Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.524989015983574
Filename:	file.exe
Filesize:	2920960
MD5:	6d7169d90896f0347f35da82056fc955
SHA1:	0ee2536b69b5b268586281be8d7925d75f6ef016
SHA256:	68d7b677a0700c7a4f086354054347ba5abb50fa805fc67ef4d580643857dfb0
SHA512:	e67de07dcb5630749d7c7e0467fc65bdf58cd6a9435f931b689f7e4825e64b5f5bce7d9554d2c72cf0f60e0608f40b48fbb9031977a95078f48394592f4acb27
SSDEEP:	49152:lROttiocL5XhDwRaY6hUOY+VOj0m6AKKKKKKKKKKKKKKKKKKKKKKKK9mtcvrKSTS:l4ttiocL5RDwRZi7/m6AKKKKKKKKKKKA
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f..............................0...........@..........................@0.......,...@.................................W...k..

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Hides threads from debuggers	Anti Debugging
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)	Boot Survival
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion	Security Software Discovery
Tries to detect sandboxes and other dynamic analysis tools (window names)	Anti Debugging
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion	Security Software Discovery
Tries to evade debugger and weak emulator (self modifying code)	Malware Analysis System Evasion
Checks for debuggers (devices)	Anti Debugging	Security Software Discovery
Checks if the current process is being debugged	Anti Debugging
Contains capabilities to detect virtual machines	Malware Analysis System Evasion
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Detected potential crypto function	System Summary	Security Software Discovery Archive Collected Data
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion Security Software Discovery
One or more processes crash	System Summary
PE file contains an invalid checksum	Data Obfuscation	Security Software Discovery
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Security Software Discovery
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing Security Software Discovery
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Queries a list of all running drivers	Malware Analysis System Evasion	System Information Discovery
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking	Security Software Discovery
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_2f26e4b65edfc9809a16d7533fcfcfa7c28d99cc_852b229c_359a2174-9da5-4242-a49d-a70ccd585713\Report.wer

data

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_2f26e4b65edfc9809a16d7533fcfcfa7c28d99cc_852b229c_359a2174-9da5-4242-a49d-a70ccd585713\Report.wer
Category:	dropped
Dump:	Report.wer.5.dr
ID:	dr_3
Target ID:	5
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	data
Entropy:	1.04698977012976
Encrypted:	false
Ssdeep:	192:PFt7LLtpYlcv7PlktS0BU/b03juF2nnzuiF2Z24IO8ThB:TEE7N6ZBU/wjfnzuiF2Y4IO8L
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample is known by Antivirus	System Summary
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA369.tmp.dmp

Mini DuMP crash report, 15 streams, Sun Oct 13 23:53:11 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERA369.tmp.dmp
Category:	dropped
Dump:	WERA369.tmp.dmp.5.dr
ID:	dr_0
Target ID:	5
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 15 streams, Sun Oct 13 23:53:11 2024, 0x1205a4 type
Entropy:	1.4926084128973272
Encrypted:	false
Ssdeep:	768:g88Sg5ABn3q/l3xGZjjySld3xryLcK4eEkdIGI:g8/gH/JxGZjj/l3mdIGI
Size:	301590
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA4C2.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERA4C2.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WERA4C2.tmp.WERInternalMetadata.xml.5.dr
ID:	dr_1
Target ID:	5
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.6915425028827507
Encrypted:	false
Ssdeep:	192:R6l7wVeJqCJ6MO6Y2DbSUKgmfBGeFprd89biysfycWm:R6lXJn6l6YmSUKgmfZiixfyU
Size:	8288
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA511.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERA511.tmp.xml
Category:	dropped
Dump:	WERA511.tmp.xml.5.dr
ID:	dr_2
Target ID:	5
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.425317666844599
Encrypted:	false
Ssdeep:	48:cvIwWl8zs4Jg77aI9BuWpW8VY5Ym8M4JjlFi7+q8CKk9gDOed:uIjf+I7fP7VlJa59gDOed
Size:	4542
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.5.dr
ID:	dr_4
Target ID:	5
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.468434709637196
Encrypted:	false
Ssdeep:	6144:WzZfpi6ceLPx9skLmb0fBZWSP3aJG8nAgeiJRMMhA2zX4WABluuNbjDH5S:4ZHtBZWOKnMM6bFp9j4
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2488
Target ID:	0
Parent PID:	4004
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	2920960
MD5:	6D7169D90896F0347F35DA82056FC955
Time:	19:53:06
Date:	13/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x560000
Modulesize:	3162112
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 1928

