Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.534367610683792
Filename:	file.exe
Filesize:	2952192
MD5:	283f654b01a0041e91613545e4b1b7d1
SHA1:	4d397e16c236af966253e076360487b0db03d2fb
SHA256:	5f4bbf88da5f3b824e903fa9b2b0458f684ff94157abca983e32c18f7da9f70b
SHA512:	3f5d5aa516d31ee3738eee0e33241a8ca1fb9e830146b1e133b7874dcd0d89efd1f5dc7d8db27cd1e48d1e7c2d588112059e910899e6f99e05c67eeaba532a7d
SSDEEP:	49152:kYXIDZ+gOigbzjCaVym1Gxx1H2bKmyDc:kYXIDZ+gOigbzjCagucx10KPDc
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f..............................0...........@...........................0.......-...@.................................W...k..

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Hides threads from debuggers	Anti Debugging
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)	Boot Survival
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion	Security Software Discovery
Tries to detect sandboxes and other dynamic analysis tools (window names)	Anti Debugging
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion
Tries to evade debugger and weak emulator (self modifying code)	Malware Analysis System Evasion
Checks for debuggers (devices)	Anti Debugging
Checks if the current process is being debugged	Anti Debugging	Virtualization/Sandbox Evasion
Contains capabilities to detect virtual machines	Malware Analysis System Evasion
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Detected potential crypto function	System Summary	Archive Collected Data
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
One or more processes crash	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Queries a list of all running drivers	Malware Analysis System Evasion
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_2f26e4b65edfc9809a16d7533fcfcfa7c28d99cc_852b229c_92fb6e2e-1bd9-4b91-8814-cd6295476d3d\Report.wer

data

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_2f26e4b65edfc9809a16d7533fcfcfa7c28d99cc_852b229c_92fb6e2e-1bd9-4b91-8814-cd6295476d3d\Report.wer
Category:	dropped
Dump:	Report.wer.4.dr
ID:	dr_3
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	data
Entropy:	1.0430736213201095
Encrypted:	false
Ssdeep:	192:Pojj5B0Yo55vfPlktS0BU/fI3juFCoV2hzuiF/Z24IO8TVB:xfN6ZBU/YjMOzuiF/Y4IO8X
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF61A.tmp.dmp

Mini DuMP crash report, 15 streams, Mon Oct 14 01:57:13 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERF61A.tmp.dmp
Category:	dropped
Dump:	WERF61A.tmp.dmp.4.dr
ID:	dr_0
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 15 streams, Mon Oct 14 01:57:13 2024, 0x1205a4 type
Entropy:	1.480256139213818
Encrypted:	false
Ssdeep:	768:00AAABrN1qafajtJScK5vGimsNkXcbLGIM:PApN1qAaB+nccbi3
Size:	294164
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF89C.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERF89C.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WERF89C.tmp.WERInternalMetadata.xml.4.dr
ID:	dr_1
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.6926737642541476
Encrypted:	false
Ssdeep:	192:R6l7wVeJOC36Y6Y9VmSUurKgmfBGetprSW89bT/sfAzRm:R6lXJt6Y6YHmSUurKgmfZi/Tkfl
Size:	8290
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF8DB.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERF8DB.tmp.xml
Category:	dropped
Dump:	WERF8DB.tmp.xml.4.dr
ID:	dr_2
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.4305358777858475
Encrypted:	false
Ssdeep:	48:cvIwWl8zsjJg77aI9vJbKWpW8VYsYm8M4JjlFCZ+q8CIGhUufd:uIjf9I7nf7VYJaYGeufd
Size:	4542
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.4.dr
ID:	dr_4
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.465290231556066
Encrypted:	false
Ssdeep:	6144:TIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNPdwBCswSbp:EXD94+WlLZMM6YFH1+p
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6848
Target ID:	0
Parent PID:	2580
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	2952192
MD5:	283F654B01A0041E91613545E4B1B7D1
Time:	21:57:05
Date:	13/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x340000
Modulesize:	3194880
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6848 -s 1904

