Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Download

6j8aA9Av1m.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.387890482082783
Filename:	6j8aA9Av1m.exe
Filesize:	12113157
MD5:	7854d2046ef23eb38604e65e7040060d
SHA1:	41d415a8344d5a45f21999ef4f84eb3c7c8fe0c6
SHA256:	15e32b17f962cfcdb50cb78d74179495b89aadd1c8174151a52cc1e481f4e7d7
SHA512:	b8579f7d5636997b806b124483dde89373d8f59192b2d7ee540439fc004ee60df4df2f442c8aff23e061b61cc2755aa51e811c80a3fc830507da32cd79b9f3e0
SSDEEP:	196608:cbQLsmUzjxbODbedh49KRAg+89tvjXV9nHTDa:cbAUsWdlRT+wtrXzzO
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Found direct / indirect Syscall (likely to bypass EDR)	HIPS / PFW / Operating System Protection Evasion	Abuse Elevation Control Mechanism
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Switches to a custom stack to bypass stack traces	Malware Analysis System Evasion	Security Software Discovery
Contains functionality to call native functions	System Summary
Contains functionality to read the PEB	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Parts of this applications are using Borland Delphi (Probably coded in Delphi)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file imports many functions	System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\vmdeeo

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\vmdeeo
Category:	dropped
Dump:	vmdeeo.1.dr
ID:	dr_2
Target ID:	1
Process:	C:\Windows\SysWOW64\more.com
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.4982216030674
Encrypted:	false
Ssdeep:	12288:Hj98bKozHw6UGa0WPp7XlcoMGXidheK7t5kMT:mHwBhBbMUi2IkU
Size:	442880
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected Amadeys Clipper DLL	Stealing of Sensitive Information
Drops PE files	Persistence and Installation Behavior
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_comet.exe_e7bbc681222a1d73b6cf42d9a745c217a33551_d4022333_2af78d45-b336-44bd-b51b-a65038fcd7b2\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_comet.exe_e7bbc681222a1d73b6cf42d9a745c217a33551_d4022333_2af78d45-b336-44bd-b51b-a65038fcd7b2\Report.wer
Category:	dropped
Dump:	Report.wer.13.dr
ID:	dr_6
Target ID:	13
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.877461969432605
Encrypted:	false
Ssdeep:	96:qaFem8JlaKgsF4LXKWfxhQXIDcQtc6JXcENcw3nG+HbHgA5JHQbaVDPCEUjUg9OK:xDYgKgu0Tt3zXjDRMzuiFGZ24IO8aC
Size:	65536
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER44D3.tmp.dmp

Mini DuMP crash report, 15 streams, Tue Mar 25 13:48:34 2025, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER44D3.tmp.dmp
Category:	dropped
Dump:	WER44D3.tmp.dmp.13.dr
ID:	dr_3
Target ID:	13
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 15 streams, Tue Mar 25 13:48:34 2025, 0x1205a4 type
Entropy:	2.0970052046760848
Encrypted:	false
Ssdeep:	192:mOs/y08XAdsIbu1O5dI4kAQeV+KCT4UltzTRrOE10wMo:RWRsIdDI4kAQzbLOi
Size:	44346
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4580.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER4580.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER4580.tmp.WERInternalMetadata.xml.13.dr
ID:	dr_4
Target ID:	13
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.7183174616737427
Encrypted:	false
Ssdeep:	96:RSIU6o7wVetbvD6e8CYN0VOLhP855aM4Ur89bKQsfdPPGm:R6l7wVeJvD6eRYCkhOprr89bKQsfNOm
Size:	6272
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER45C0.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER45C0.tmp.xml
Category:	dropped
Dump:	WER45C0.tmp.xml.13.dr
ID:	dr_5
Target ID:	13
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.444261178613496
Encrypted:	false
Ssdeep:	48:cvIwWl8zsoJg77aI9UfWpW8VYNYm8M4JngFe+q80cjw3nqeid:uIjfuI7yO7VRJzGjw3qeid
Size:	4625
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\b86f9b50

PNG image data, 2688 x 523, 8-bit/color RGB, non-interlaced

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\b86f9b50
Category:	dropped
Dump:	b86f9b50.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\6j8aA9Av1m.exe
Type:	PNG image data, 2688 x 523, 8-bit/color RGB, non-interlaced
Entropy:	7.995473296971856
Encrypted:	true
Ssdeep:	24576:/s+ZOY+hto8bOn9Vb7RQnI/Itr0Qf/ZUMPZb6g5OH9xJ9WFi6M:Z+htxbOn9Vb7RQnd0G/Zb569xJJH
Size:	1167079
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\b8c90cd5

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\b8c90cd5
Category:	dropped
Dump:	b8c90cd5.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\6j8aA9Av1m.exe
Type:	data
Entropy:	7.617986648680805
Encrypted:	false
Ssdeep:	24576:oFKdIT1wVHJQBepaKj+Uf38ic6Vv2QUFzfrWAyMLkeLy6MfTOBEsPQ+0ilsgcZi:0Kd+1wVHJQBepaKyUP8H6VOzfrWOkIyQ
Size:	1174134
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\6j8aA9Av1m.exe

