AddInProcess32_RASMANCS

FileDirectory

\REGISTRY\A\{f2614513-160b-220a-9f8e-3cb522b0b38e}\Root\InventoryApplicationFile\j6ouc3s2up.exe|3417ce135fca55c1

ProgramId

\REGISTRY\A\{f2614513-160b-220a-9f8e-3cb522b0b38e}\Root\InventoryApplicationFile\j6ouc3s2up.exe|3417ce135fca55c1

FileId

\REGISTRY\A\{f2614513-160b-220a-9f8e-3cb522b0b38e}\Root\InventoryApplicationFile\j6ouc3s2up.exe|3417ce135fca55c1

LowerCaseLongPath

\REGISTRY\A\{f2614513-160b-220a-9f8e-3cb522b0b38e}\Root\InventoryApplicationFile\j6ouc3s2up.exe|3417ce135fca55c1

LongPathHash

\REGISTRY\A\{f2614513-160b-220a-9f8e-3cb522b0b38e}\Root\InventoryApplicationFile\j6ouc3s2up.exe|3417ce135fca55c1

Name

\REGISTRY\A\{f2614513-160b-220a-9f8e-3cb522b0b38e}\Root\InventoryApplicationFile\j6ouc3s2up.exe|3417ce135fca55c1

OriginalFileName

\REGISTRY\A\{f2614513-160b-220a-9f8e-3cb522b0b38e}\Root\InventoryApplicationFile\j6ouc3s2up.exe|3417ce135fca55c1

Publisher

\REGISTRY\A\{f2614513-160b-220a-9f8e-3cb522b0b38e}\Root\InventoryApplicationFile\j6ouc3s2up.exe|3417ce135fca55c1

Version

\REGISTRY\A\{f2614513-160b-220a-9f8e-3cb522b0b38e}\Root\InventoryApplicationFile\j6ouc3s2up.exe|3417ce135fca55c1

BinFileVersion

\REGISTRY\A\{f2614513-160b-220a-9f8e-3cb522b0b38e}\Root\InventoryApplicationFile\j6ouc3s2up.exe|3417ce135fca55c1

BinaryType

\REGISTRY\A\{f2614513-160b-220a-9f8e-3cb522b0b38e}\Root\InventoryApplicationFile\j6ouc3s2up.exe|3417ce135fca55c1

ProductName

\REGISTRY\A\{f2614513-160b-220a-9f8e-3cb522b0b38e}\Root\InventoryApplicationFile\j6ouc3s2up.exe|3417ce135fca55c1

ProductVersion

\REGISTRY\A\{f2614513-160b-220a-9f8e-3cb522b0b38e}\Root\InventoryApplicationFile\j6ouc3s2up.exe|3417ce135fca55c1

LinkDate

\REGISTRY\A\{f2614513-160b-220a-9f8e-3cb522b0b38e}\Root\InventoryApplicationFile\j6ouc3s2up.exe|3417ce135fca55c1

BinProductVersion

\REGISTRY\A\{f2614513-160b-220a-9f8e-3cb522b0b38e}\Root\InventoryApplicationFile\j6ouc3s2up.exe|3417ce135fca55c1

AppxPackageFullName

\REGISTRY\A\{f2614513-160b-220a-9f8e-3cb522b0b38e}\Root\InventoryApplicationFile\j6ouc3s2up.exe|3417ce135fca55c1

AppxPackageRelativeId

\REGISTRY\A\{f2614513-160b-220a-9f8e-3cb522b0b38e}\Root\InventoryApplicationFile\j6ouc3s2up.exe|3417ce135fca55c1

Size

\REGISTRY\A\{f2614513-160b-220a-9f8e-3cb522b0b38e}\Root\InventoryApplicationFile\j6ouc3s2up.exe|3417ce135fca55c1

Language

\REGISTRY\A\{f2614513-160b-220a-9f8e-3cb522b0b38e}\Root\InventoryApplicationFile\j6ouc3s2up.exe|3417ce135fca55c1