Details

Is windows:	true
Is dropped:	false
PID:	5628
Target ID:	4
Parent PID:	6848
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6848 -s 1904
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	21:57:12
Date:	13/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x2c0000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6848 -s 1896

Details

Is windows:	true
Is dropped:	false
PID:	6128
Target ID:	5
Parent PID:	6848
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6848 -s 1896
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	21:57:12
Date:	13/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x2c0000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://sergei-esenin.com/

unknown

studennotediw.store

dissapoiznw.store

https://steamcommunity.com/profiles/76561199724331900

104.102.49.254

https://steamcommunity.com:443/profiles/76561199724331900

unknown

eaglepawnoy.store

https://steamcommunity.com/profiles/76561199724331900/inventory/

unknown

https://sergei-esenin.com:443/api

unknown

https://sergei-esenin.com/k

unknown

bathdoomgaz.store

https://sergei-esenin.com/apiF

unknown

clearancek.site

spirittunek.store

licendfilteo.site

https://steamcommunity.com/profiles/76561199724331900/inventory

unknown

https://sergei-esenin.com/ll

unknown

mobbipenju.store

https://sergei-esenin.com/api

172.67.206.204

https://steamcommunity.com/profiles/76561199724331900/badges

unknown

https://www.cloudflare.com/learning/access-management/phishing-attack/

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp

unknown

https://steamcommunity.com/?subsection=broadcasts

unknown

https://store.steampowered.com/subscriber_agreement/

unknown

https://community.akamai.steamstatic.com/public/javascript/scriptacul

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6

unknown

https://community.akamai.steamstatic.com/)

unknown

http://www.valvesoftware.com/legal.htm

unknown

https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png

unknown

https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&amp

unknown

https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&

unknown

https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

unknown

https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english

unknown

https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l

unknown

http://store.steampowered.com/privacy_agreement/

unknown

https://community.akam

unknown

https://store.steampowered.com/points/shop/

unknown

https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg

unknown

https://store.steampowered.com/privacy_agreement/

unknown

https://www.cloudflare.com/5xx-error-landing

unknown

https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0

unknown

https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am

unknown

https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english

unknown

https://steamcommunity.com/profiles/76561

unknown

https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis

unknown

https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC

unknown

https://store.steampowered.com/about/

unknown

https://steamcommunity.com/my/wishlist/

unknown

https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english

unknown

https://www.cloudflare.com/learning/access-management/

unknown

https://help.steampowered.com/en/

unknown

https://steamcommunity.com/market/

unknown

https://store.steampowered.com/news/

unknown

https://spirittunek.store:443/apii%

unknown

https://steamcommunity.com/?subsection

unknown

http://store.steampowered.com/subscriber_agreement/

unknown

https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1

unknown

https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en

unknown

https://dissapoiznw.store:443/api

unknown

https://steamcommunity.com/discussions/

unknown

https://steamcommunity.com/N

unknown

https://store.steampowered.com/stats/

unknown

https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1

unknown

https://store.steampowered.com/steam_refunds/

unknown

https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900

unknown

https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e

unknown

https://steamcommunity.com/workshop/

unknown

https://community.akamai.steam

unknown

https://store.steampowered.com/legal/

unknown

https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e

unknown

https://licendfilteo.site/api

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv

unknown

https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl

unknown

https://clearancek.site:443/api=

unknown

http://upx.sf.net

unknown

https://store.steampowered.com/

unknown

https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw

unknown

https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif

unknown

https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valMr

unknown

https://clearancek.site/apin

unknown

https://clearancek.site:443/apii

unknown

https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA

unknown

https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english

unknown

https://community.akamai.steamstatic.com/publdq

unknown

http://store.steampowered.com/account/cookiepreferences/

unknown

https://store.steampowered.com/mobile

unknown

https://steamcommunity.com/

unknown

https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english

unknown

https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl

unknown

There are 88 hidden URLs, click here to show them.

