Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.946780810779866
Filename:	file.exe
Filesize:	1865216
MD5:	7acff0643ac8da6aa58822aab6ba453b
SHA1:	47df2346c8eb19e1990b2c55f5742a2bd9c6541c
SHA256:	f17f46b2673a99e664d75717d2057ed3bd0abd0035b2db05a53ee78b43bb5f19
SHA512:	f1356f9577494c099eb508673e27bfeed0d58b3f43fa4229eaec944b2ed529293769d503750f7c2c5b548712ca3b6b605ac9ad38a82f5246d1ae36e4f7c53f17
SSDEEP:	49152:zaCkV/rZ6t2JJ4HkWHB+Gy0/qset2JcReJ:zGFrbWL5dyn
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f..............................J...........@...........................J.....t.....@.................................W...k..

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Hides threads from debuggers	Anti Debugging
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)	Boot Survival
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion	Security Software Discovery
Tries to detect sandboxes and other dynamic analysis tools (window names)	Anti Debugging
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion
Tries to evade debugger and weak emulator (self modifying code)	Malware Analysis System Evasion
Checks for debuggers (devices)	Anti Debugging
Checks if the current process is being debugged	Anti Debugging	Virtualization/Sandbox Evasion
Contains capabilities to detect virtual machines	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
One or more processes crash	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Found strings which match to known social media urls	Networking
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Queries a list of all running drivers	Malware Analysis System Evasion
Queries a list of all running processes	Malware Analysis System Evasion
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_2f26e4b65edfc9809a16d7533fcfcfa7c28d99cc_852b229c_24d9a490-260c-479c-b0e5-c8ba074a91b8\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_2f26e4b65edfc9809a16d7533fcfcfa7c28d99cc_852b229c_24d9a490-260c-479c-b0e5-c8ba074a91b8\Report.wer
Category:	dropped
Dump:	Report.wer.5.dr
ID:	dr_3
Target ID:	5
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	1.0219045487082323
Encrypted:	false
Ssdeep:	192:f6UCILCs4vePlktS0BU/b03juF5QzuiFlZ24IO8ThB:ZYeN6ZBU/wjJzuiFlY4IO8L
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD730.tmp.dmp

Mini DuMP crash report, 15 streams, Sat Oct 12 09:18:08 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERD730.tmp.dmp
Category:	dropped
Dump:	WERD730.tmp.dmp.5.dr
ID:	dr_0
Target ID:	5
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 15 streams, Sat Oct 12 09:18:08 2024, 0x1205a4 type
Entropy:	1.4822425319232675
Encrypted:	false
Ssdeep:	768:NJ9MyABTJsRFv3esbCpz0n0NM2Zh62pufCKTZPvN:NEDJuvOcnGXZh62putPl
Size:	293834
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD8E6.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERD8E6.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WERD8E6.tmp.WERInternalMetadata.xml.5.dr
ID:	dr_1
Target ID:	5
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.6897404740867437
Encrypted:	false
Ssdeep:	192:R6l7wVeJ8Cr6qqVz6Y2DiSUYgmfBGeBprf89bNYsf7KPm:R6lXJv6qqVz6YPSUYgmfZsNLfv
Size:	8294
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD926.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERD926.tmp.xml
Category:	dropped
Dump:	WERD926.tmp.xml.5.dr
ID:	dr_2
Target ID:	5
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.429646863588523
Encrypted:	false
Ssdeep:	48:cvIwWl8zs1Jg77aI9fUWpW8VYfYm8M4JjlFe+q8Cupnj6Md:uIjfPI7dN7VPJ6+pnj6Md
Size:	4542
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.5.dr
ID:	dr_4
Target ID:	5
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.468437333580091
Encrypted:	false
Ssdeep:	6144:6zZfpi6ceLPx9skLmb0fNZWSP3aJG8nAgeiJRMMhA2zX4WABluuNbjDH5Sy:cZHtNZWOKnMM6bFp9j4
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2680
Target ID:	0
Parent PID:	4004
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	1865216
MD5:	7ACFF0643AC8DA6AA58822AAB6BA453B
Time:	05:18:02
Date:	12/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x670000
Modulesize:	4902912
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 1936