Details

Is windows:	true
Is dropped:	false
PID:	4416
Target ID:	5
Parent PID:	2488
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 1928
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	19:53:11
Date:	13/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x310000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 1948

Details

Is windows:	true
Is dropped:	false
PID:	1540
Target ID:	6
Parent PID:	2488
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 1948
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	19:53:11
Date:	13/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x310000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

studennotediw.store

dissapoiznw.store

https://steamcommunity.com/profiles/76561199724331900

104.102.49.254

eaglepawnoy.store

https://steamcommunity.com/profiles/76561199724331900/inventory/

unknown

bathdoomgaz.store

clearancek.site

spirittunek.store

licendfilteo.site

mobbipenju.store

https://sergei-esenin.com/api

104.21.53.8

https://steamcommunity.com/profiles/76561199724331900/badges

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp

unknown

https://steamcommunity.com/?subsection=broadcasts

unknown

https://sergei-esenin.com/

unknown

https://store.steampowered.com/subscriber_agreement/

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6

unknown

http://www.valvesoftware.com/legal.htm

unknown

https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png

unknown

https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&

unknown

https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

unknown

https://community.akamai.steamstatic.c

unknown

https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi

unknown

https://eaglepawnoy.store:443/apiF

unknown

https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=w

unknown

https://licendfilteo.site:443/api

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english

unknown

http://store.steampowered.com/privacy_agreement/

unknown

https://store.steampowered.com/points/shop/

unknown

https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg

unknown

https://store.steampowered.com/privacy_agreement/

unknown

https://www.cloudflare.com/learning/access-manag

unknown

https://www.cloudflare.com/5xx-error-landing

unknown

https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0

unknown

https://sergei-esenin.com:443/api

unknown

https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a

unknown

https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHI

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am

unknown

https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english

unknown

https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png

unknown

https://avatars.akamai.steamstatic

unknown

https://sergei-esenin.com:443/api:.

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis

unknown

https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC

unknown

https://sergei-esenin.com/T

unknown

https://store.steampowered.com/about/

unknown

https://steamcommunity.com/my/wishlist/

unknown

https://sergei-esenin.com/L

unknown

https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english

unknown

https://sergei-esenin.com/apij

unknown

https://help.steampowered.com/en/

unknown

https://steamcommunity.com/market/

unknown

https://store.steampowered.com/news/

unknown

http://store.steampowered.com/subscriber_agreement/

unknown

https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1

unknown

https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en

unknown

https://steamcommunity.com/discussions/

unknown

https://store.steampowered.com/stats/

unknown

https://sergei-esenin.com/sWO%(

unknown

https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1

unknown

https://store.steampowered.com/steam_refunds/

unknown

https://community.akamai.steamstatic.com/public/shared/

unknown

https://community.akamR

unknown

https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900

unknown

https://sergei-esenin.com/api1

unknown

https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e

unknown

https://clearancek.site:443/api

unknown

https://steamcommunity.com/workshop/

unknown

https://community.akamai.steam

unknown

https://store.steampowered.com/legal/

unknown

https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv

unknown

https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl

unknown

https://sergei-esenin.com/api&

unknown

http://upx.sf.net

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2d-

unknown

https://store.steampowered.com/

unknown

https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw

unknown

https://studennotediw.store:443/api

unknown

https://mobbipenju.store:443/api

unknown

https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif

unknown

https://clearancek.site:443/apii

unknown

https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016

unknown

https://spirittunek.store:443/api

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA

unknown

https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english

unknown

http://store.steampowered.com/account/cookiepreferences/

unknown

https://store.steampowered.com/mobile

unknown

https://steamcommunity.com/

unknown

https://steamcommunity.com:443/profiles/76561199724331900N

unknown

https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english

unknown

https://community.akamai.steamstatic.com/public/s

unknown

https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl

unknown

There are 89 hidden URLs, click here to show them.