Domains

Name

Malicious

steamcommunity.com

104.102.49.254

sergei-esenin.com

172.67.206.204

eaglepawnoy.store

unknown

bathdoomgaz.store

unknown

spirittunek.store

unknown

licendfilteo.site

unknown

studennotediw.store

unknown

mobbipenju.store

unknown

clearancek.site

unknown

dissapoiznw.store

unknown

IPs

Domain

Country

Malicious

104.102.49.254

steamcommunity.com

United States

Details

IP:	104.102.49.254
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	16625
ASN name:	AKAMAI-ASUS
Private:	false
Domain:	steamcommunity.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

172.67.206.204

sergei-esenin.com

United States

Details

IP:	172.67.206.204
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	sergei-esenin.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

\REGISTRY\A\{182dd7c9-519a-8d36-e1d9-31226353b399}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

ProgramId

\REGISTRY\A\{182dd7c9-519a-8d36-e1d9-31226353b399}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

FileId

\REGISTRY\A\{182dd7c9-519a-8d36-e1d9-31226353b399}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

LowerCaseLongPath

\REGISTRY\A\{182dd7c9-519a-8d36-e1d9-31226353b399}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

LongPathHash

\REGISTRY\A\{182dd7c9-519a-8d36-e1d9-31226353b399}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

Name

\REGISTRY\A\{182dd7c9-519a-8d36-e1d9-31226353b399}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

OriginalFileName

\REGISTRY\A\{182dd7c9-519a-8d36-e1d9-31226353b399}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

Publisher

\REGISTRY\A\{182dd7c9-519a-8d36-e1d9-31226353b399}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

Version

\REGISTRY\A\{182dd7c9-519a-8d36-e1d9-31226353b399}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

BinFileVersion

\REGISTRY\A\{182dd7c9-519a-8d36-e1d9-31226353b399}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

BinaryType

\REGISTRY\A\{182dd7c9-519a-8d36-e1d9-31226353b399}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

ProductName

\REGISTRY\A\{182dd7c9-519a-8d36-e1d9-31226353b399}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

ProductVersion

\REGISTRY\A\{182dd7c9-519a-8d36-e1d9-31226353b399}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

LinkDate

\REGISTRY\A\{182dd7c9-519a-8d36-e1d9-31226353b399}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

BinProductVersion

\REGISTRY\A\{182dd7c9-519a-8d36-e1d9-31226353b399}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

AppxPackageFullName

\REGISTRY\A\{182dd7c9-519a-8d36-e1d9-31226353b399}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

AppxPackageRelativeId

\REGISTRY\A\{182dd7c9-519a-8d36-e1d9-31226353b399}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

Size

\REGISTRY\A\{182dd7c9-519a-8d36-e1d9-31226353b399}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

Language

\REGISTRY\A\{182dd7c9-519a-8d36-e1d9-31226353b399}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