Usn

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

DeviceTicket

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

DeviceId

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

ApplicationFlags

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property

0018000DDABBE6B3

There are 28 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

1D22110B000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

1D2311C9000

trusted library allocation

page read and write

2C51000

trusted library allocation

page read and write

7FFD34590000

trusted library allocation

page read and write

E40000

heap

page read and write

2758000

heap

page read and write

6255000

heap

page read and write

2700000

heap

page read and write

2D4E000

trusted library allocation

page read and write

650E000

stack

page read and write

16EDFE000

stack

page read and write

2D92000

trusted library allocation

page read and write

F70000

trusted library allocation

page read and write

693C000

stack

page read and write

1D21F6E5000

heap

page read and write

1D21F675000

heap

page read and write

9FB000

stack

page read and write

64CE000

stack

page read and write

1D21F5E0000

trusted library section

page read and write

29CE000

stack

page read and write

29E0000

heap

page read and write

2C1C000

stack

page read and write

7FF48C190000

trusted library allocation

page execute and read and write

2DDC000

trusted library allocation

page read and write

FB0000

heap

page read and write

513E000

trusted library allocation

page read and write

2D4A000

trusted library allocation

page read and write

2DA6000

trusted library allocation

page read and write

668E000

stack

page read and write

2BCF000

heap

page read and write

FB8000

heap

page read and write

634D000

stack

page read and write

5134000

trusted library allocation

page read and write

2D10000

trusted library allocation

page read and write

F40000

trusted library allocation

page read and write

7FFD34729000

trusted library allocation

page read and write

1D21F42C000

heap

page read and write

1D2210C0000

heap

page execute and read and write

2D8E000

trusted library allocation

page read and write

3C79000

trusted library allocation

page read and write

697E000

stack

page read and write

E50000

heap

page read and write

12AE000

stack

page read and write

638E000

stack

page read and write

620F000

stack

page read and write

6268000

heap

page read and write

7FFD34710000

trusted library allocation

page read and write

2340000

heap

page read and write

2D56000

trusted library allocation

page read and write

7FFD34740000

trusted library allocation

page read and write

2D13000

trusted library allocation

page read and write

5D8E000

stack

page read and write

1D21F463000

heap

page read and write

1D2211B3000

trusted library allocation

page read and write

CF7000

stack

page read and write

56C0000

trusted library allocation

page read and write

1D2210F0000

trusted library allocation

page read and write

1D21F5A0000

trusted library allocation

page read and write

7FFD34574000

trusted library allocation

page read and write

16ECF3000

stack

page read and write

11AE000

stack

page read and write

274E000

stack

page read and write

5144000

trusted library allocation

page read and write

FDA000

heap

page read and write

1D2310D1000

trusted library allocation

page read and write

F80000

trusted library allocation

page read and write

7FFD3458D000

trusted library allocation

page execute and read and write

2870000

heap

page read and write

2750000

heap

page read and write

2A6F000

unkown

page read and write

610E000

stack

page read and write

1D21F670000

heap

page read and write

41CF000

stack

page read and write

7FFD3474E000

trusted library allocation

page read and write

7FFD34626000

trusted library allocation

page read and write

3C51000

trusted library allocation

page read and write

16F4FE000

stack

page read and write

56AE000

stack

page read and write

FE6000

heap

page read and write

5F8F000

stack

page read and write

683C000

stack

page read and write

1D21F4F9000

heap

page read and write

6A80000

heap

page read and write

2B6F000

stack

page read and write

4DEC000

stack

page read and write

7FFD34720000

trusted library allocation

page read and write

2850000

heap

page read and write

2C20000

trusted library allocation

page read and write

1D2312A3000

trusted library allocation

page read and write

2BCF000

heap

page read and write

2C40000

heap

page read and write

5180000

heap

page execute and read and write

658E000

stack

page read and write

F50000

heap

page read and write

7FFD345CC000

trusted library allocation

page execute and read and write

6BCE000

stack

page read and write

1D21F465000

heap

page read and write

5159000

trusted library allocation

page read and write

F82000

trusted library allocation

page read and write

16F1FC000

stack

page read and write

7FFD34573000

trusted library allocation

page execute and read and write

230D000

stack

page read and write

2DF8000

trusted library allocation

page read and write

2DA2000

trusted library allocation

page read and write

2E18000

trusted library allocation

page read and write

7FFD34570000

trusted library allocation

page read and write

1D21F300000

heap

page read and write

EE7000

heap

page read and write

566D000

stack

page read and write

2DCE000

trusted library allocation

page read and write

2A70000

trusted library allocation

page read and write

2D07000

trusted library allocation

page read and write

2B70000

heap

page read and write

7FFD3457D000

trusted library allocation

page execute and read and write

1D21F400000

heap

page read and write

7FFD34750000

trusted library allocation

page read and write

5165000

trusted library allocation

page read and write

1070000

heap

page read and write

