Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.947845726882369
Filename:	file.exe
Filesize:	1844224
MD5:	fb08a9067fae7bfd248416c863bd43d2
SHA1:	1564f87b3da33b611dcb92dd5ff7362220af474a
SHA256:	b649fde943868879f85d809bf5e84d9873b1c5ed308941e19cebb3ea6a230aff
SHA512:	18d98d84e5df556e0adcf32cd0cdefece4a6266932f7198878b8478662131e855dd4980b002f82ed12d9423345143ba88778055b722767f985dadde67f77ecac
SSDEEP:	49152:JfEALDRjDiP2QRjbTVg4txzU6PhCbnog:JfEwRjDinRjbTXvwyH
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f..............................J...........@..........................0J.....z.....@.................................W...k..

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Hides threads from debuggers	Anti Debugging
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)	Boot Survival
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion
Tries to detect sandboxes and other dynamic analysis tools (window names)	Anti Debugging
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion	Virtualization/Sandbox Evasion Security Software Discovery
Tries to evade debugger and weak emulator (self modifying code)	Malware Analysis System Evasion
Checks for debuggers (devices)	Anti Debugging	Virtualization/Sandbox Evasion Security Software Discovery
Checks if the current process is being debugged	Anti Debugging
Contains capabilities to detect virtual machines	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
One or more processes crash	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Queries a list of all running drivers	Malware Analysis System Evasion
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_2f26e4b65edfc9809a16d7533fcfcfa7c28d99cc_852b229c_de226bca-5d07-408b-8189-7b2a945470e5\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_2f26e4b65edfc9809a16d7533fcfcfa7c28d99cc_852b229c_de226bca-5d07-408b-8189-7b2a945470e5\Report.wer
Category:	dropped
Dump:	Report.wer.5.dr
ID:	dr_3
Target ID:	5
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	1.0176021884802195
Encrypted:	false
Ssdeep:	192:Prrx7uslJbvjPlktS0BU/YP3juFRp+zuiFE+Z24IO8TOB:T1a2jN6ZBU/gjhzuiFLY4IO8C
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WER18E5.tmp.dmp

Mini DuMP crash report, 15 streams, Sun Oct 13 15:46:16 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER18E5.tmp.dmp
Category:	dropped
Dump:	WER18E5.tmp.dmp.5.dr
ID:	dr_0
Target ID:	5
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 15 streams, Sun Oct 13 15:46:16 2024, 0x1205a4 type
Entropy:	1.487412388111131
Encrypted:	false
Ssdeep:	1536:aFKwo3aK5Jh8CMjTAKE2bhgxbKoJ9JLmeR:Wq3aK5Jh8CMjTAKE2lgNKQ99
Size:	280496
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1A7C.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER1A7C.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER1A7C.tmp.WERInternalMetadata.xml.5.dr
ID:	dr_1
Target ID:	5
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.6912922956401646
Encrypted:	false
Ssdeep:	192:R6l7wVeJBCL6fJVO6YNySU9sOgmfBGe3pr/89b07sfZ8m:R6lXJ46fJVO6YYSU9sOgmfZa0Af3
Size:	8298
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1ABC.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER1ABC.tmp.xml
Category:	dropped
Dump:	WER1ABC.tmp.xml.5.dr
ID:	dr_2
Target ID:	5
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.423408383310221
Encrypted:	false
Ssdeep:	48:cvIwWl8zsuJg77aI9EnWpW8VYe5Ym8M4JjlFg+q8CzxuMhgd:uIjfkI7aW7VqJ8jx9gd
Size:	4542
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.5.dr
ID:	dr_4
Target ID:	5
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.416541255023791
Encrypted:	false
Ssdeep:	6144:Wcifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuN85+:zi58oSWIZBk2MM6AFBqo
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7352
Target ID:	0
Parent PID:	4056
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	1844224
MD5:	FB08A9067FAE7BFD248416C863BD43D2
Time:	11:46:09
Date:	13/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x6a0000
Modulesize:	4861952
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7352 -s 1920

Details

Is windows:	true
Is dropped:	false
PID:	7716
Target ID:	5
Parent PID:	7352
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7352 -s 1920
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	11:46:16
Date:	13/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xd00000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://sergei-esenin.com/

unknown

studennotediw.store

dissapoiznw.store

https://steamcommunity.com/profiles/76561199724331900

104.102.49.254

https://steamcommunity.com:443/profiles/76561199724331900

unknown

https://steamcommunity.com/profiles/76561199724331900S)