"C:\Users\user\Desktop\6j8aA9Av1m.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7624
Target ID:	0
Parent PID:	3964
Name:	6j8aA9Av1m.exe
Path:	C:\Users\user\Desktop\6j8aA9Av1m.exe
Commandline:	"C:\Users\user\Desktop\6j8aA9Av1m.exe"
Size:	12113157
MD5:	7854D2046EF23EB38604E65E7040060D
Time:	09:48:25
Date:	25/03/2025
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	8548352
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file imports many functions	System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\more.com

Details

Is windows:	true
Is dropped:	false
PID:	7696
Target ID:	1
Parent PID:	7624
Name:	more.com
Path:	C:\Windows\SysWOW64\more.com
Commandline:	C:\Windows\SysWOW64\more.com
Size:	24576
MD5:	03805AE7E8CBC07840108F5C80CF4973
Time:	09:48:26
Date:	25/03/2025
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xf50000
Modulesize:	40960
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Amadeys Clipper DLL	Stealing of Sensitive Information
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\SysWOW64\explorer.exe

Details

Is windows:	true
Is dropped:	false
PID:	7264
Target ID:	10
Parent PID:	7696
Name:	explorer.exe
Class:	explorer
Path:	C:\Windows\SysWOW64\explorer.exe
Commandline:	C:\Windows\SysWOW64\explorer.exe
Size:	4514184
MD5:	DD6597597673F72E10C9DE7901FBA0A8
Time:	09:48:33
Date:	25/03/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xe30000
Modulesize:	4493312
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Amadeys Clipper DLL	Stealing of Sensitive Information
Contains functionality to start a terminal service	Remote Access Functionality	Remote Desktop Protocol
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Launches a second explorer.exe instance	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7704
Target ID:	2
Parent PID:	7696
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	09:48:26
Date:	25/03/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff62fc20000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\ancar\comet.exe

Details

Is windows:	true
Is dropped:	false
PID:	7180
Target ID:	9
Parent PID:	1048
Name:	comet.exe
Path:	C:\Users\user\AppData\Roaming\ancar\comet.exe
Commandline:	C:\Users\user\AppData\Roaming\ancar\comet.exe
Size:	12113157
MD5:	7854D2046EF23EB38604E65E7040060D
Time:	09:48:32
Date:	25/03/2025
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x400000
Modulesize:	8548352
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7180 -s 600

Details

Is windows:	true
Is dropped:	false
PID:	7356
Target ID:	13
Parent PID:	7180
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7180 -s 600
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	09:48:33
Date:	25/03/2025
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0xa60000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://62.60.226.15/8fj482jd9/index.php

62.60.226.15

http://vovsoft.com/blog/how-to-activate-using-license-key/openU

unknown

http://62.60.226.15/

unknown

http://62.60.226.15/8fj482jd9/index.phpT

unknown

http://www.vmware.com/0

unknown

http://vovsoft.com

unknown

http://62.60.226.15/8fj482jd9/index.phpJ%4

unknown

http://www.aiim.org/pdfa/ns/id/

unknown

https://vovsoft.com/translation/

unknown

https://vovsoft.com/php/ocr_download.php?lang=

unknown

http://www.vmware.com/0/

unknown

http://vovsoft.com/help/

unknown

http://vovsoft.comopenU

unknown

http://www.indyproject.org/

unknown

http://vovsoft.comopenS

unknown

http://www.symauth.com/cps0(

unknown

http://www.color.org

unknown

http://62.60.226.15/8fj482jd9/index.php7

unknown

http://62.60.226.15/8fj482jd9/index.php:&

unknown

http://62.60.226.15/8fj482jd9/index.phpw

unknown

https://vovsoft.com/blog/credits-and-acknowledgements/open

unknown

http://vovsoft.com/

unknown

http://62.60.226.15/8fj482jd9/index.phpu

unknown

http://www.symauth.com/rpa00

unknown

http://vovsoft.com/blog/how-to-uninstall-vovsoft-software/openU

unknown

https://vovsoft.com/translation/openU

unknown

http://www.info-zip.org/

unknown

https://www.google.com/search?q=openSV

unknown

http://62.60.226.15/8fj482jd9/index.php_

unknown

http://62.60.226.15/8fj482jd9/index.phpP%2

unknown

http://62.60.226.15/8fj482jd9/index.php(&

unknown

http://vovsoft.com/openU

unknown

There are 22 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

62.60.226.15

unknown

Iran (ISLAMIC Republic Of)

Details

IP:	62.60.226.15
TargetID:	10
Current Path:	C:\Windows\SysWOW64\explorer.exe
Country:	Iran (ISLAMIC Republic Of)
Countrycode:	IRN
ASN number:	18013
ASN name:	ASLINE-AS-APASLINELIMITEDHK
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
HTTP GET or POST without a user agent	Networking
Connects to IPs without corresponding DNS lookups	Networking
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property