Usn

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData

ClockTimeSeconds

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData

TickCount

There are 11 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

341000

unkown

page execute and read and write

373E000

stack

page read and write

BA4000

heap

page read and write

4940000

remote allocation

page read and write

2BFE000

stack

page read and write

44C0000

heap

page read and write

624000

unkown

page execute and write copy

D35000

heap

page read and write

2720000

direct allocation

page read and write

7DB000

stack

page read and write

5AD000

unkown

page execute and read and write

CFE000

heap

page read and write

44C1000

heap

page read and write

34BE000

stack

page read and write

BA4000

heap

page read and write

44C1000

heap

page read and write

D82000

heap

page read and write

297E000

stack

page read and write

4AA0000

direct allocation

page execute and read and write

4CC8000

trusted library allocation

page read and write

55B000

unkown

page execute and write copy

4ADD000

stack

page read and write

333F000

stack

page read and write

D55000

heap

page read and write

427E000

stack

page read and write

44C1000

heap

page read and write

BA4000

heap

page read and write

B10000

heap

page read and write

B7E000

stack

page read and write

542000

unkown

page execute and read and write

DD0000

heap

page read and write

BA4000

heap

page read and write

44C1000

heap

page read and write

D6F000

heap

page read and write

D82000

heap

page read and write

510E000

stack

page read and write

270B000

stack

page read and write

DDD000

heap

page read and write

D53000

heap

page read and write

DD5000

heap

page read and write

4DD9000

trusted library allocation

page read and write

337E000

stack

page read and write

340000

unkown

page read and write

DAA000

heap

page read and write

341000

unkown

page execute and write copy

4DE7000

trusted library allocation

page read and write

3FFE000

stack

page read and write

2FBE000

stack

page read and write

59A000

unkown

page execute and write copy

586000

unkown

page execute and write copy

2720000

direct allocation

page read and write

527F000

stack

page read and write

D67000

heap

page read and write

540000

unkown

page execute and write copy

D29000

heap

page read and write

4AE000

unkown

page execute and write copy

4AD0000

direct allocation

page execute and read and write

5DC000

unkown

page execute and read and write

531000

unkown

page execute and write copy

BA4000

heap

page read and write

4940000

remote allocation

page read and write

4B00000

direct allocation

page execute and read and write

437F000

stack

page read and write

3D3F000

stack

page read and write

53A000

unkown

page execute and write copy

397F000

stack

page read and write

2720000

direct allocation

page read and write

44C1000

heap

page read and write

383F000

stack

page read and write

2720000

direct allocation

page read and write

2E3F000

stack

page read and write

4FCF000

stack

page read and write

BA0000

heap

page read and write

2710000

heap

page read and write

30BF000

stack

page read and write

BA4000

heap

page read and write

BA4000

heap

page read and write

BA4000

heap

page read and write

BA4000

heap

page read and write

4B19000

trusted library allocation

page read and write

BA4000

heap

page read and write

4AB0000

direct allocation

page execute and read and write

2720000

direct allocation

page read and write

4C4D000

stack

page read and write

4900000

heap

page read and write

DE6000

heap

page read and write

4AD0000

direct allocation

page execute and read and write

648000

unkown

page execute and read and write

4AC0000

direct allocation

page execute and read and write

D72000

heap

page read and write

5E4000

unkown

page execute and write copy

2720000

direct allocation

page read and write

BA4000

heap

page read and write

D67000

heap

page read and write

533000

unkown

page execute and read and write

413E000

stack

page read and write

4950000

direct allocation

page read and write

293E000

stack

page read and write

BA4000

heap

page read and write

CFA000

heap

page read and write

2720000

direct allocation

page read and write

4950000

direct allocation

page read and write

2737000

heap

page read and write

4AD0000

direct allocation

page execute and read and write

4AD0000

direct allocation

page execute and read and write

BA4000

heap

page read and write

3AFE000

stack

page read and write

4E8F000

stack

page read and write

DAA000

heap

page read and write

44C1000

heap

page read and write

4A8E000

stack

page read and write

4D4D000

stack

page read and write

4DD2000

trusted library allocation

page read and write

639000

unkown

page execute and write copy

4DC4000

trusted library allocation

page read and write

2ABE000

stack

page read and write

502000

unkown

page execute and write copy

4940000

remote allocation

page read and write

528000

unkown

page execute and read and write

5F8000

unkown

page execute and read and write

551E000

stack

page read and write

BA4000

heap

page read and write

5BA000