unknown

eaglepawnoy.store

https://sergei-esenin.com:443/api%

unknown

https://steamcommunity.com/profiles/76561199724331900/inventory/

unknown

https://sergei-esenin.com/apitory

unknown

https://sergei-esenin.com:443/api

unknown

https://sergei-esenin.com/apit

unknown

https://sergei-esenin.com/ER

unknown

https://sergei-esenin.com/apiX

unknown

bathdoomgaz.store

https://sergei-esenin.com/apiJ

unknown

clearancek.site

spirittunek.store

licendfilteo.site

mobbipenju.store

https://sergei-esenin.com/api

172.67.206.204

https://steamcommunity.com/profiles/76561199724331900/badges

unknown

https://www.cloudflare.com/learning/access-management/phishing-attack/

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp

unknown

https://steamcommunity.com/?subsection=broadcasts

unknown

https://www.cloudflare.com/learning/access-manqqx

unknown

https://store.steampowered.com/subscriber_agreement/

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6

unknown

http://www.valvesoftware.com/legal.htm

unknown

https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png

unknown

https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&

unknown

https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

unknown

https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi

unknown

https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vP

unknown

https://eaglepawnoy.store:443/api

unknown

https://community.akamai.steamsta

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english

unknown

http://store.steampowered.com/privacy_agreement/

unknown

https://community.akam

unknown

https://store.steampowered.com/points/shop/

unknown

https://www.cloudflare.com/learning/access-man

unknown

https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg

unknown

https://store.steampowered.com/privacy_agreement/

unknown

https://www.cloudflare.com/5xx-error-landing

unknown

https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0

unknown

https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am

unknown

https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english

unknown

https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png

unknown

https://avatars.akamai.steamstatic

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis

unknown

https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC

unknown

https://store.steampowered.com/about/

unknown

https://steamcommunity.com/my/wishlist/

unknown

https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english

unknown

https://help.steampowered.com/en/

unknown

https://steamcommunity.com/market/

unknown

https://store.steampowered.com/news/

unknown

http://store.steampowered.com/subscriber_agreement/

unknown

https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1

unknown

https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en

unknown

https://steamcommunity.com/discussions/

unknown

https://store.steampowered.com/stats/

unknown

https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1

unknown

https://store.steampowered.com/steam_refunds/

unknown

https://community.akamai.steamstatic.co

unknown

https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900

unknown

https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e

unknown

https://steamcommunity.com/workshop/

unknown

https://store.steampowered.com/legal/

unknown

https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e

unknown

https://community.akamai.steamstatic.com/public/shared/css/shared_resp

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv

unknown

https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl

unknown

http://upx.sf.net

unknown

https://store.steampowered.com/

unknown

https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw

unknown

https://studennotediw.store:443/api

unknown

https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/profilevC

unknown

https://steamcommunity.com/K)

unknown

https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016

unknown

https://steamcommunity.com/lin

unknown

https://spirittunek.store:443/api

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA

unknown

https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english

unknown

https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vP05w

unknown

https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGt

unknown

http://store.steampowered.com/account/cookiepreferences/

unknown

https://clearancek.site:443/apiz

unknown

https://store.steampowered.com/mobile

unknown

https://steamcommunity.com/

unknown

https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english

unknown

https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl

unknown

There are 90 hidden URLs, click here to show them.

Domains

Name

Malicious

steamcommunity.com

104.102.49.254

sergei-esenin.com

172.67.206.204

eaglepawnoy.store

unknown

bathdoomgaz.store

unknown

spirittunek.store

unknown

licendfilteo.site

unknown

studennotediw.store

unknown

mobbipenju.store

unknown

clearancek.site

unknown

dissapoiznw.store

unknown

IPs

Domain

Country

Malicious

104.102.49.254

steamcommunity.com

United States

Details

IP:	104.102.49.254
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	16625
ASN name:	AKAMAI-ASUS
Private:	false
Domain:	steamcommunity.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

172.67.206.204

sergei-esenin.com

United States

Details

IP:	172.67.206.204
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	sergei-esenin.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

\REGISTRY\A\{901d480d-2a44-fcb4-1f6a-32024771cbbd}\Root\InventoryApplicationFile\file.exe|634507f567776d77

ProgramId

\REGISTRY\A\{901d480d-2a44-fcb4-1f6a-32024771cbbd}\Root\InventoryApplicationFile\file.exe|634507f567776d77

FileId

\REGISTRY\A\{901d480d-2a44-fcb4-1f6a-32024771cbbd}\Root\InventoryApplicationFile\file.exe|634507f567776d77

LowerCaseLongPath

\REGISTRY\A\{901d480d-2a44-fcb4-1f6a-32024771cbbd}\Root\InventoryApplicationFile\file.exe|634507f567776d77

LongPathHash

\REGISTRY\A\{901d480d-2a44-fcb4-1f6a-32024771cbbd}\Root\InventoryApplicationFile\file.exe|634507f567776d77

Name

\REGISTRY\A\{901d480d-2a44-fcb4-1f6a-32024771cbbd}\Root\InventoryApplicationFile\file.exe|634507f567776d77