00184012D1FD5612

Details

TargetID:	13
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property
Value name:	00184012D1FD5612
Value data:	01 00 00 00 01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0 4F C2 97 EB 01 00 00 00 28 35 6A 1C FA D5 32 49 99 61 6F 2F 74 A5 F5 43 00 00 00 00 02 00 00 00 00 00 10 66 00 00 00 01 00 00 20 00 00 00 29 F8 34 C0 63 B8 CB 7A A4 5E 53 8B 6E 33 C0 A7 A0 73 BE ED A3 48 96 2E C3 2E 29 19 1C D8 31 A2 00 00 00 00 0E 80 00 00 00 02 00 00 20 00 00 00 7C 63 11 87 13 6E D1 C3 0F 26 73 BC 58 8B D7 97 22 58 2D C0 7C 99 35 68 D8 29 C5 27 EE 99 5B 83 80 00 00 00 0D 59 F3 E7 FB 28 95 1D 04 5C FF E5 04 37 D4 F7 AD 9F 2F D2 6A 1A AC C3 FC A4 B3 3E 6B 86 05 AB 71 EF 81 1D 50 81 B0 7C 36 3A 5B CA 42 05 E5 26 04 96 CF 6F C9 7D 8E FE 63 C1 43 24 F0 FA F8 9A 02 88 CD 99 44 E0 88 12 E1 DD 5D B6 DB F6 D2 1D 16 2F 2E 3A 74 C4 7B BB F1 4E D4 65 82 BB AE D9 2C 7D 5C B4 52 B1 A0 A8 2F 13 D3 9B 76 66 54 47 93 E7 C3 99 D8 F2 A3 5E BB BA 42 0E CC A4 46 00 40 00 00 00 0E D6 80 F7 13 F3 AB CD 95 82 CE 06 A3 15 DF 81 7C 12 5D 0C BF F7 94 32 3D 1E 02 4C 54 4A 7B 07 E8 C9 C6 9D A2 BF DD E5 24 50 63 A2 04 6A E7 DC 53 EB C0 84 71 15 3B D2 C2 73 FE F9 47 EE DB 66

