IOC Report
WiTqtf1aiE.exe

Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| `WiTqtf1aiE.exe` | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious |
| `C:\ProgramData\AEHIDAKECF.exe` | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious |
| `C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_22594e132764.exe_ccd4ce4ffa4affe920cf036359dd7e3a7c64ae1_79c6969d_10d44d82-3818-4f78-95c4-d62f2374fa9d\Report.wer` | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | malicious |
| `C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_22594e132764.exe_ccd4ce4ffa4affe920cf036359dd7e3a7c64ae1_79c6969d_78ec0684-bcbb-4337-adb3-e05a91df8730\Report.wer` | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | malicious |
| `C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_WiTqtf1aiE.exe_fcb55378b23a3e2780d8841e31ba47db77bf40df_72e290f3_72e37a3d-dc03-4ce4-b601-fc0f2a6e8dcd\Report.wer` | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | malicious |
| `C:\ProgramData\freebl3.dll` | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| `C:\ProgramData\mozglue.dll` | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| `C:\ProgramData\nss3.dll` | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| `C:\ProgramData\softokn3.dll` | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| `C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\softokn3[1].dll` | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| `C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\sql[1].dll` | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| `C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\a43486128347[1].exe` | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious |
| `C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\freebl3[1].dll` | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| `C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\22594e132764[1].exe` | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious |
| `C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\mozglue[1].dll` | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| `C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\nss3[1].dll` | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| `C:\Users\user\AppData\Local\Temp\IDSM\22594e132764.exe` | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious |
| `C:\ProgramData\AFIDGDBGCAAF\AKECBF` | SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2 | dropped | |
| `C:\ProgramData\AFIDGDBGCAAF\AKECBF-shm` | data | dropped | |
| `C:\ProgramData\AFIDGDBGCAAF\BFIJEH` | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1 | dropped | |
| `C:\ProgramData\AFIDGDBGCAAF\BKEBFH` | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8 | dropped | |
| `C:\ProgramData\AFIDGDBGCAAF\CGHDAK` | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1 | dropped | |
| `C:\ProgramData\AFIDGDBGCAAF\DBKEGC` | ASCII text, with very long lines (1743), with CRLF line terminators | dropped | |
| `C:\ProgramData\AFIDGDBGCAAF\EBFBKF` | SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7 | dropped | |
| `C:\ProgramData\AFIDGDBGCAAF\GCGCFC` | SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4 | dropped | |
| `C:\ProgramData\AFIDGDBGCAAF\HDHJEB` | SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1 | dropped | |
| `C:\ProgramData\AFIDGDBGCAAF\IEHCBA` | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3 | dropped | |
| `C:\ProgramData\AFIDGDBGCAAF\JKKFII` | SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3 | dropped | |
| `C:\ProgramData\AFIDGDBGCAAF\JKKFII-shm` | data | dropped | |
| `C:\ProgramData\FCFBFHIEBKJK\DGCBAF` | SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4 | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_AEHIDAKECF.exe_692646668c39db6480cb8a6752bc727249b14fd7_8715bf9f_9ab4ce95-bed5-4124-a32f-31a43d884dd6\Report.wer` | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WER5146.tmp.dmp` | Mini DuMP crash report, 14 streams, Mon Oct 7 19:18:31 2024, 0x1205a4 type | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WER51D3.tmp.WERInternalMetadata.xml` | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WER5203.tmp.xml` | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WERA467.tmp.dmp` | Mini DuMP crash report, 14 streams, Mon Oct 7 19:18:52 2024, 0x1205a4 type | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WERA4A7.tmp.WERInternalMetadata.xml` | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WERA4D6.tmp.xml` | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WERDBA8.tmp.dmp` | Mini DuMP crash report, 14 streams, Mon Oct 7 19:18:01 2024, 0x1205a4 type | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC07.tmp.WERInternalMetadata.xml` | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC37.tmp.xml` | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WERE5AB.tmp.dmp` | Mini DuMP crash report, 14 streams, Mon Oct 7 19:18:04 2024, 0x1205a4 type | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WERE5FA.tmp.WERInternalMetadata.xml` | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WERE61A.tmp.xml` | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| `C:\ProgramData\msvcp140.dll` | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped | |
| `C:\ProgramData\vcruntime140.dll` | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped | |
| `C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll` | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped | |
| `C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\vcruntime140[1].dll` | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped | |
| `C:\Users\user\AppData\Local\Temp\delays.tmp` | ASCII text, with very long lines (65536), with no line terminators | dropped | |
| `C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_6546093.lnk` | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Hidden, ctime=Mon Oct 7 18:18:02 2024, mtime=Mon Oct 7 18:18:03 2024, atime=Mon Oct 7 18:18:03 2024, length=585216, window=hide | dropped | |
| `C:\Windows\appcompat\Programs\Amcache.hve` | MS Windows registry file, NT/2000 or above | dropped | |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| `C:\Users\user\Desktop\WiTqtf1aiE.exe` | `"C:\Users\user\Desktop\WiTqtf1aiE.exe"` | malicious |
| `C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe` | `"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"` | malicious |
| `C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe` | `"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"` | malicious |
| `C:\Users\user\AppData\Local\Temp\IDSM\22594e132764.exe` | `"C:\Users\user\AppData\Local\Temp\IDSM\22594e132764.exe"` | malicious |
| `C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe` | `"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"` | malicious |
| `C:\Users\user\AppData\Local\Temp\IDSM\22594e132764.exe` | `"C:\Users\user\AppData\Local\Temp\IDSM\22594e132764.exe"` | malicious |
| `C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe` | `"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"` | malicious |
| `C:\ProgramData\AEHIDAKECF.exe` | `"C:\ProgramData\AEHIDAKECF.exe"` | malicious |
| `C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe` | `"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"` | malicious |
| `C:\Windows\SysWOW64\WerFault.exe` | `C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 264` | |
| `C:\Windows\SysWOW64\WerFault.exe` | `C:\Windows\SysWOW64\WerFault.exe -u -p 6980 -s 260` | |
| `C:\Windows\SysWOW64\WerFault.exe` | `C:\Windows\SysWOW64\WerFault.exe -u -p 7656 -s 248` | |
| `C:\Windows\SysWOW64\WerFault.exe` | `C:\Windows\SysWOW64\WerFault.exe -u -p 7912 -s 260` | |
| `C:\Windows\SysWOW64\cmd.exe` | `"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AFIDGDBGCAAF" & exit` | |
| `C:\Windows\System32\conhost.exe` | `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` | |
| `C:\Windows\SysWOW64\timeout.exe` | `timeout /t 10` | |

URLs

| Name | IP | Malicious |
|---|---|---|
| `frizzettei.sbs` | | malicious |
| `http://heks.egrowbrands.com/ldms/22594e132764.exe` | 147.45.44.104 | malicious |
| `http://nsdm.cumpar-auto-orice-tip.ro/ldms/a43486128347.exe` | 147.45.44.104 | malicious |
| `http://kasm.zubairgul.com/vcruntime140.dll` | 95.164.90.97 | malicious |
| `http://kasm.zubairgul.com/softokn3.dll` | 95.164.90.97 | malicious |
| `http://heks.egrowbrands.com/ldms/22594e132764.exestem32` | unknown | malicious |
| `https://t.me/ae5ed` | unknown | malicious |
| `https://steamcommunity.com/profiles/76561199724331900` | 104.102.49.254 | malicious |
| `invinjurhey.sbs` | | malicious |
| `exilepolsiy.sbs` | | malicious |
| `http://heks.egrowbrands.com/ldms/22594e132764.exepnsp.dll` | unknown | malicious |
| `bemuzzeki.sbs` | | malicious |
| `http://kasm.zubairgul.com/msvcp140.dll` | 95.164.90.97 | malicious |
| `exemplarou.sbs` | | malicious |
| `http://kasm.zubairgul.com/mozglue.dll` | 95.164.90.97 | malicious |
| `wickedneatr.sbs` | | malicious |
| `https://t.me/` | unknown | malicious |
| `http://kasm.zubairgul.com/freebl3.dll` | 95.164.90.97 | malicious |
| `https://steamcommunity.com/profiles/76561199780418869u55uMozilla/5.0` | unknown | malicious |
| `laddyirekyi.sbs` | | malicious |
| `http://kasm.zubairgul.com/nss3.dll` | 95.164.90.97 | malicious |
| `isoplethui.sbs` | | malicious |
| `https://steamcommunity.com/profiles/76561199780418869` | | malicious |
| `http://kasm.zubairgul.com/` | 95.164.90.97 | malicious |
| `http://147.45.44.104/ldms/offers.txt` | 147.45.44.104 | malicious |
| `http://kasm.zubairgul.com/sql.dll` | 95.164.90.97 | malicious |
| `http://cowod.hopto.org/` | 45.132.206.251 | malicious |
| `https://t.me/maslengdsa` | 149.154.167.99 | malicious |
| `https://duckduckgo.com/chrome_newtab` | unknown | |
| `https://player.vimeo.com` | unknown | |
| `https://duckduckgo.com/ac/?q=` | unknown | |
| `http://kasm.zubairgul.com/C:` | unknown | |
| `http://cowod.hopto.org` | unknown | |
| `http://kasm.zubairgul.com/sql.dlll` | unknown | |
| `https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.` | unknown | |
| `https://www.gstatic.cn/recaptcha/` | unknown | |
| `https://www.youtube.com` | unknown | |
| `https://www.google.com` | unknown | |
| `https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli` | unknown | |
| `http://cowod.hopto.org_DEBUG.zip/c` | unknown | |
| `http://kasm.zubairgul.com/sql.dllS` | unknown | |
| `http://kasm.zubairgul.com:80/sql.dll` | unknown | |
| `https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&` | unknown | |
| `http://cowod.hopto.` | unknown | |
| `http://cowod.hopto` | unknown | |
| `https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL` | unknown | |
| `https://s.ytimg.com;` | unknown | |
| `http://kasm.zubairgul.com/nlsres.dll` | unknown | |
| `https://steam.tv/` | unknown | |
| `http://kasm.zubairgul.com:80` | unknown | |
| `http://www.mozilla.com/en-US/blocklist/` | unknown | |
| `https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english` | unknown | |
| `https://mozilla.org0/` | unknown | |
| `https://lv.queniujq.c` | unknown | |
| `https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=` | unknown | |
| `http://cowod.hopto.orgHDA` | unknown | |
| `http://kasm.zubairgul.com:80ontent-Disposition:` | unknown | |
| `https://sketchfab.com` | unknown | |
| `https://www.ecosia.org/newtab/` | unknown | |
| `https://lv.queniujq.cn` | unknown | |
| `https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br` | unknown | |
| `https://www.youtube.com/` | unknown | |
| `https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en` | unknown | |
| `http://kasm.zubairgul.com/lt?0_` | unknown | |
| `https://www.google.com/recaptcha/` | unknown | |
| `https://checkout.steampowered.com/` | unknown | |
| `https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL` | unknown | |
| `http://cowod.multipart/form-data;` | unknown | |
| `https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english` | unknown | |
| `https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref` | unknown | |
| `https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477` | unknown | |
| `https://store.steampowered.com/;` | unknown | |
| `https://t.me/maslengdsau?$` | unknown | |
| `https://web.telegram.org` | unknown | |
| `https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/` | unknown | |
| `https://community.akamai.steamstatic.com/` | unknown | |
| `https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi` | unknown | |
| `https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=` | unknown | |
| `http://cowod.hopto.AAFHDA` | unknown | |
| `https://recaptcha.net/recaptcha/;` | unknown | |
| `http://nsdm.cumpar-auto-orice-tip.ro/ldms/a43486128347.exe1kkkk` | unknown | |
| `http://cowod.hoptoJJKFIIJ` | unknown | |
| `https://medal.tv` | unknown | |
| `https://broadcast.st.dl.eccdnx.com` | unknown | |
| `https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search` | unknown | |
| `http://kasm.zubairgul.com/sql.dllXT` | unknown | |
| `http://kasm.zubairgul.com/FO` | unknown | |
| `https://community.akamai.steam` | unknown | |
| `https://login.steampowered.com/` | unknown | |
| `http://www.sqlite.org/copyright.html.` | unknown | |
| `http://kasm.zubairgul.com/sql.dllVersion` | unknown | |
| `https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl` | unknown | |
| `https://www.google.com/images/branding/product/ico/googleg_lodp.ico` | unknown | |
| `https://recaptcha.net` | unknown | |
| `http://upx.sf.net` | unknown | |
| `https://store.steampowered.com/` | unknown | |
| `https://t.me/maslengdsa9` | unknown | |
| `https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw` | unknown | |
| `http://kasm.zubairgul.com/sql.dllE;.JS;.JSE;.WSF;.WS` | unknown | |
| `https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta` | unknown | |

Domains

| Name | IP | Malicious |
|---|---|---|
| `steamcommunity.com` | 104.102.49.254 | malicious |
| `cowod.hopto.org` | 45.132.206.251 | malicious |
| `nsdm.cumpar-auto-orice-tip.ro` | 147.45.44.104 | malicious |
| `t.me` | 149.154.167.99 | malicious |
| `heks.egrowbrands.com` | 147.45.44.104 | malicious |
| `kasm.zubairgul.com` | 95.164.90.97 | malicious |
| `frizzettei.sbs` | unknown | malicious |
| `bemuzzeki.sbs` | unknown | malicious |
| `invinjurhey.sbs` | unknown | malicious |
| `exilepolsiy.sbs` | unknown | malicious |
| `exemplarou.sbs` | unknown | malicious |
| `laddyirekyi.sbs` | unknown | malicious |
| `wickedneatr.sbs` | unknown | malicious |
| `isoplethui.sbs` | unknown | malicious |
| `bg.microsoft.map.fastly.net` | 199.232.214.172 | |
| `s-part-0017.t-0009.fb-t-msedge.net` | 13.107.253.45 | |
| `fp2e7a.wpc.phicdn.net` | 192.229.221.95 | |

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 104.102.49.254 | `steamcommunity.com` | United States | malicious |
| 147.45.44.104 | `nsdm.cumpar-auto-orice-tip.ro` | Russian Federation | malicious |
| 95.164.90.97 | `kasm.zubairgul.com` | Gibraltar | malicious |
| 149.154.167.99 | `t.me` | United Kingdom | malicious |
| 45.132.206.251 | `cowod.hopto.org` | Russian Federation | malicious |

Registry

| Path | Value | Malicious |
|---|---|---|
| `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` | IDSMService | malicious |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\22594e132764.exe\|95b1c1d6ca946e99` | ProgramId | malicious |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\22594e132764.exe\|95b1c1d6ca946e99` | FileId | malicious |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\22594e132764.exe\|95b1c1d6ca946e99` | LowerCaseLongPath | malicious |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\22594e132764.exe\|95b1c1d6ca946e99` | LongPathHash | malicious |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\22594e132764.exe\|95b1c1d6ca946e99` | Name | malicious |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\22594e132764.exe\|95b1c1d6ca946e99` | OriginalFileName | malicious |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\22594e132764.exe\|95b1c1d6ca946e99` | Publisher | malicious |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\22594e132764.exe\|95b1c1d6ca946e99` | Version | malicious |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\22594e132764.exe\|95b1c1d6ca946e99` | BinFileVersion | malicious |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\22594e132764.exe\|95b1c1d6ca946e99` | BinaryType | malicious |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\22594e132764.exe\|95b1c1d6ca946e99` | ProductName | malicious |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\22594e132764.exe\|95b1c1d6ca946e99` | ProductVersion | malicious |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\22594e132764.exe\|95b1c1d6ca946e99` | LinkDate | malicious |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\22594e132764.exe\|95b1c1d6ca946e99` | BinProductVersion | malicious |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\22594e132764.exe\|95b1c1d6ca946e99` | AppxPackageFullName | malicious |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\22594e132764.exe\|95b1c1d6ca946e99` | AppxPackageRelativeId | malicious |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\22594e132764.exe\|95b1c1d6ca946e99` | Size | malicious |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\22594e132764.exe\|95b1c1d6ca946e99` | Language | malicious |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\22594e132764.exe\|95b1c1d6ca946e99` | Usn | malicious |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\witqtf1aie.exe\|27de41b1772e8b7b` | ProgramId | |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\witqtf1aie.exe\|27de41b1772e8b7b` | FileId | |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\witqtf1aie.exe\|27de41b1772e8b7b` | LowerCaseLongPath | |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\witqtf1aie.exe\|27de41b1772e8b7b` | LongPathHash | |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\witqtf1aie.exe\|27de41b1772e8b7b` | Name | |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\witqtf1aie.exe\|27de41b1772e8b7b` | OriginalFileName | |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\witqtf1aie.exe\|27de41b1772e8b7b` | Publisher | |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\witqtf1aie.exe\|27de41b1772e8b7b` | Version | |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\witqtf1aie.exe\|27de41b1772e8b7b` | BinFileVersion | |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\witqtf1aie.exe\|27de41b1772e8b7b` | BinaryType | |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\witqtf1aie.exe\|27de41b1772e8b7b` | ProductName | |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\witqtf1aie.exe\|27de41b1772e8b7b` | ProductVersion | |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\witqtf1aie.exe\|27de41b1772e8b7b` | LinkDate | |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\witqtf1aie.exe\|27de41b1772e8b7b` | BinProductVersion | |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\witqtf1aie.exe\|27de41b1772e8b7b` | AppxPackageFullName | |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\witqtf1aie.exe\|27de41b1772e8b7b` | AppxPackageRelativeId | |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\witqtf1aie.exe\|27de41b1772e8b7b` | Size | |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\witqtf1aie.exe\|27de41b1772e8b7b` | Language | |
| `\REGISTRY\A\{4b41e280-5749-0348-df7e-14c78301cb08}\Root\InventoryApplicationFile\witqtf1aie.exe\|27de41b1772e8b7b` | Usn | |
| `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached` | {40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214EF-0000-0000-C000-000000000046} 0xFFFF | |
| `HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property` | 0018C00F99D0338A | |
| `HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}` | DeviceTicket | |
| `HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}` | DeviceId | |
| `HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}` | ApplicationFlags | |
| `\REGISTRY\A\{5c76c7de-058b-9d79-5f63-16c61136d283}\Root\InventoryApplicationFile\aehidakecf.exe\|8216bba66a764bb1` | ProgramId | |
| `\REGISTRY\A\{5c76c7de-058b-9d79-5f63-16c61136d283}\Root\InventoryApplicationFile\aehidakecf.exe\|8216bba66a764bb1` | FileId | |
| `\REGISTRY\A\{5c76c7de-058b-9d79-5f63-16c61136d283}\Root\InventoryApplicationFile\aehidakecf.exe\|8216bba66a764bb1` | LowerCaseLongPath | |
| `\REGISTRY\A\{5c76c7de-058b-9d79-5f63-16c61136d283}\Root\InventoryApplicationFile\aehidakecf.exe\|8216bba66a764bb1` | LongPathHash | |
| `\REGISTRY\A\{5c76c7de-058b-9d79-5f63-16c61136d283}\Root\InventoryApplicationFile\aehidakecf.exe\|8216bba66a764bb1` | Name | |
| `\REGISTRY\A\{5c76c7de-058b-9d79-5f63-16c61136d283}\Root\InventoryApplicationFile\aehidakecf.exe\|8216bba66a764bb1` | OriginalFileName | |
| `\REGISTRY\A\{5c76c7de-058b-9d79-5f63-16c61136d283}\Root\InventoryApplicationFile\aehidakecf.exe\|8216bba66a764bb1` | Publisher | |
| `\REGISTRY\A\{5c76c7de-058b-9d79-5f63-16c61136d283}\Root\InventoryApplicationFile\aehidakecf.exe\|8216bba66a764bb1` | Version | |
| `\REGISTRY\A\{5c76c7de-058b-9d79-5f63-16c61136d283}\Root\InventoryApplicationFile\aehidakecf.exe\|8216bba66a764bb1` | BinFileVersion | |
| `\REGISTRY\A\{5c76c7de-058b-9d79-5f63-16c61136d283}\Root\InventoryApplicationFile\aehidakecf.exe\|8216bba66a764bb1` | BinaryType | |
| `\REGISTRY\A\{5c76c7de-058b-9d79-5f63-16c61136d283}\Root\InventoryApplicationFile\aehidakecf.exe\|8216bba66a764bb1` | ProductName | |
| `\REGISTRY\A\{5c76c7de-058b-9d79-5f63-16c61136d283}\Root\InventoryApplicationFile\aehidakecf.exe\|8216bba66a764bb1` | ProductVersion | |
| `\REGISTRY\A\{5c76c7de-058b-9d79-5f63-16c61136d283}\Root\InventoryApplicationFile\aehidakecf.exe\|8216bba66a764bb1` | LinkDate | |
| `\REGISTRY\A\{5c76c7de-058b-9d79-5f63-16c61136d283}\Root\InventoryApplicationFile\aehidakecf.exe\|8216bba66a764bb1` | BinProductVersion | |
| `\REGISTRY\A\{5c76c7de-058b-9d79-5f63-16c61136d283}\Root\InventoryApplicationFile\aehidakecf.exe\|8216bba66a764bb1` | AppxPackageFullName | |
| `\REGISTRY\A\{5c76c7de-058b-9d79-5f63-16c61136d283}\Root\InventoryApplicationFile\aehidakecf.exe\|8216bba66a764bb1` | AppxPackageRelativeId | |
| `\REGISTRY\A\{5c76c7de-058b-9d79-5f63-16c61136d283}\Root\InventoryApplicationFile\aehidakecf.exe\|8216bba66a764bb1` | Size | |
| `\REGISTRY\A\{5c76c7de-058b-9d79-5f63-16c61136d283}\Root\InventoryApplicationFile\aehidakecf.exe\|8216bba66a764bb1` | Language | |
| `\REGISTRY\A\{5c76c7de-058b-9d79-5f63-16c61136d283}\Root\InventoryApplicationFile\aehidakecf.exe\|8216bba66a764bb1` | Usn | |
| `HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData` | ClockTimeSeconds | |
| `HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData` | TickCount | |

Memdumps

Base Address
Regiontype
Protect
Malicious
400000
remote allocation
page execute and read and write
malicious
86D000
unkown
page read and write
malicious
FED000
unkown
page read and write
malicious
86D000
unkown
page read and write
malicious
400000
remote allocation
page execute and read and write
malicious
1390000
heap
page read and write
DDF000
stack
page read and write
1048000
unkown
page readonly
19B5D000
heap
page read and write
144D000
stack
page read and write
1FE4D000
direct allocation
page execute read
6CBA1000
unkown
page execute read
14D0000
heap
page read and write
61C000
remote allocation
page execute and read and write
1FDE6000
direct allocation
page execute read
E2A000
heap
page read and write
6CD85000
unkown
page readonly
1FCF3000
direct allocation
page execute read
FED000
unkown
page write copy
530000
heap
page read and write
863000
unkown
page readonly
7FB7000
heap
page read and write
1046000
unkown
page read and write
12C1D000
stack
page read and write
4AB2D000
stack
page read and write
173BE000
stack
page read and write
1266000
heap
page read and write
2FA0000
heap
page read and write
200E8000
direct allocation
page execute read
13C7000
heap
page read and write
11E0000
heap
page read and write
863000
unkown
page readonly
125C000
stack
page read and write
DE5000
heap
page read and write
32AC000
stack
page read and write
2EED000
stack
page read and write
ABC000
stack
page read and write
7E70000
heap
page read and write
1380000
heap
page read and write
106DF000
stack
page read and write
840000
unkown
page readonly
6CD3F000
unkown
page readonly
124D000
stack
page read and write
134E000
stack
page read and write
5DA000
unkown
page readonly
B60000
heap
page read and write
203EA000
heap
page read and write
1A2DE000
heap
page read and write
FE3000
unkown
page readonly
200E0000
direct allocation
page execute and read and write
2032F000
direct allocation
page readonly
C67000
heap
page read and write
2EAE000
stack
page read and write
33B0000
heap
page read and write
107C000
stack
page read and write
1118000
heap
page read and write
19FFC000
heap
page read and write
19E7F000
stack
page read and write
1FC88000
direct allocation
page execute read
EFA000
stack
page read and write
123C000
stack
page read and write
5D8000
unkown
page execute and read and write
1370000
heap
page read and write
1744E000
stack
page read and write
1FE93000
direct allocation
page readonly
1370000
heap
page read and write
14DE000
heap
page read and write
1573000
heap
page read and write
8D0000
unkown
page readonly
F20000
heap
page read and write
841000
unkown
page execute read
1161000
heap
page read and write
140E000
stack
page read and write
120E000
stack
page read and write
1220000
heap
page read and write
103E000
stack
page read and write
100CE000
stack
page read and write
1060000
heap
page read and write
5D9000
unkown
page read and write
114F000
heap
page read and write
8CF000
unkown
page read and write
1A0C1000
heap
page read and write
FE3000
unkown
page readonly
FC1000
unkown
page execute read
1793E000
stack
page read and write
1450000
heap
page read and write
6CA60000
unkown
page readonly
E9E000
heap
page read and write
14E7D000
stack
page read and write
160000
heap
page read and write
86D000
unkown
page write copy
A0E0000
heap
page read and write
19D00000
heap
page read and write
1300000
heap
page read and write
1614000
heap
page read and write
5CD000
unkown
page write copy
14BA000
heap
page read and write
149E000
stack
page read and write
B20000
heap
page read and write
11D7000
heap
page read and write
8D0000
unkown
page readonly
481000
remote allocation
page execute and read and write
360E000
stack
page read and write
4E4000
remote allocation
page execute and read and write
53E000
heap
page read and write
1263000
heap
page read and write
6CD7F000
unkown
page write copy
19B20000
heap
page read and write
503000
remote allocation
page execute and read and write
A7C000
stack
page read and write
326DB000
heap
page read and write
1250000
heap
page read and write
8CD000
unkown
page execute and read and write
133D000
stack
page read and write
1048000
unkown
page readonly
400000
remote allocation
page execute and read and write
45CE000
stack
page read and write
1278D000
stack
page read and write
1A160000
heap
page read and write
15EE000
stack
page read and write
15AF000
stack
page read and write
14CA000
heap
page read and write
6CAEE000
unkown
page read and write
4660000
heap
page read and write
19AEC000
stack
page read and write
622000
remote allocation
page execute and read and write
1FEB6000
direct allocation
page readonly
14D8000
heap
page read and write
38646000
heap
page read and write
13A0000
heap
page read and write
11AC000
heap
page read and write
D8E000
stack
page read and write
161E000
heap
page read and write
98C000
stack
page read and write
1A0E0000
heap
page read and write
1A385000
heap
page read and write
1430000
heap
page read and write
EFC000
stack
page read and write
7F60000
heap
page read and write
BF0000
heap
page read and write
170000
heap
page read and write
11AE000
stack
page read and write
1286000
heap
page read and write
13B0000
heap
page read and write
1278000
heap
page read and write
5C3000
unkown
page readonly
FE5000
heap
page read and write
E91000
heap
page read and write
BA0000
heap
page read and write
65D000
remote allocation
page execute and read and write
Base Address  Region type           Protection
8CF000        unknown               page read and write
1110000       heap                  page read and write
1A180000      heap                  page read and write
8D0000        unknown               page readonly
1535E000      stack                 page read and write
16BF000       stack                 page read and write
14E1F000      stack                 page read and write
19FDA000      stack                 page read and write
14D1E000      stack                 page read and write
11BA000       heap                  page read and write
D00000        heap                  page read and write
5A0000        unknown               page readonly
199EB000      stack                 page read and write
4E6000        remote allocation     page execute and read and write
548000        heap                  page read and write
58FE000       stack                 page read and write
D4E000        stack                 page read and write
E23000        heap                  page read and write
BBC000        stack                 page read and write
841000        unknown               page execute read
19AFC000      heap                  page read and write
173F000       stack                 page read and write
86D000        unknown               page write copy
12FD000       stack                 page read and write
840000        unknown               page readonly
CF2000        stack                 page read and write
460F000       stack                 page read and write
DB8000        heap                  page read and write
267F7000      heap                  page read and write
FC1000        unknown               page execute read
392C000       stack                 page read and write
1360000       heap                  page read and write
3930000       heap                  page read and write
2D5D000       stack                 page read and write
135D000       stack                 page read and write
6CADD000      unknown               page readonly
1530F000      stack                 page read and write
670000        remote allocation     page execute and read and write
123D000       heap                  page read and write
17FF000       stack                 page read and write
1FE54000      direct allocation     page execute read
1040000       heap                  page read and write
62C000        remote allocation     page execute and read and write
1FEBB000      direct allocation     page readonly
841000        unknown               page execute read
2048A000      heap                  page read and write
9D0000        heap                  page read and write
117C000       stack                 page read and write
141F000       stack                 page read and write
14AE000       stack                 page read and write
16CD000       heap                  page read and write
624000        remote allocation     page execute and read and write
19B0D000      heap                  page read and write
1789D000      stack                 page read and write
628000        remote allocation     page execute and read and write
6CBA0000      unknown               page readonly
5ECF000       stack                 page read and write
33BE000       heap                  page read and write
1A00D000      heap                  page read and write
EA5000        heap                  page read and write
62A000        remote allocation     page execute and read and write
16EF000       stack                 page read and write
61E000        remote allocation     page execute and read and write
C60000        heap                  page read and write
14C3000       heap                  page read and write
137A000       heap                  page read and write
4A8EC000      stack                 page read and write
D9E000        stack                 page read and write
124D000       heap                  page read and write
FC0000        unknown               page readonly
E1C000        heap                  page read and write
116D000       stack                 page read and write
FFD000        stack                 page read and write
503000        remote allocation     page execute and read and write
5A1000        unknown               page execute read
13C0000       heap                  page read and write
4C0000        remote allocation     page execute and read and write
1A059000      heap                  page read and write
14D4000       heap                  page read and write
200CE000      stack                 page read and write
1FEC2000      direct allocation     page read and write
32CD000       stack                 page read and write
6CAF2000      unknown               page readonly
840000        unknown               page readonly
1FE8D000      direct allocation     page execute read
45E000        remote allocation     page execute and read and write
19D13000      heap                  page read and write
BEE000        stack                 page read and write
1520E000      stack                 page read and write
7E60000       heap                  page read and write
4C5000        remote allocation     page execute and read and write
1FEE1000      heap                  page read and write
201CD000      stack                 page read and write
B3B000        stack                 page read and write
1380000       heap                  page read and write
5C3000        unknown               page readonly
7FB0000       heap                  page read and write
11B0000       heap                  page read and write
6CA61000      unknown               page execute read
DB0000        heap                  page read and write
2032A000      direct allocation     page readonly
1FEAB000      direct allocation     page readonly
1228000       heap                  page read and write
840000        unknown               page readonly
4E4000        remote allocation     page execute and read and write
EFC000        stack                 page read and write
134E000       stack                 page read and write
10D000        stack                 page read and write
13FE000       stack                 page read and write
1FEA6000      direct allocation     page readonly
9C90000       unclassified section  page read and write
1340000       heap                  page read and write
4A7EB000      stack                 page read and write
20890000      heap                  page read and write
1FE45000      direct allocation     page execute read
177E000       stack                 page read and write
1458000       heap                  page read and write
2F2B000       stack                 page read and write
1623000       heap                  page read and write
14C0000       heap                  page read and write
2CBD000       stack                 page read and write
202EF000      direct allocation     page readonly
1A05D000      heap                  page read and write
863000        unknown               page readonly
1FE56000      direct allocation     page execute read
101CF000      stack                 page read and write
137E000       heap                  page read and write
7E3F000       stack                 page read and write
200E1000      direct allocation     page execute read
14CCD000      stack                 page read and write
19B1D000      heap                  page read and write
98F000        stack                 page read and write
61A000        remote allocation     page execute and read and write
5A0000        unknown               page readonly
350B000       stack                 page read and write
DF9000        heap                  page read and write
53A000        heap                  page read and write
863000        unknown               page readonly
4C5000        remote allocation     page execute and read and write
2032D000      direct allocation     page readonly
4FD000        stack                 page read and write
5CD000        unknown               page read and write
1FE5A000      direct allocation     page execute read
1998F000      stack                 page read and write
E15000        heap                  page read and write
E8D000        heap                  page read and write
19EDB000      stack                 page read and write
33AF000       stack                 page read and write
116F000       stack                 page read and write
1274000       heap                  page read and write
1065000       heap                  page read and write
B30000        heap                  page read and write
19FEC000      heap                  page read and write
20322000      direct allocation     page read and write
340F000       stack                 page read and write
6CD80000      unknown               page read and write
CFC000        stack                 page read and write
1498000       heap                  page read and write
48F000        remote allocation     page execute and read and write
1380000       heap                  page read and write
143C000       heap                  page read and write
1FE8F000      direct allocation     page readonly
620000        remote allocation     page execute and read and write
382C000       stack                 page read and write
1FE15000      direct allocation     page execute read
D90000        heap                  page read and write
1560000       heap                  page read and write
19C34000      heap                  page read and write
1274C000      stack                 page read and write
19FE2000      heap                  page read and write
1685000       heap                  page read and write
1BE000        stack                 page read and write
3E5B6000      heap                  page read and write
202ED000      direct allocation     page execute read
20246000      direct allocation     page execute read
1A179000      heap                  page read and write
10F0000       heap                  page read and write
2CFD000       stack                 page read and write
1045000       unknown               page execute and read and write
840E000       stack                 page read and write
EBE000        heap                  page read and write
330E000       stack                 page read and write
16FE000       stack                 page read and write
169A000       heap                  page read and write
2F8E000       stack                 page read and write
5A1000        unknown               page execute read
2C76E000      heap                  page read and write
31AE000       stack                 page read and write
14CE000       heap                  page read and write
841000        unknown               page execute read
1FE000        stack                 page read and write
1FF8F000      heap                  page read and write
1178000       heap                  page read and write
1A387000      heap                  page read and write
2D80000       heap                  page read and write
A0F0000       heap                  page read and write
65D000        remote allocation     page execute and read and write
187F000       stack                 page read and write
1171000       stack                 page read and write
4A57B000      stack                 page read and write
1A04D000      heap                  page read and write
1A2C0000      heap                  page read and write
59C000        remote allocation     page execute and read and write
4C0000        remote allocation     page execute and read and write
8CD000        unknown               page execute and read and write
11EE000       heap                  page read and write
30AF000       stack                 page read and write
1020D000      stack                 page read and write
11E1000       heap                  page read and write
6CD7E000      unknown               page read and write
12C5B000      stack                 page read and write
5DA000        unknown               page readonly
1519D000      stack                 page read and write
20344000      heap                  page read and write
14B6000       heap                  page read and write
19AF2000      heap                  page read and write
1FCCA000      direct allocation     page execute read
19BF0000      heap                  page read and write
14C9000       heap                  page read and write
A1E0000       unclassified section  page read and write
156C000       heap                  page read and write
1248000       heap                  page read and write
1FEC6000      direct allocation     page read and write
2E8D000       stack                 page read and write
88F000        stack                 page read and write
1330000       heap                  page read and write
E93000        heap                  page read and write
8D0000        unknown               page readonly
202F8000      direct allocation     page readonly
59C000        remote allocation     page execute and read and write
1A0D4000      heap                  page read and write
10EF000       stack                 page read and write
6B0000        heap                  page read and write
FE0000        heap                  page read and write
FC0000        unknown               page readonly
1386000       heap                  page read and write
626000        remote allocation     page execute and read and write
377 further memdumps are hidden in the full report and are not listed here.
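Triage helper for a memdump listing like the one above. This is an added editor's example, not part of the sandbox report or its tooling. It parses the report's flattened three-line records (base address, region type, protection), normalises the report's "unkown" spelling, and flags the combinations an analyst looks for first: writable-and-executable pages, regions labelled "remote allocation" (memory the sandbox saw allocated into the process from outside, the usual footprint of process injection) and executable "direct allocation" regions (executable memory with no backing image). It then collapses flagged addresses that lie close together into spans, since a run of small RWX remote allocations is typically one injected payload rather than many. The sample records are copied from entries in the listing; the 1 MiB clustering gap, the flag names and the reading of the region-type labels are assumptions, not something the report states.

```python
import re
from dataclasses import dataclass

# Constructed sample input: records copied from the memdump listing above, in the
# same flattened form the report uses (base address, region type, protection on
# three consecutive lines). The report spells the region type "unkown"; the parser
# normalises that to "unknown".
SAMPLE_RECORDS = [
    ("8CF000", "unkown", "page read and write"),
    ("1110000", "heap", "page read and write"),
    ("86D000", "unkown", "page write copy"),
    ("841000", "unkown", "page execute read"),
    ("8CD000", "unkown", "page execute and read and write"),
    ("1FE54000", "direct allocation", "page execute read"),
    ("1FE8F000", "direct allocation", "page readonly"),
    ("45E000", "remote allocation", "page execute and read and write"),
    ("4C0000", "remote allocation", "page execute and read and write"),
    ("4C5000", "remote allocation", "page execute and read and write"),
    ("59C000", "remote allocation", "page execute and read and write"),
    ("62C000", "remote allocation", "page execute and read and write"),
    ("670000", "remote allocation", "page execute and read and write"),
    ("9C90000", "unclassified section", "page read and write"),
]
SAMPLE_LISTING = "\n".join(line for rec in SAMPLE_RECORDS for line in rec) + "\n"

# Assumed gap (1 MiB): flagged regions closer than this are treated as one allocation burst.
CLUSTER_GAP = 0x100000


@dataclass(frozen=True)
class Region:
    base: int
    kind: str
    protect: str


def parse_memdumps(text: str) -> list[Region]:
    """Group a flattened memdump listing into Region records."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 3:
        raise ValueError("listing is not a whole number of 3-line records")
    regions = []
    for i in range(0, len(lines), 3):
        base, kind, protect = lines[i:i + 3]
        if not re.fullmatch(r"[0-9A-Fa-f]{1,16}", base):
            raise ValueError(f"record {i // 3}: {base!r} is not a hex base address")
        regions.append(Region(int(base, 16), "unknown" if kind == "unkown" else kind, protect))
    return regions


def is_executable(protect: str) -> bool:
    return "execute" in protect


def is_writable(protect: str) -> bool:
    # "page write copy" is copy-on-write image data, not general writable memory.
    return "write" in protect and "copy" not in protect


def classify(region: Region) -> list[str]:
    """Triage flags for one region; an empty list means nothing stood out."""
    flags = []
    if is_executable(region.protect) and is_writable(region.protect):
        flags.append("rwx")            # writable and executable: unpack or injection staging
    if region.kind == "remote allocation":
        flags.append("remote-alloc")   # allocated into this process by another process
    if region.kind == "direct allocation" and is_executable(region.protect):
        flags.append("direct-exec")    # executable memory not backed by a mapped image
    return flags


def triage(text: str) -> dict[str, list[str]]:
    """Map each flagged base address (uppercase hex, as printed in the report) to its flags."""
    result = {}
    for region in parse_memdumps(text):
        flags = classify(region)
        if flags:
            result[f"{region.base:X}"] = flags
    return result


def cluster(bases: list[int], gap: int = CLUSTER_GAP) -> list[tuple[int, int]]:
    """Collapse addresses into (lowest, highest) spans; a new span starts after a gap > `gap`."""
    spans = []
    for base in sorted(bases):
        if spans and base - spans[-1][1] <= gap:
            spans[-1] = (spans[-1][0], base)
        else:
            spans.append((base, base))
    return spans


def flagged_clusters(text: str, gap: int = CLUSTER_GAP) -> list[tuple[int, int]]:
    return cluster([int(b, 16) for b in triage(text)], gap)


if __name__ == "__main__":
    for base, flags in triage(SAMPLE_LISTING).items():
        print(f"{base:>10}  {', '.join(flags)}")
    for lo, hi in flagged_clusters(SAMPLE_LISTING):
        print(f"cluster {lo:X}-{hi:X}")
```

Run against the whole listing rather than the sample, the interesting output is the spans: on the sample, the six remote allocations collapse into a single span from 45E000 to 670000, while the RWX page at 8CD000 (inside what the image-base entries at 840000 and 841000 suggest is the sample's own mapped image) and the executable direct allocation at 1FE54000 stay separate. Those are the regions to dump and inspect first; the heap and stack rows carry no signal on their own.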