OriginalFileName

\REGISTRY\A\{901d480d-2a44-fcb4-1f6a-32024771cbbd}\Root\InventoryApplicationFile\file.exe|634507f567776d77

Publisher

\REGISTRY\A\{901d480d-2a44-fcb4-1f6a-32024771cbbd}\Root\InventoryApplicationFile\file.exe|634507f567776d77

Version

\REGISTRY\A\{901d480d-2a44-fcb4-1f6a-32024771cbbd}\Root\InventoryApplicationFile\file.exe|634507f567776d77

BinFileVersion

\REGISTRY\A\{901d480d-2a44-fcb4-1f6a-32024771cbbd}\Root\InventoryApplicationFile\file.exe|634507f567776d77

BinaryType

\REGISTRY\A\{901d480d-2a44-fcb4-1f6a-32024771cbbd}\Root\InventoryApplicationFile\file.exe|634507f567776d77

ProductName

\REGISTRY\A\{901d480d-2a44-fcb4-1f6a-32024771cbbd}\Root\InventoryApplicationFile\file.exe|634507f567776d77

ProductVersion

\REGISTRY\A\{901d480d-2a44-fcb4-1f6a-32024771cbbd}\Root\InventoryApplicationFile\file.exe|634507f567776d77

LinkDate

\REGISTRY\A\{901d480d-2a44-fcb4-1f6a-32024771cbbd}\Root\InventoryApplicationFile\file.exe|634507f567776d77

BinProductVersion

\REGISTRY\A\{901d480d-2a44-fcb4-1f6a-32024771cbbd}\Root\InventoryApplicationFile\file.exe|634507f567776d77

AppxPackageFullName

\REGISTRY\A\{901d480d-2a44-fcb4-1f6a-32024771cbbd}\Root\InventoryApplicationFile\file.exe|634507f567776d77

AppxPackageRelativeId

\REGISTRY\A\{901d480d-2a44-fcb4-1f6a-32024771cbbd}\Root\InventoryApplicationFile\file.exe|634507f567776d77

Size

\REGISTRY\A\{901d480d-2a44-fcb4-1f6a-32024771cbbd}\Root\InventoryApplicationFile\file.exe|634507f567776d77

Language

\REGISTRY\A\{901d480d-2a44-fcb4-1f6a-32024771cbbd}\Root\InventoryApplicationFile\file.exe|634507f567776d77