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

DeviceTicket

Details

TargetID:	13
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
Value name:	DeviceTicket
Value data:	01 00 00 00 01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0 4F C2 97 EB 01 00 00 00 28 35 6A 1C FA D5 32 49 99 61 6F 2F 74 A5 F5 43 00 00 00 00 02 00 00 00 00 00 10 66 00 00 00 01 00 00 20 00 00 00 70 24 9A 65 B8 84 9D 01 FB E6 3A 97 B2 E0 ED AC 04 F1 5F 2F EA BA 46 44 FD DB B2 FA 22 79 C8 64 00 00 00 00 0E 80 00 00 00 02 00 00 20 00 00 00 67 51 48 DB AA D3 85 50 B7 6D 74 8B 15 64 15 8E 59 D9 71 56 DA B4 66 15 CB 03 3E 1C F1 A6 E3 1B 70 0A 00 00 46 AD 9D DB 9F 91 62 39 47 51 78 EB D7 5D F8 A4 EC 23 61 43 58 20 B8 74 13 EA 84 65 94 63 FF B8 72 11 45 BF 4B B5 B7 7B 93 0D B8 BD C1 06 7A 26 CA 99 3F 37 02 B2 21 E9 EF D1 E4 64 D7 08 36 ED 9A 78 42 08 E5 A0 BB D1 4C B9 6A D9 6D 29 C5 9D 71 2E 50 FA A5 F3 34 9E 78 16 CC 94 48 B4 4E 39 B2 E2 71 7D 17 BB 95 36 1C F4 41 87 46 14 6C 24 75 A4 4E 9A C9 88 09 AB 50 D8 CB DA 47 BA C3 BD F6 E5 B2 AB 7E 7F 7D A8 E6 02 82 D7 6E 8B E0 DB CC D6 63 8D 75 F0 0F 85 7D BB 98 8B CA 08 3E B2 B1 40 8A 3C 2B 54 86 FB 61 81 B2 15 F0 60 C7 40 C4 30 24 E7 E2 61 63 1E 7D F2 0A 41 67 83 3E A4 03 AF 64 F0 16 83 82 E3 E4 02 A9 36 70 4C 61 43 67 C6 27 18 5E 95 51 99 51 F6 21 D9 62 D5 2E 8E 21 3F D9 FC BA 1B C6 35 94 D1 28 E4 91 5E C0 3F 12 54 FF 70 53 18 F0 A3 F0 6B 5C 28 94 16 1E 5F 7B 1F EA 16 6A E8 67 2C E7 6E 2F 28 B7 FA F5 45 DB 5B 2A E1 B8 C1 47 A9 2C 49 5E 2F 5D D8 AA DD 3A 09 FE 9C C2 B3 D2 4F 91 6B 39 E3 4F DC 66 F2 BB 95 7F 5F D9 10 2A 8B 2F 7E 44 73 98 2F C9 CB F7 F7 30 89 D1 F7 51 94 68 03 1D D4 38 13 EF F1 9F ED 86 07 CA 59 24 9F A0 40 DE 98 39 74 3D 1A CA 0C 47 B0 97 15 DA BA 51 98 69 75 E2 39 09 69 39 05 DF D0 C9 00 24 18 DE 30 EB E3 F0 87 F4 28 B0 00 F0 20 6C FB 73 4C 5E F6 D7 46 29 AD 0F 90 42 3A 99 62 59 38 62 49 E8 19 E2 44 BE 7A C3 5B BE 28 0F 23 95 85 94 18 EE 6D F6 8E 78 7B 26 A9 79 43 20 4F 2F EB B8 31 F6 80 3C 22 83 65 E3 63 07 98 A6 EB 9F 5E 9E 74 3C F0 13 3E C4 CA F8 65 DB 35 D3 C6 A6 3E F4 8E 71 E9 57 1B 6B E0 D8 2F 0B 86 88 28 28 49 55 90 83 A9 13 78 BD 45 B1 2B 4E FA 8E 62 F7 9E 11 53 DD B7 99 93 EA CD EA 0D 66 F3 9E A8 28 4A 5C 0B 54 D5 F6 3B 53 E1 46 FD E9 45 DF E5 00 3B 16 AD 18 83 26 1F C7 08 DC 89 82 91 90 35 B5 56 63 DB EC 70 AD 6F 88 16 22 94 E5 0A 83 54 AF B6 F2 BD FD 00 AC C0 DD 72 A1 C9 16 00 14 20 12 F8 0F F5 B9 6A D1 EC 88 97 F0 05 CD 30 D9 A4 92 87 29 93 78 72 27 88 03 3A 1E F9 FD 3C 7B 13 F0 22 A9 71 C3 79 54 9E 20 F3 06 3F 43 2B F0 E5 EA 7B 9B 59 0D C2 EC 53 78 75 6E 4F 9F 5B 77 02 91 C2 E2 18 04 0A BC 8E 8D 00 36 ED 81 54 77 53 27 C2 F7 19 C6 AB C5 C9 9D 92 98 3A F2 A5 B5 0D 37 6E B6 59 DC 09 ED FC AA 4C B7 6D 07 58 94 1C 38 9C 5B DE 80 58 38 60 DA F9 03 D7 3B EB 29 72 B3 C8 52 7A 2D CA BB C1 FB D4 BE F7 91 09 1C 89 49 F3 29 88 38 86 4C F5 E2 67 E1 D3 A1 07 DC 15 58 89 4E F6 74 98 33 98 BA 77 49 4F C2 05 D0 D5 8C 3E A9 79 E5 9B 32 C7 09 75 20 D4 98 39 A3 81 A9 95 15 2C 9C 