Domains

Name

Malicious

steamcommunity.com

104.102.49.254

sergei-esenin.com

104.21.53.8

eaglepawnoy.store

unknown

bathdoomgaz.store

unknown

spirittunek.store

unknown

licendfilteo.site

unknown

studennotediw.store

unknown

mobbipenju.store

unknown

clearancek.site

unknown

dissapoiznw.store

unknown

IPs

Domain

Country

Malicious

104.21.53.8

sergei-esenin.com

United States

Details

IP:	104.21.53.8
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	sergei-esenin.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

104.102.49.254

steamcommunity.com

United States

Details

IP:	104.102.49.254
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	16625
ASN name:	AKAMAI-ASUS
Private:	false
Domain:	steamcommunity.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

\REGISTRY\A\{e369aa75-a9d8-2453-15a1-f27dbc3f0798}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

ProgramId

\REGISTRY\A\{e369aa75-a9d8-2453-15a1-f27dbc3f0798}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

FileId

\REGISTRY\A\{e369aa75-a9d8-2453-15a1-f27dbc3f0798}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

LowerCaseLongPath

\REGISTRY\A\{e369aa75-a9d8-2453-15a1-f27dbc3f0798}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

LongPathHash

\REGISTRY\A\{e369aa75-a9d8-2453-15a1-f27dbc3f0798}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

Name

\REGISTRY\A\{e369aa75-a9d8-2453-15a1-f27dbc3f0798}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

OriginalFileName

\REGISTRY\A\{e369aa75-a9d8-2453-15a1-f27dbc3f0798}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

Publisher

\REGISTRY\A\{e369aa75-a9d8-2453-15a1-f27dbc3f0798}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

Version

\REGISTRY\A\{e369aa75-a9d8-2453-15a1-f27dbc3f0798}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

BinFileVersion

\REGISTRY\A\{e369aa75-a9d8-2453-15a1-f27dbc3f0798}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

BinaryType

\REGISTRY\A\{e369aa75-a9d8-2453-15a1-f27dbc3f0798}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

ProductName

\REGISTRY\A\{e369aa75-a9d8-2453-15a1-f27dbc3f0798}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

ProductVersion

\REGISTRY\A\{e369aa75-a9d8-2453-15a1-f27dbc3f0798}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

LinkDate

\REGISTRY\A\{e369aa75-a9d8-2453-15a1-f27dbc3f0798}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

BinProductVersion

\REGISTRY\A\{e369aa75-a9d8-2453-15a1-f27dbc3f0798}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

AppxPackageFullName

\REGISTRY\A\{e369aa75-a9d8-2453-15a1-f27dbc3f0798}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

AppxPackageRelativeId

\REGISTRY\A\{e369aa75-a9d8-2453-15a1-f27dbc3f0798}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

Size

\REGISTRY\A\{e369aa75-a9d8-2453-15a1-f27dbc3f0798}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

Language

\REGISTRY\A\{e369aa75-a9d8-2453-15a1-f27dbc3f0798}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