Details

Is windows:	true
Is dropped:	false
PID:	1408
Target ID:	5
Parent PID:	2680
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 1936
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	05:18:08
Date:	12/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x860000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://sergei-esenin.com/

unknown

https://sergei-esenin.com:443/apip

unknown

studennotediw.store

dissapoiznw.store

https://steamcommunity.com/profiles/76561199724331900

104.102.49.254

https://steamcommunity.com:443/profiles/76561199724331900

unknown

eaglepawnoy.store

https://steamcommunity.com/profiles/76561199724331900/inventory/

unknown

https://sergei-esenin.com:443/api

unknown

bathdoomgaz.store

clearancek.site

spirittunek.store

licendfilteo.site

https://www.cloudflare.com/learning/access-management/phishing-attack/

unknown

https://player.vimeo.com

unknown

https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_com

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp

unknown

https://steamcommunity.com/?subsection=broadcasts

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/moda

unknown

https://store.steampowered.com/subscriber_agreement/

unknown

https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzz

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6

unknown

http://www.valvesoftware.com/legal.htm

unknown

https://www.youtube.com

unknown

https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png

unknown

https://www.google.com

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png

unknown

https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&

unknown

https://community.al/

unknown

https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

unknown

https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi

unknown

https://s.ytimg.com;

unknown

https://steam.tv/

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english

unknown

http://store.steampowered.com/privacy_agreement/

unknown

https://store.steampowered.com/points/shop/

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.j

unknown

https://sketchfab.com

unknown

https://lv.queniujq.cn

unknown

https://www.youtube.com/

unknown

https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg

unknown

https://store.steampowered.com/privacy_agreement/

unknown

https://www.cloudflare.com/learning/access-manag

unknown

https://www.cloudflare.com/5xx-error-landing

unknown

https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0

unknown

https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am

unknown

https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english

unknown

https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english

unknown

https://cdn.akamai.

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png

unknown

https://help.st

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis

unknown

https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC

unknown

https://store.steampowered.com/;

unknown

https://store.steampowered.com/about/

unknown

https://spirittunek.store:443/api8$

unknown

https://steamcommunity.com/my/wishlist/

unknown

https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english

unknown

https://help.steampowered.com/en/

unknown

https://steamcommunity.com/market/

unknown

https://store.steampowered.com/news/

unknown

https://community.akamai.steamstatic.com/

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=

unknown

http://store.steampowered.com/subscriber_agreement/

unknown

https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1

unknown

https://recaptcha.net/recaptcha/;

unknown

https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en

unknown

https://community.akamai.stea

unknown

https://login.steamp

unknown

https://steamcommunity.com/discussions/

unknown

https://store.steampowered.com/stats/

unknown

https://steamcommunity.com/R

unknown

https://medal.tv

unknown

https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1

unknown

https://store.steampowered.com/steam_refunds/

unknown

https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900

unknown

https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e

unknown

https://steamcommunity.com/workshop/

unknown

https://login.steampowered.com/

unknown

https://store.steampowered.com/legal/

unknown

https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e

unknown

https://community.akamai.steamstatic.com/public/css

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv

unknown

https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl

unknown

https://recaptcha.net

unknown

http://upx.sf.net

unknown

https://store.steampowered.com/

unknown

https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw

unknown

https://studennotediw.store:443/api

unknown

https://mobbipenju.store:443/api

unknown

https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif

unknown

http://127.0.0.1:27060

unknown

https://clearancek.site:443/apii

unknown

https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016

unknown

https://www.google.com/recaptcl-

unknown

There are 90 hidden URLs, click here to show them.

Domains

Name

Malicious

steamcommunity.com

104.102.49.254

sergei-esenin.com

172.67.206.204

eaglepawnoy.store

unknown

bathdoomgaz.store

unknown

spirittunek.store

unknown

licendfilteo.site

unknown

studennotediw.store

unknown

mobbipenju.store

unknown

clearancek.site

unknown

dissapoiznw.store

unknown

IPs

Domain

Country

Malicious

104.102.49.254

steamcommunity.com

United States

Details

IP:	104.102.49.254
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	16625
ASN name:	AKAMAI-ASUS
Private:	false
Domain:	steamcommunity.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

172.67.206.204

sergei-esenin.com

United States

Details

IP:	172.67.206.204
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	sergei-esenin.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