42 C3 B9 24 28 7E 24 F1 13 20 86 3D E3 8C 0E 51 29 EB B7 14 E6 30 F7 0F 50 70 AB CB 8C 41 72 B1 C9 5D 04 AC E3 20 6A 7B 7C 46 D7 71 33 AD EE 85 F0 C2 23 7A 63 BF 2D 4C C9 E6 EC BA B7 3F 49 1C 90 DF 9E 75 16 BD 69 1B 02 F9 53 19 E8 2B CA 31 D1 74 8E D9 B9 42 0D 0C 1D 90 C6 73 C4 29 47 51 18 63 82 3D 17 E5 AA 00 61 A4 1A 1D 85 1D 8E 18 3F CC C5 13 D7 FC 69 CA FB 62 9B 6E 76 84 6A 79 DB 95 13 84 9F 94 97 F9 A3 08 65 07 A8 DE 9D AB 31 48 55 88 52 0E 88 10 AF 81 1D E3 A0 6D 28 6D D9 63 C6 9D 4E 60 1B DD 4E 1E 08 49 1F CB CF A1 B8 FF 4D 44 89 B4 91 8B 94 D9 56 E5 F1 28 64 F9 4B 37 B9 99 6E EA 13 51 54 73 97 19 B3 8B F9 03 FD 1C 40 84 FD 97 9D 4A 20 C5 3A 87 45 04 EE 89 D2 2D C7 E1 51 FF 7D FB D2 E6 55 3D B5 0F FD 4C A0 81 AD 17 81 7B 32 94 D1 F5 F8 ED D9 03 A1 10 16 3F 07 8A 00 54 1F 4F 96 46 2A 2D 0D D7 89 E0 AC 78 A0 C8 96 BE A9 85 78 0E D7 F1 96 58 BE ED B3 E6 68 4E 7B E1 73 12 E1 F6 4A 52 B3 7B 7F DB 0D 1D 4E D7 1C C7 BA 71 40 39 50 0C 9A 70 5A 02 1D 12 43 38 B2 60 8F 2C 11 A0 00 F2 6B 2B 2D F2 BC 67 D4 04 9C 53 E4 9F D5 BB 7A B8 A9 DD C7 A0 A7 1C F8 87 C6 A7 40 41 0C 2C 5B 5C 23 9F 75 B3 C1 D3 5F 0D 93 18 C1 85 17 CA 21 77 59 4A 58 ED 4E F0 3F 34 56 B0 74 0A 0B 57 F5 7E 5B 80 18 E1 E1 B9 21 AE 73 4D 72 E5 D8 AE 51 58 31 63 5B D6 A3 3D 8D 19 45 67 E4 D5 51 41 FA 88 24 54 0B E7 98 B7 B8 BB 69 DA D2 CC DC 0C 80 F9 7E 13 86 71 35 73 FF 03 F4 99 F1 22 8D 78 5E E1 38 A7 C1 2D 9F 81 E6 32 D6 7E EE BC F9 CE DA 1D 3B 10 FC 62 03 C3 9A 3B 46 F3 4E 34 EE BE 79 5E 38 CF D8 4F 65 40 40 FD F2 EE 73 C6 0F C0 B2 B6 2C DF D3 45 3B 73 4E FA 3E F5 30 CD C2 46 9D 60 9B 43 A8 4E 7C 2F 73 56 AA 53 70 BC 81 DA 45 E1 C9 19 59 0F 52 72 D2 24 AF 00 75 05 53 89 BF 93 96 3D 79 12 CD 03 14 67 77 75 94 96 95 3A 3C 5B 05 18 94 6B 33 E5 49 0D 11 8A 83 BB 8B 2C 58 0D 00 18 CC CC 13 C6 AB FB C1 A3 66 FF E7 07 60 26 9F B5 08 F2 B3 86 72 06 09 A4 86 5B 57 C0 C9 2B 76 AF A7 DD C9 6C DF 3A 2D 35 AD 4A BD 98 24 05 D7 81 F7 3B 1C 0C 5C C1 16 FD FF D2 D4 ED 7E FF 94 89 39 07 18 12 9F 12 73 A3 A6 E3 13 9A 36 78 3A 26 01 04 5E 07 C9 F5 B6 43 FF 83 94 13 22 C8 1E 95 7B 4A DA CD F4 43 EB B6 8D CD 8F 89 36 2B 0B 84 E6 7D 3B 50 BA BA 2F 20 BA 24 8E 90 E6 22 17 1E E0 B6 17 94 42 55 95 CE B4 54 68 BE BD 57 24 94 73 71 87 50 54 1F E4 B2 38 F4 63 CB A0 DE 31 9B E1 3B 87 48 68 50 B2 BD 0B AF 6B AB 24 D9 19 B9 3A 18 F2 3E 31 A4 A6 AD F2 67 C2 EB C7 0F 3F EE 1C 89 DD FD 81 0F F8 D5 51 1B 5B 9D F9 FD 60 10 B9 AC 78 35 3A 73 5C 63 A5 C4 55 C8 92 B9 A2 AD 16 1B 4B 6C 35 07 DB 55 A9 0E 1F D2 59 8F BA D0 54 6D 70 24 B8 54 F6 55 58 0F D4 65 ED 83 D9 B6 8F DC 11 D6 14 70 81 B2 85 12 56 94 27 11 8A 11 7B 70 7F E2 CB 8F 29 77 A1 C5 5D 0F 65 49 DB FE 48 0D 69 C0 77 B9 EE DA 6F BA 90 9E 58 2A 3F F0 9D 2E 4F 8F 5D 97 C1 A2 05 42 C0 A8 B1 7E 17 F3 03 37 E7 F7 5C CB 7B A5 D7 65 13 14 FB 1C 85 AE 21 4B A1 70 29 61 13 0A 18 B8 A9 70 B9 2E B3 AB 26 28 C7 4D EE 58 6B E9 48 F3 45 AD 97 BA BD 7D C5 B6 4B 00 C3 94 A5 7E 1F C8 F4 01 9D 3B A9 5B 8F E9 64 14 D0 F3 7A F4 99 30 50 02 C2 C7 05 1F