Usn

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData

ClockTimeSeconds

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData

TickCount

There are 11 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

6A1000

unkown

page execute and read and write

409F000

stack

page read and write

3F9E000

stack

page read and write

2CDE000

stack

page read and write

5A4000

heap

page read and write

5A4000

heap

page read and write

963000

unkown

page execute and read and write

5A4000

heap

page read and write

431F000

stack

page read and write

3E5E000

stack

page read and write

4A40000

direct allocation

page execute and read and write

888000

unkown

page execute and read and write

4461000

heap

page read and write

74EF6000

unkown

page readonly

5A4000

heap

page read and write

6A0000

unkown

page read and write

CA7000

heap

page read and write

395E000

stack

page read and write

74EFF000

unkown

page readonly

32DF000

stack

page read and write

3A5F000

stack

page read and write

C2E000

heap

page read and write

359E000

stack

page read and write

48C0000

remote allocation

page read and write

990000

unkown

page execute and read and write

5A4000

heap

page read and write

533E000

stack

page read and write

369F000

stack

page read and write

C49000

heap

page read and write

305F000

stack

page read and write

4560000

trusted library allocation

page read and write

5A4000

heap

page read and write

37DF000

stack

page read and write

5A4000

heap

page read and write

700000

unkown

page execute and read and write

680000

direct allocation

page read and write

421E000

stack

page read and write

BA0000

direct allocation

page execute and read and write

4461000

heap

page read and write

48C0000

remote allocation

page read and write

4A50000

direct allocation

page execute and read and write

4FBD000

stack

page read and write

4461000

heap

page read and write

281B000

heap

page read and write

680000

direct allocation

page read and write

4A60000

direct allocation

page execute and read and write

435E000

stack

page read and write

3D1E000

stack

page read and write

4A40000

direct allocation

page execute and read and write

391F000

stack

page read and write

C2C000

heap

page read and write

4461000

heap

page read and write

B90000

direct allocation

page read and write

CA1000

heap

page read and write

74EE0000

unkown

page readonly

2E1E000

stack

page read and write

9A6000

unkown

page execute and read and write

5A4000

heap

page read and write

2F1F000

stack

page read and write

5490000

heap

page read and write

3E1F000

stack

page read and write

5A4000

heap

page read and write

291E000

stack

page read and write

680000

direct allocation

page read and write

680000

direct allocation

page read and write

2A1F000

stack

page read and write

4A87000

trusted library allocation

page read and write

C1E000

heap

page read and write

5A4000

heap

page read and write

5A4000

heap

page read and write

C9A000

heap

page read and write

5A4000

heap

page read and write

680000

direct allocation

page read and write

36DE000

stack

page read and write

4A70000

direct allocation

page execute and read and write

27CB000

stack

page read and write

C9C000

heap

page read and write

5A4000

heap

page read and write

2B5F000

stack

page read and write

DAF000

stack

page read and write

4461000

heap

page read and write

3F5F000

stack

page read and write

5A4000

heap

page read and write

341F000

stack

page read and write

4D3E000

stack

page read and write

4A40000

direct allocation

page execute and read and write

345E000

stack

page read and write

319F000

stack

page read and write

538E000

stack

page read and write

C8C000

heap

page read and write

281D000

heap

page read and write

5A4000

heap

page read and write

4BFD000

stack

page read and write

6A0000

unkown

page readonly

4BBC000

stack

page read and write

51FE000

stack

page read and write

C38000

heap

page read and write

331E000

stack

page read and write

4A40000

direct allocation

page execute and read and write

680000

direct allocation

page read and write

B90000

direct allocation

page read and write

4CFD000

stack

page read and write

C86000

heap

page read and write

1F0000

heap

page read and write

309E000

stack

page read and write

4A20000

direct allocation

page execute and read and write

381E000

stack

page read and write

BB0000

heap

page read and write

280E000

stack

page read and write

2B9E000

stack

page read and write

680000

direct allocation

page read and write

56E000

stack

page read and write

BBE000

heap

page read and write

C98000

heap

page read and write

CA1000

heap

page read and write

5A4000

heap

page read and write

C9C000

heap

page read and write

C38000

heap

page read and write

5A4000

heap

page read and write

4A40000

direct allocation

page execute and read and write

50BE000

stack

page read and write

680000

direct allocation

page read and write

C31000

heap

page read and write

C10000

heap

page read and write

B3F000

unkown

page execute and read and write

19B000

stack

page read and write

9A6000

unkown

page execute and write copy

C83000

heap

page read and write

5A4000

heap

page read and write

2C9F000

stack

page read and write

278F000

stack

page read and write

40DE000

stack

page read and write

74EE1000

unkown

page execute read

48A0000

heap

page read and write

680000

direct allocation

page read and write

4A40000

direct allocation

page execute and read and write

4E7E000

stack

page read and write

548F000

stack

page read and write

BE8000

heap

page read and write

2DDF000

stack

page read and write

C8D000

heap

page read and write

5A0000

heap

page read and write

BEF000

heap

page read and write

590000

heap

page read and write

C97000

heap

page read and write

4461000

heap

page read and write

5A4000

heap

page read and write

C12000

heap

page read and write

4461000

heap

page read and write

48C0000

remote allocation

page read and write

2817000

heap

page read and write

4461000

heap

page read and write

680000

direct allocation

page read and write

50FD000

stack

page read and write

5A4000

heap

page read and write

4FB000

stack

page read and write

2F5E000

stack

page read and write

C9C000

heap

page read and write

BF2000

heap

page read and write

523E000

stack

page read and write

CAB000

heap

page read and write

C31000

heap

page read and write

491C000

stack

page read and write

4461000

heap

page read and write

5A4000

heap

page read and write

BF4000

heap

page read and write

EAF000

stack

page read and write

4A30000

direct allocation

page execute and read and write

998000

unkown

page execute and read and write

445F000

stack

page read and write

74EFD000

unkown

page read and write

4E3E000

stack

page read and write

680000

direct allocation

page read and write

CAD000

heap

page read and write

680000

direct allocation

page read and write

3B9F000

stack

page read and write

5A4000

heap

page read and write

9A7000

unkown

page execute and write copy

B8E000

stack

page read and write

48E0000

direct allocation

page read and write

500000

heap

page read and write

3BDE000

stack

page read and write

C88000

heap

page read and write

3CDF000

stack

page read and write

680000

direct allocation

page read and write

CA7000

heap

page read and write

4460000

heap

page read and write

5A4000

heap

page read and write

680000

direct allocation

page read and write

BFE000

heap

page read and write

41DF000

stack

page read and write

BBA000

heap

page read and write

2810000

heap

page read and write

31DE000

stack

page read and write

4A1F000

stack

page read and write

6A1000

unkown

page execute and write copy

5A4000

heap

page read and write

5A4000

heap

page read and write

4ABD000

stack

page read and write

355F000

stack

page read and write

4F7F000

stack

page read and write

268E000

stack

page read and write

3A9E000

stack

page read and write

2A5E000

stack

page read and write

B40000

unkown

page execute and write copy

C1E000

heap

page read and write

There are 196 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
file.exe