\REGISTRY\A\{67ebb946-5893-da09-236d-3ea7997cceb1}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

ProgramId

\REGISTRY\A\{67ebb946-5893-da09-236d-3ea7997cceb1}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

FileId

\REGISTRY\A\{67ebb946-5893-da09-236d-3ea7997cceb1}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

LowerCaseLongPath

\REGISTRY\A\{67ebb946-5893-da09-236d-3ea7997cceb1}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

LongPathHash

\REGISTRY\A\{67ebb946-5893-da09-236d-3ea7997cceb1}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

Name

\REGISTRY\A\{67ebb946-5893-da09-236d-3ea7997cceb1}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

OriginalFileName

\REGISTRY\A\{67ebb946-5893-da09-236d-3ea7997cceb1}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

Publisher

\REGISTRY\A\{67ebb946-5893-da09-236d-3ea7997cceb1}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

Version

\REGISTRY\A\{67ebb946-5893-da09-236d-3ea7997cceb1}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

BinFileVersion

\REGISTRY\A\{67ebb946-5893-da09-236d-3ea7997cceb1}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

BinaryType

\REGISTRY\A\{67ebb946-5893-da09-236d-3ea7997cceb1}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

ProductName

\REGISTRY\A\{67ebb946-5893-da09-236d-3ea7997cceb1}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

ProductVersion

\REGISTRY\A\{67ebb946-5893-da09-236d-3ea7997cceb1}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

LinkDate

\REGISTRY\A\{67ebb946-5893-da09-236d-3ea7997cceb1}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

BinProductVersion

\REGISTRY\A\{67ebb946-5893-da09-236d-3ea7997cceb1}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

AppxPackageFullName

\REGISTRY\A\{67ebb946-5893-da09-236d-3ea7997cceb1}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

AppxPackageRelativeId

\REGISTRY\A\{67ebb946-5893-da09-236d-3ea7997cceb1}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

Size

\REGISTRY\A\{67ebb946-5893-da09-236d-3ea7997cceb1}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

Language

\REGISTRY\A\{67ebb946-5893-da09-236d-3ea7997cceb1}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