A0 0A AA AF 89 F0 96 44 D7 E2 0B 2A DC B4 6B 7A 10 43 F1 58 D1 B8 5C FA A7 65 60 A8 1E BA DB E2 55 17 C3 87 B2 CC F1 E1 6A 0B A8 5C 89 0E 4F EB 51 01 03 86 B7 60 F8 81 B4 5D C9 3D 40 39 4D AF 63 DC AC 0F E3 73 72 BC B0 C9 00 4E 58 7D BF 75 3C 4E A0 DA AC A8 2F 41 43 CD 76 F5 D2 01 0B 6B 02 AB 5F FD 4F 13 AD 6C 9D 05 4C F8 26 5B 34 E0 63 C5 17 DC 8D CF 49 ED 6F 6B 96 2F 2F DB 43 65 FB CB 80 71 3C F5 FC 7F 9F 29 66 90 07 2C E6 FC 06 54 88 D6 E4 0F 4D 2B 7B 2D 8F C6 05 B5 E6 92 27 21 D8 B6 67 85 19 A9 B8 25 FE 88 87 CD 06 FC A3 A6 E6 7F 72 87 A8 EB 0A 23 A4 54 A8 8A BE D5 1A 5F 11 C8 3A CD 76 62 B6 BF 81 CC 88 D7 56 16 E4 E5 7E 89 59 41 F4 B6 98 FC B3 C2 ED 27 D4 CF 54 B5 57 B2 A1 A8 98 77 F0 56 4B 0B 04 1D C9 1B C1 3D F9 49 AE 60 CC 57 8F EF 17 DA 91 57 01 ED 92 98 8F 76 30 01 35 0D 30 84 D1 D2 22 BF 3E 36 FE 22 E4 06 F0 48 DF 17 E3 24 98 8C 1D FE CA 5C A3 09 EB C7 FA 23 07 AD 13 82 B8 77 5F AD 27 03 9B 0F EB 78 D1 CD 30 09 32 CA 48 3F C8 6E 03 D4 9D A0 57 8A A8 83 55 8C 13 24 FA 45 C0 E9 A8 E2 AA DC 3A 84 84 3F 3B 81 A8 A3 70 54 3E 82 57 77 82 AC 8E B6 08 A6 FF C3 C7 8A 47 89 E1 9E 06 82 5D 73 2D 5B 6A D4 5E 9B AE 2D 1A 47 3B 57 91 61 02 F4 34 BD 53 4A 42 5D 95 2C B9 1D BB B1 94 B5 90 3E 82 0B 5C 72 28 A4 89 BF 6A 6D 3F E7 19 E7 44 A2 87 06 5C AF 47 EE B6 C3 EE FA 81 15 5E AB 83 03 EE 5D DF CA 49 2D 8D D3 8B 21 B9 5A D2 BA 8E 0C EA CE 23 9A EE 63 69 5F 0A 6F AD BC 60 4E 82 04 EC 9C 8A 03 C4 32 18 A0 CB 07 35 17 15 42 1B EB 4A BB E9 86 03 53 EA D3 D0 20 C3 43 BE 2A 31 38 5B 64 03 7C 5B FE DB 68 E6 52 78 33 9A 0F 58 4B 1F 5F DE F6 33 E6 11 B6 9C 41 EB DC 94 D5 D5 66 DA F7 A6 30 05 00 8B F2 A6 CF 88 9B 96 84 25 2A 60 DA 90 EC 69 34 89 11 F6 72 3C 6C 29 12 27 52 84 38 C8 C6 78 A7 0C 67 DB AD 8D BC 32 F3 C0 B7 23 CD 38 1C 0E D4 DA 3F 84 24 42 4E 3A 99 6E 8C EC B1 1E 24 22 72 F9 2F C6 94 50 35 19 58 5E 29 86 20 52 B9 22 D7 D1 FF AE FD 83 FB A9 48 C9 C9 BA 6C 92 66 C6 D7 66 75 3B 08 5B F2 C7 51 39 F9 9D 1A 3D 08 DD 6F D8 4E 37 8D 75 62 D6 7A 84 BA FD DF F7 7E C1 F4 0D DA FE 8C 5D C0 D5 71 AD 43 5D E3 FA 24 F4 08 C3 B3 09 5E 02 FF 6F C0 1A 96 C5 9B 32 26 76 D3 B9 5D 8E E8 5F E8 8C 35 E6 DA 06 3A 4C E9 1C 25 9D B8 AE 7A C7 4A 97 29 B0 0C 19 53 88 5B F4 B7 BB 07 64 17 3A 35 AB 15 E7 28 EF AC 08 53 3C DE 1B D7 81 69 D5 2F 0C 56 7A E6 49 EA 01 4A A3 5C 92 A5 E0 98 DB C5 61 59 01 BF E0 73 A7 3A F4 28 F0 DF A8 56 6D 23 D6 1A 03 29 44 1A BB 77 23 52 99 82 1F 79 F5 81 5C 7F E9 DD A3 B4 B3 72 1C FC 1F 4E 10 96 9C 5A 18 43 92 CC D4 86 FD D9 E0 9B 41 D0 A7 F7 96 AB 6C 0D FA 77 E1 E2 A5 4F EA B3 2D 7E 72 F5 36 0C BE 94 CD 6D 5B 61 24 E0 C3 41 07 E1 01 57 20 EF C3 E9 F9 C9 7D A8 7F 2D E6 C4 4B 53 F9 7F DF 5A D0 E3 6A 20 DE 43 6E 3C D1 30 89 5A 57 78 C7 42 6A 97 D4 DF 4B 71 81 C0 09 15 1E 40 00 00 00 5E 72 67 57 AC 46 22 4C 24 32 81 5F 24 6C 75 6D 61 DC 9E 85 6A D6 79 C0 8C 0E FC A1 DB 90 54 34 3A 88 31 1C FF DC 3C 26 2D 8C A6 C5 87 A4 B2 74 F5 92 D0 60 27 DA DE 49 A9 3F CD A9 94 46 15 E1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