Usn

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

DeviceTicket

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

DeviceId

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

ApplicationFlags

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property

0018000DDABBE6B3

There are 13 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

561000

unkown

page execute and read and write

496F000

stack

page read and write

4970000

direct allocation

page read and write

7E3000

unkown

page execute and read and write

4FA0000

direct allocation

page execute and read and write

1044000

heap

page read and write

4981000

heap

page read and write

446F000

stack

page read and write

561E000

stack

page read and write

2D0E000

stack

page read and write

472E000

stack

page read and write

5273000

trusted library allocation

page read and write

4E10000

direct allocation

page read and write

45AF000

stack

page read and write

45EE000

stack

page read and write

74B000

unkown

page execute and read and write

3E1F000

stack

page read and write

3D1E000

stack

page read and write

1044000

heap

page read and write

4F90000

direct allocation

page execute and read and write

11EF000

heap

page read and write

510D000

stack

page read and write

861000

unkown

page execute and write copy

4970000

direct allocation

page read and write

1044000

heap

page read and write

50CD000

stack

page read and write

1239000

heap

page read and write

577E000

stack

page read and write

2B8E000

stack

page read and write

7C9000

unkown

page execute and read and write

46EF000

stack

page read and write

4FB0000

direct allocation

page execute and read and write

4E00000

remote allocation

page read and write

1044000

heap

page read and write

436E000

stack

page read and write

4970000

direct allocation

page read and write

1044000

heap

page read and write

1044000

heap

page read and write

571D000

stack

page read and write

1044000

heap

page read and write

3F9D000

stack

page read and write

7BB000

unkown

page execute and read and write

59DF000

stack

page read and write

1044000

heap

page read and write

4F90000

direct allocation

page execute and read and write

2C8F000

stack

page read and write

7F5000

unkown

page execute and read and write

4970000

direct allocation

page read and write

1235000

heap

page read and write

103E000

stack

page read and write

11D8000

heap

page read and write

4F90000

direct allocation

page execute and read and write

1044000

heap

page read and write

1044000

heap

page read and write

7E2000

unkown

page execute and write copy

2E1E000

stack

page read and write

4970000

direct allocation

page read and write

4FD0000

trusted library allocation

page read and write

587F000

stack

page read and write

126A000

heap

page read and write

54CE000

stack

page read and write

59F0000

heap

page read and write

75E000

unkown

page execute and write copy

4981000

heap

page read and write

7B9000

unkown

page execute and write copy

4981000

heap

page read and write

11E2000

heap

page read and write

1044000

heap

page read and write

79E000

unkown

page execute and write copy

431F000

stack

page read and write

2D17000

heap

page read and write

5C0000

unkown

page execute and read and write

860000

unkown

page execute and write copy

860000

unkown

page execute and read and write

36DE000

stack

page read and write

345E000

stack

page read and write

745000

unkown

page execute and write copy

1044000

heap

page read and write

395E000

stack

page read and write

3BDE000

stack

page read and write

2D10000

heap

page read and write

5CC000

unkown

page execute and write copy

359E000

stack

page read and write

4981000

heap

page read and write

4F90000

direct allocation

page execute and read and write

527E000

trusted library allocation

page read and write

560000

unkown

page read and write

4981000

heap

page read and write

1044000

heap

page read and write

848000

unkown

page execute and read and write

1210000

heap

page read and write

55CE000

stack

page read and write

4980000

heap

page read and write

4F80000

direct allocation

page execute and read and write

4E00000

remote allocation

page read and write

7CF000

unkown

page execute and read and write

126C000

heap

page read and write

4F90000

direct allocation

page execute and read and write

309E000

stack

page read and write

1270000

heap

page read and write

122B000

heap

page read and write

37DF000

stack

page read and write

139E000

stack

page read and write

4F4D000

stack

page read and write

114E000

stack

page read and write

4E10000

direct allocation

page read and write

726000

unkown

page execute and write copy

4970000

direct allocation

page read and write

4970000

direct allocation

page read and write

331E000

stack

page read and write

524E000

stack

page read and write

1203000

heap

page read and write

11AA000

heap

page read and write

1226000

heap

page read and write

11AE000

heap

page read and write

548E000

stack

page read and write

3A5F000