298F000

stack

page read and write

2D52000

trusted library allocation

page read and write

7FFD34582000

trusted library allocation

page read and write

F97000

trusted library allocation

page execute and read and write

1D21F590000

trusted library allocation

page read and write

628B000

heap

page read and write

7FFD34724000

trusted library allocation

page read and write

1D21F4E0000

heap

page read and write

2CF3000

trusted library allocation

page read and write

2DB3000

trusted library allocation

page read and write

60CE000

stack

page read and write

2A80000

heap

page read and write

2C30000

trusted library allocation

page read and write

23CE000

unkown

page read and write

5E8F000

stack

page read and write

3C57000

trusted library allocation

page read and write

6210000

heap

page read and write

16F5FF000

stack

page read and write

F10000

heap

page read and write

7FFD34594000

trusted library allocation

page read and write

E9E000

stack

page read and write

1D21F270000

unkown

page readonly

273E000

stack

page read and write

5FCE000

stack

page read and write

109E000

heap

page read and write

1D2310D7000

trusted library allocation

page read and write

7FFD3462C000

trusted library allocation

page execute and read and write

2ADE000

stack

page read and write

51FE000

stack

page read and write

F8A000

trusted library allocation

page execute and read and write

2C26000

trusted library allocation

page read and write

6A7F000

stack

page read and write

27AC000

heap

page read and write

E55000

heap

page read and write

16F3FE000

stack

page read and write

F60000

trusted library allocation

page read and write

5156000

trusted library allocation

page read and write

1D21F491000

heap

page read and write

1D239100000

trusted library allocation

page read and write

7FFD3459D000

trusted library allocation

page execute and read and write

27A0000

heap

page read and write

7FFD34630000

trusted library allocation

page execute and read and write

1D21F272000

unkown

page readonly

52B0000

heap

page read and write

2E0A000

trusted library allocation

page read and write

1D21F420000

heap

page read and write

1D21F6E0000

heap

page read and write

7FFD34620000

trusted library allocation

page read and write

2BDE000

stack

page read and write

2380000

heap

page read and write

2D9E000

trusted library allocation

page read and write

7FFD3459B000

trusted library allocation

page execute and read and write

269C000

stack

page read and write

62A3000

heap

page read and write

16F0FF000

stack

page read and write

1D21F3E0000

heap

page read and write

63CE000

stack

page read and write

1D21F570000

trusted library allocation

page read and write

2A60000

trusted library allocation

page execute and read and write

2D96000

trusted library allocation

page read and write

16EFFF000

stack

page read and write

2D2B000

trusted library allocation

page read and write

2DFC000

trusted library allocation

page read and write

2DC1000

trusted library allocation

page read and write

2C80000

heap

page read and write

7FFD34580000

trusted library allocation

page read and write

562E000

stack

page read and write

7FFD34572000

trusted library allocation

page read and write

52C0000

heap

page read and write

1D21F5A3000

trusted library allocation

page read and write

1D21F501000

heap

page read and write

23D0000

heap

page read and write

2CFB000

trusted library allocation

page read and write

2D04000

trusted library allocation

page read and write

1D2210D1000

trusted library allocation

page read and write

1D220F90000

heap

page read and write

F64000

trusted library allocation

page read and write

7FFD34690000

trusted library allocation

page execute and read and write

F9B000

trusted library allocation

page execute and read and write

26FD000

stack

page read and write

2A50000

trusted library allocation

page read and write

F86000

trusted library allocation

page execute and read and write

623D000

heap

page read and write

D60000

heap

page read and write

7FFD34730000

trusted library allocation

page read and write

2A90000

heap

page execute and read and write

654E000

stack

page read and write

EE0000

heap

page read and write

F92000

trusted library allocation

page read and write

2D9A000

trusted library allocation

page read and write

1D21F44B000

heap

page read and write

5190000

trusted library allocation

page read and write

1D21F496000

heap

page read and write

F6D000

trusted library allocation

page execute and read and write

1D21F520000

heap

page read and write

1D2398D0000

heap

page read and write

6ACD000

stack

page read and write

2D42000

trusted library allocation

page read and write

1D21F4E8000

heap

page read and write

1D23139C000

trusted library allocation

page read and write

55EE000

stack

page read and write

7FFD34656000

trusted library allocation

page execute and read and write

265C000

stack

page read and write

EDD000

stack

page read and write

F63000

trusted library allocation

page execute and read and write

2D8A000

trusted library allocation

page read and write

6282000

heap

page read and write

6239000

heap

page read and write

1D221424000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

2D40000

trusted library allocation

page read and write

16EEFE000

stack

page read and write

1D21F5D0000

heap

page execute and read and write

27C3000

heap

page read and write

5151000

trusted library allocation

page read and write

7FFD34770000

trusted library allocation

page read and write

16F2FE000

stack

page read and write

7FFD34760000

trusted library allocation

page execute and read and write

There are 227 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
j6OUc3S2uP.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportj6OUc3S2uP.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
j6OUc3S2uP.exe