DeviceId

Memdumps

Base Address

Regiontype

Protect

Malicious

Download

59E0000

direct allocation

page read and write

36D2000

heap

page read and write

E1A000

heap

page read and write

E22000

heap

page read and write

29FD000

direct allocation

page read and write

9B5000

unkown

page readonly

98B000

unkown

page read and write

57F9000

direct allocation

page read and write

56D0000

direct allocation

page read and write

36EF000

heap

page read and write

3600000

heap

page read and write

29B1000

direct allocation

page read and write

3785000

heap

page read and write

E15000

heap

page read and write

B81000

unkown

page readonly

BC2000

unkown

page readonly

2A01000

direct allocation

page read and write

323F000

stack

page read and write

58EE000

stack

page read and write

2FF4000

heap

page read and write

95B000

unkown

page read and write

E26000

heap

page read and write

402B000

heap

page read and write

3037000

heap

page read and write

4FC0000

direct allocation

page read and write

5254000

trusted library allocation

page read and write

10F0000

heap

page read and write

4C53000

heap

page read and write

1126000

heap

page read and write

338E000

heap

page read and write

29FA000

direct allocation

page read and write

C30000

heap

page read and write

E26000

heap

page read and write

95B000

unkown

page read and write

2D4E000

stack

page read and write

2FF4000

heap

page read and write

333E000

stack

page read and write

46B3000

heap

page read and write

BFB000

unkown

page readonly

3780000

heap

page read and write

520C000

trusted library allocation

page read and write

5EFD000

stack

page read and write

5330000

trusted library allocation

page read and write

2F9F000

stack

page read and write

334D000

stack

page read and write

19A000

stack

page read and write

E3F000

heap

page read and write

2A7A000

direct allocation

page read and write

9B000

stack

page read and write

55CA000

unkown

page read and write

5AFB000

stack

page read and write

95D000

unkown

page read and write

2FF4000

heap

page read and write

5119000

trusted library allocation

page read and write

769000

unkown

page execute read

2A73000

direct allocation

page read and write

D35000

heap

page read and write

3700000

heap

page read and write

E28000

heap

page read and write

5330000

unkown

page read and write

3750000

heap

page read and write

5ABC000

stack

page read and write

3FE4000

heap

page read and write

4480000

heap

page read and write

E25000

heap

page read and write

61BE000

stack

page read and write

4420000

heap

page read and write

F3D000

heap

page read and write

2A38000

direct allocation

page read and write

2A22000

direct allocation

page read and write

2FF4000

heap

page read and write

29C8000

direct allocation

page read and write

33B0000

heap

page read and write

401C000

heap

page read and write

E19000

heap

page read and write

29EC000

direct allocation

page read and write

36E6000

heap

page read and write

E0F000

heap

page read and write

29AA000

direct allocation

page read and write

F4E000

stack

page read and write

2FF4000

heap

page read and write

47E0000

heap

page read and write

2A6C000

direct allocation

page read and write

D7E000

stack

page read and write

E40000

heap

page read and write

F00000

heap

page read and write

FEF000

stack

page read and write

2FF4000

heap

page read and write

2FF4000

heap

page read and write

95B000

unkown

page write copy

F06000

heap

page read and write

2A56000

direct allocation

page read and write

2FF0000

heap

page read and write

2FF4000

heap

page read and write

D10000

heap

page read and write

2C30000

heap

page read and write

11A0000

heap

page read and write

592F000

stack

page read and write

E2D000

heap

page read and write

4E9E000

trusted library allocation

page read and write

596E000

stack

page read and write

4484000

heap

page read and write

47BF000

heap

page read and write

962000

unkown

page read and write

2A4F000

direct allocation

page read and write

2FF4000

heap

page read and write

2FF4000

heap

page read and write

2A88000

direct allocation

page read and write

2FDE000

stack

page read and write

298D000

direct allocation

page read and write

29F3000

direct allocation

page read and write

29D6000

direct allocation

page read and write

BA3000

unkown

page write copy

B9D000

unkown

page readonly

2A7E000

stack

page read and write

DF8000

heap

page read and write

C80000

heap

page read and write

2FF4000

heap

page read and write

613D000

stack

page read and write

C07000

unkown

page readonly

2FF4000

heap

page read and write

330C000

stack

page read and write

2D80000

heap

page read and write

E15000

heap

page read and write

29B8000

direct allocation

page read and write

2D83000

heap

page read and write

2FF4000

heap

page read and write

2FF4000

heap

page read and write

E1E000

heap

page read and write

2FF4000

heap

page read and write

1110000

heap

page read and write

9B0000

unkown

page read and write

9B7000

unkown

page readonly

4029000

heap

page read and write

10EF000

stack

page read and write

2C20000

direct allocation

page execute and read and write

CB0000

heap

page read and write

518E000

trusted library allocation

page read and write

2C10000

heap

page read and write

2FF4000

heap

page read and write

36E6000

heap

page read and write

FDE000

stack

page read and write

E48000