unkown

page execute and write copy

3C3E000

stack

page read and write

607000

unkown

page execute and read and write

2BBF000

stack

page read and write

BA4000

heap

page read and write

568F000

stack

page read and write

44C1000

heap

page read and write

CF0000

heap

page read and write

347F000

stack

page read and write

633000

unkown

page execute and write copy

26CE000

stack

page read and write

2720000

direct allocation

page read and write

3A0000

unkown

page execute and read and write

51E000

unkown

page execute and read and write

3BFF000

stack

page read and write

BA4000

heap

page read and write

51D000

unkown

page execute and write copy

5B9000

unkown

page execute and read and write

D6F000

heap

page read and write

632000

unkown

page execute and read and write

2F7F000

stack

page read and write

36FF000

stack

page read and write

BA4000

heap

page read and write

30FE000

stack

page read and write

EEF000

stack

page read and write

DD7000

heap

page read and write

323E000

stack

page read and write

581000

unkown

page execute and write copy

BA4000

heap

page read and write

DE6000

heap

page read and write

2A7F000

stack

page read and write

528000

unkown

page execute and write copy

D2F000

heap

page read and write

D73000

heap

page read and write

BA4000

heap

page read and write

3FBF000

stack

page read and write

BA4000

heap

page read and write

632000

unkown

page execute and write copy

44BF000

stack

page read and write

4C0D000

stack

page read and write

3EBE000

stack

page read and write

3D7E000

stack

page read and write

39BE000

stack

page read and write

44C1000

heap

page read and write

31FF000

stack

page read and write

D3F000

heap

page read and write

2D3E000

stack

page read and write

DD3000

heap

page read and write

DD8000

heap

page read and write

2720000

direct allocation

page read and write

5DA000

unkown

page execute and write copy

58B000

unkown

page execute and read and write

53B000

unkown

page execute and read and write

4AD000

unkown

page execute and read and write

35BF000

stack

page read and write

3E7F000

stack

page read and write

D82000

heap

page read and write

498C000

stack

page read and write

340000

unkown

page readonly

5B4000

unkown

page execute and write copy

4950000

direct allocation

page read and write

CEE000

stack

page read and write

35FE000

stack

page read and write

59E000

unkown

page execute and read and write

2720000

direct allocation

page read and write

5BD000

unkown

page execute and read and write

53C0000

trusted library allocation

page read and write

283F000

stack

page read and write

5580000

heap

page read and write

500D000

stack

page read and write

BA4000

heap

page read and write

5C6000

unkown

page execute and read and write

6DB000

stack

page read and write

4AF0000

direct allocation

page execute and read and write

5C4000

unkown

page execute and write copy

56E000

unkown

page execute and read and write

4AE0000

direct allocation

page execute and read and write

53C6000

trusted library allocation

page read and write

2720000

direct allocation

page read and write

4AD0000

direct allocation

page execute and read and write

BA4000

heap

page read and write

BA4000

heap

page read and write

517E000

stack

page read and write

2720000

direct allocation

page read and write

5BC000

unkown

page execute and write copy

53BE000

stack

page read and write

DCC000

heap

page read and write

2E7E000

stack

page read and write

BA4000

heap

page read and write

2720000

direct allocation

page read and write

A30000

heap

page read and write

5A8000

unkown

page execute and write copy

44C1000

heap

page read and write

2720000

direct allocation

page read and write

5BB000

unkown

page execute and read and write

3A0000

unkown

page execute and write copy

2730000

heap

page read and write

BA4000

heap

page read and write

45C0000

trusted library allocation

page read and write

CAE000

stack

page read and write

3ABF000

stack

page read and write

273D000

heap

page read and write

4AD0000

direct allocation

page execute and read and write

4ECE000

stack

page read and write

DDD000

heap

page read and write

585000

unkown

page execute and read and write

51B000

unkown

page execute and read and write

4FF000

unkown

page execute and read and write

DC9000

heap

page read and write

43BE000

stack

page read and write

DCB000

heap

page read and write

53C000

unkown

page execute and write copy

423F000

stack

page read and write

387E000

stack

page read and write

DE6000

heap

page read and write

649000

unkown

page execute and write copy

648000

unkown

page execute and write copy

5E5000

unkown

page execute and read and write

DE6000

heap

page read and write

4D8D000

stack

page read and write

2CFF000

stack

page read and write

52BE000

stack

page read and write

3AC000

unkown

page execute and write copy

639000

unkown

page execute and write copy

5F7000

unkown

page execute and write copy

53D000

unkown

page execute and read and write

40FF000

stack

page read and write

There are 239 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
file.exe