Usn

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

DeviceTicket

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

DeviceId

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

ApplicationFlags

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property

0018000DDABBE6B3

There are 13 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

671000

unkown

page execute and read and write

4701000

heap

page read and write

45AF000

stack

page read and write

46F0000

direct allocation

page read and write

C35000

heap

page read and write

2AEF000

stack

page read and write

4D20000

direct allocation

page execute and read and write

4B40000

trusted library allocation

page read and write

46F0000

direct allocation

page read and write

E35000

heap

page read and write

65B000

stack

page read and write

4701000

heap

page read and write

4701000

heap

page read and write

55DF000

stack

page read and write

346E000

stack

page read and write

4701000

heap

page read and write

332E000

stack

page read and write

422E000

stack

page read and write

46F0000

direct allocation

page read and write

97B000

unkown

page execute and write copy

37EF000

stack

page read and write

51CF000

stack

page read and write

4701000

heap

page read and write

547E000

stack

page read and write

40EE000

stack

page read and write

4701000

heap

page read and write

4CE0000

direct allocation

page execute and read and write

4D1D000

stack

page read and write

4E4D000

stack

page read and write

46F0000

direct allocation

page read and write

29ED000

heap

page read and write

E6B000

heap

page read and write

4701000

heap

page read and write

ECA000

heap

page read and write

46F0000

direct allocation

page read and write

4D40000

direct allocation

page execute and read and write

4701000

heap

page read and write

3A6F000

stack

page read and write

46F0000

direct allocation

page read and write

54DE000

stack

page read and write

4D10000

direct allocation

page execute and read and write

ED2000

heap

page read and write

C30000

heap

page read and write

4701000

heap

page read and write

E38000

heap

page read and write

671000

unkown

page execute and write copy

DFE000

heap

page read and write

29E7000

heap

page read and write

31EE000

stack

page read and write

3AAE000

stack

page read and write

97B000

unkown

page execute and read and write

E8A000

heap

page read and write

55F0000

heap

page read and write

46F0000

direct allocation

page read and write

4710000

heap

page read and write

4B7D000

stack

page read and write

FEE000

stack

page read and write

29B0000

heap

page read and write

E72000

heap

page read and write

3E2F000

stack

page read and write

51E0000

remote allocation

page read and write

4D00000

direct allocation

page execute and read and write

4701000

heap

page read and write

4D51000

trusted library allocation

page read and write

392F000

stack

page read and write

E6F000

heap

page read and write

40AF000

stack

page read and write

51E0000

remote allocation

page read and write

E79000

heap

page read and write

4701000

heap

page read and write

41EF000

stack

page read and write

4700000

heap

page read and write

46F0000

direct allocation

page read and write

E2F000

heap

page read and write

5780000

trusted library allocation

page read and write

4701000

heap

page read and write

4D10000

direct allocation

page execute and read and write

DAE000

stack

page read and write

4D10000

direct allocation

page execute and read and write

446F000

stack

page read and write

4701000

heap

page read and write

2F6E000

stack

page read and write

B1B000

unkown

page execute and write copy

C1B000

stack

page read and write

E54000

heap

page read and write

29C0000

heap

page read and write

35AE000

stack

page read and write

3BAF000

stack

page read and write

D40000

heap

page read and write

36AF000

stack

page read and write

E79000

heap

page read and write

50CE000

stack

page read and write

B1B000

unkown

page execute and write copy

46F0000

direct allocation

page read and write

4701000

heap

page read and write

670000

unkown

page read and write

44AE000

stack

page read and write

C60000

heap

page read and write

4701000

heap

page read and write

436E000

stack

page read and write

396E000

stack

page read and write

4701000

heap

page read and write

432F000

stack

page read and write

3CEF000

stack

page read and write

2F2F000

stack

page read and write

4701000

heap

page read and write

B19000

unkown

page execute and read and write

4F4C000

stack

page read and write

E51000

heap

page read and write

29AE000

stack

page read and write

30AE000

stack

page read and write

537E000

stack

page read and write

306F000

stack

page read and write

E27000

heap

page read and write

E51000

heap

page read and write

4701000

heap

page read and write

296E000

stack

page read and write

3E6E000

stack

page read and write

670000

unkown

page readonly

DEE000

stack

page read and write

46F0000

direct allocation

page read and write

E3E000

heap

page read and write

45EE000

stack

page read and write

2CEF000

stack

page read and write

29E0000

heap

page read and write

28EE000

stack

page read and write

3FAE000

stack

page read and write

965000

unkown

page execute and read and write

508E000

stack

page read and write

E6F000

heap

page read and write

4D10000

direct allocation

page execute and read and write

4CCE000

stack

page read and write

46F0000

direct allocation

page read and write

3BEE000

stack

page read and write

6D0000

unkown

page execute and read and write

4701000

heap

page read and write

342F000

stack

page read and write

4B90000

direct allocation

page read and write

3F6F000

stack

page read and write

85A000

unkown

page execute and read and write

31AF000

stack

page read and write

4D10000

direct allocation

page execute and read and write

3D2E000

stack

page read and write

2DEF000

stack

page read and write

E72000

heap

page read and write

97C000

unkown

page execute and write copy

4B90000

direct allocation

page read and write

E32000

heap

page read and write

46F0000

direct allocation

page read and write

E8A000

heap

page read and write

96D000

unkown

page execute and read and write

4D10000

direct allocation

page execute and read and write

564E000

stack

page read and write

935000

unkown

page execute and read and write

46EF000

stack

page read and write

DF0000

heap

page read and write

51E0000

remote allocation

page read and write

E54000

heap

page read and write

10EF000

stack

page read and write

522D000

stack

page read and write

382E000

stack

page read and write

4BCC000

stack

page read and write

E3E000

heap

page read and write

4D30000

direct allocation

page execute and read and write

574F000

stack

page read and write

E6C000

heap

page read and write

2E2E000

stack

page read and write

4B90000

direct allocation

page read and write

DFA000

heap

page read and write

2BEE000

stack

page read and write

46F0000

direct allocation

page read and write

532E000

stack

page read and write

36EE000

stack

page read and write

292C000

stack

page read and write

32EF000

stack

page read and write

46F0000

direct allocation

page read and write

4CF0000

direct allocation

page execute and read and write

4F8E000

stack

page read and write

356F000

stack

page read and write

There are 169 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
file.exe