stack

page read and write

4320000

heap

page read and write

7C4000

unkown

page execute and write copy

7AA000

unkown

page execute and read and write

4970000

direct allocation

page read and write

1277000

heap

page read and write

3E5E000

stack

page read and write

773000

unkown

page execute and write copy

4970000

direct allocation

page read and write

319F000

stack

page read and write

11E5000

heap

page read and write

127A000

heap

page read and write

5C0000

unkown

page execute and write copy

7F3000

unkown

page execute and write copy

83C000

unkown

page execute and write copy

341F000

stack

page read and write

4970000

direct allocation

page read and write

11A0000

heap

page read and write

789000

unkown

page execute and read and write

776000

unkown

page execute and read and write

58DE000

stack

page read and write

73C000

unkown

page execute and read and write

4981000

heap

page read and write

7A4000

unkown

page execute and read and write

7A0000

unkown

page execute and write copy

77E000

unkown

page execute and write copy

1225000

heap

page read and write

1044000

heap

page read and write

355F000

stack

page read and write

1044000

heap

page read and write

534F000

stack

page read and write

849000

unkown

page execute and write copy

787000

unkown

page execute and read and write

745000

unkown

page execute and read and write

1044000

heap

page read and write

775000

unkown

page execute and write copy

4981000

heap

page read and write

762000

unkown

page execute and write copy

4981000

heap

page read and write

3B9F000

stack

page read and write

1201000

heap

page read and write

1044000

heap

page read and write

7A5000

unkown

page execute and write copy

853000

unkown

page execute and write copy

528A000

trusted library allocation

page read and write

4A80000

trusted library allocation

page read and write

BF0000

heap

page read and write

4F60000

direct allocation

page execute and read and write

41DF000

stack

page read and write

B9B000

stack

page read and write

7CA000

unkown

page execute and write copy

2D1D000

heap

page read and write

4970000

direct allocation

page read and write

421E000

stack

page read and write

7B1000

unkown

page execute and write copy

369F000

stack

page read and write

4E4D000

stack

page read and write

560000

unkown

page readonly

738000

unkown

page execute and read and write

4E00000

remote allocation

page read and write

75F000

unkown

page execute and read and write

561000

unkown

page execute and write copy

1044000

heap

page read and write

4F90000

direct allocation

page execute and read and write

4FC0000

direct allocation

page execute and read and write

838000

unkown

page execute and write copy

1210000

heap

page read and write

31DE000

stack

page read and write

2F1F000

stack

page read and write

1040000

heap

page read and write

774000

unkown

page execute and read and write

3F5F000

stack

page read and write

3CDF000

stack

page read and write

2F5E000

stack

page read and write

122B000

heap

page read and write

40DE000

stack

page read and write

305F000

stack

page read and write

486E000

stack

page read and write

1044000

heap

page read and write

391F000

stack

page read and write

788000

unkown

page execute and write copy

5296000

trusted library allocation

page read and write

4970000

direct allocation

page read and write

2CCB000

stack

page read and write

847000

unkown

page execute and write copy

1239000

heap

page read and write

79F000

unkown

page execute and read and write

517C000

trusted library allocation

page read and write

44AE000

stack

page read and write

FD0000

heap

page read and write

1044000

heap

page read and write

749000

unkown

page execute and write copy

73B000

unkown

page execute and write copy

1272000

heap

page read and write

847000

unkown

page execute and write copy

4970000

direct allocation

page read and write

1044000

heap

page read and write

1044000

heap

page read and write

1044000

heap

page read and write

7B2000

unkown

page execute and read and write

520D000

stack

page read and write

4E10000

direct allocation

page read and write

1044000

heap

page read and write

4DC0000

heap

page read and write

3A9E000

stack

page read and write

EFB000

stack

page read and write

853000

unkown

page execute and write copy

724000

unkown

page execute and read and write

1044000

heap

page read and write

4970000

direct allocation

page read and write

482F000

stack

page read and write

4F70000

direct allocation

page execute and read and write

118E000

stack

page read and write

32DF000

stack

page read and write

538E000

stack

page read and write

4981000

heap

page read and write

4F9D000

stack

page read and write

81D000

unkown

page execute and read and write

409F000

stack

page read and write

526F000

trusted library allocation

page read and write

381E000

stack

page read and write

763000

unkown

page execute and read and write

There are 228 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
file.exe