heap

page read and write

B31000

unkown

page execute read

9B0000

unkown

page write copy

515E000

direct allocation

page read and write

2D0F000

stack

page read and write

9B4000

unkown

page read and write

E21000

heap

page read and write

EA8000

heap

page read and write

2FF4000

heap

page read and write

2FF4000

heap

page read and write

3000000

direct allocation

page read and write

3030000

heap

page read and write

D30000

heap

page read and write

4034000

heap

page read and write

29E4000

direct allocation

page read and write

5370000

unkown

page read and write

2FF4000

heap

page read and write

586E000

direct allocation

page read and write

2FF4000

heap

page read and write

2A0D000

direct allocation

page read and write

5FFE000

stack

page read and write

4E40000

trusted library allocation

page read and write

2A81000

direct allocation

page read and write

E48000

heap

page read and write

3680000

heap

page read and write

2FF4000

heap

page read and write

625E000

stack

page read and write

EA0000

heap

page read and write

C30000

heap

page read and write

10DF000

stack

page read and write

549D000

heap

page read and write

2A31000

direct allocation

page read and write

2FF4000

heap

page read and write

2A64000

direct allocation

page read and write

2A08000

direct allocation

page read and write

3380000

heap

page read and write

337F000

stack

page read and write

974000

unkown

page write copy

29A2000

direct allocation

page read and write

4590000

unkown

page read and write

4B30000

heap

page read and write

2FF4000

heap

page read and write

53AE000

unkown

page read and write

4EE6000

trusted library allocation

page read and write

5371000

unkown

page read and write

5470000

unkown

page read and write

50E9000

direct allocation

page read and write

57FD000

direct allocation

page read and write

36D5000

heap

page read and write

537A000

heap

page read and write

E9C000

stack

page read and write

76E000

unkown

page execute read

29DD000

direct allocation

page read and write

C0A000

unkown

page readonly

2FF4000

heap

page read and write

19D000

stack

page read and write

2FE0000

heap

page read and write

1120000

heap

page read and write

9B4000

unkown

page read and write

29EF000

direct allocation

page read and write

4AB1000

heap

page read and write

5655000

unkown

page read and write

441C000

stack

page read and write

4A2F000

heap

page read and write

E2A000

heap

page read and write

2FF4000

heap

page read and write

569D000

unkown

page read and write

2A48000

direct allocation

page read and write

98B000

unkown

page read and write

2FF4000

heap

page read and write

BF6000

unkown

page readonly

2984000

direct allocation

page read and write

59B0000

unkown

page read and write

3700000

heap

page read and write

2A5D000

direct allocation

page read and write

9A000

stack

page read and write

95D000

unkown

page read and write

603D000

stack

page read and write

11A9000

heap

page read and write

2FF4000

heap

page read and write

986000

unkown

page read and write

398F000

stack

page read and write

48E2000

heap

page read and write

4017000

heap

page read and write

303C000

heap

page read and write

5471000

unkown

page read and write

5371000

unkown

page read and write

C7E000

stack

page read and write

50ED000

direct allocation

page read and write

1120000

heap

page read and write

3703000

heap

page read and write

C11000

unkown

page readonly

5550000

unkown

page read and write

11A5000

heap

page read and write

986000

unkown

page read and write

2FF4000

heap

page read and write

635E000

stack

page read and write

E19000

heap

page read and write

2C33000

heap

page read and write

DF0000

heap

page read and write

3688000

heap

page read and write

401000

unkown

page execute read

E32000

heap

page read and write

E7F000

stack

page read and write

29CF000

direct allocation

page read and write

61FF000

stack

page read and write

5360000

heap

page read and write

DCE000

stack

page read and write

511D000

trusted library allocation

page read and write

2FF4000

heap

page read and write

2FF4000

heap

page read and write

4032000

heap

page read and write

2FF4000

heap

page read and write

400000

unkown

page readonly

E22000

heap

page read and write

4484000

heap

page read and write

2FF4000

heap

page read and write

B30000

unkown

page readonly

36EF000

heap

page read and write

5471000

unkown

page read and write

2FF4000

heap

page read and write

E2A000

heap

page read and write

2FF4000

heap

page read and write

E21000

heap

page read and write

E5C000

stack

page read and write

1120000

direct allocation

page execute and read and write

3DC4000

heap

page read and write

36CB000

heap

page read and write

299B000

direct allocation

page read and write

E35000

heap

page read and write

4FF0000

trusted library allocation

page read and write

4EED000

trusted library allocation

page read and write

988000

unkown

page read and write

59AF000

stack

page read and write

458E000

stack

page read and write

2A2A000

direct allocation

page read and write

3851000

heap

page read and write

E29000

heap

page read and write

B96000

unkown

page read and write

There are 271 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
6j8aA9Av1m.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report6j8aA9Av1m.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
6j8aA9Av1m.exe