Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.5382012064967485
Filename:	file.exe
Filesize:	2963456
MD5:	e6f6b8cea53e7f4747e424f1617f3393
SHA1:	59c199c720a2e106822defba032c2eb90f9699da
SHA256:	95b1cfb989f22fc872400433acaa047fc01be081433137307523e4d116390598
SHA512:	dbf6884718d3d08964897c5e002a7316081a6d38d4b68dc0220863eacc9a6f6108af7fa7dbfcac11a6a5008cc79a61db8d73daa628e7c3f6581c5973b7c66d3d
SSDEEP:	49152:gWMmSUIIBPsnQjJqwBowbUX8Xg8WBYHbfoPjivt:gmSUIIBPsnYJ1BoeUXWg8X7wLiv
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f..............................0...........@...........................0.....Y+....@.................................W...k..

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation
Found malware configuration	AV Detection
Hides threads from debuggers	Anti Debugging
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)	Boot Survival
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion	Security Software Discovery
Tries to detect sandboxes and other dynamic analysis tools (window names)	Anti Debugging
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion
Tries to evade debugger and weak emulator (self modifying code)	Malware Analysis System Evasion
Checks for debuggers (devices)	Anti Debugging
Checks if the current process is being debugged	Anti Debugging
Contains capabilities to detect virtual machines	Malware Analysis System Evasion
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Detected potential crypto function	System Summary	Archive Collected Data
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
Found potential string decryption / allocating functions	System Summary
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
One or more processes crash	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Found strings which match to known social media urls	Networking
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Queries a list of all running drivers	Malware Analysis System Evasion
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_2f26e4b65edfc9809a16d7533fcfcfa7c28d99cc_852b229c_6a2bb52a-8ce2-4c81-ac10-6151ce28c804\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_2f26e4b65edfc9809a16d7533fcfcfa7c28d99cc_852b229c_6a2bb52a-8ce2-4c81-ac10-6151ce28c804\Report.wer
Category:	dropped
Dump:	Report.wer.4.dr
ID:	dr_3
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	1.0288199864711824
Encrypted:	false
Ssdeep:	192:Ph6Gq5MszGvkQPlktS0BU/fI3juFjnzuiFdZ24IO8TVB:/1kQN6ZBU/YjozuiFdY4IO8X
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA12D.tmp.dmp

Mini DuMP crash report, 15 streams, Mon Oct 14 04:52:09 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERA12D.tmp.dmp
Category:	dropped
Dump:	WERA12D.tmp.dmp.4.dr
ID:	dr_0
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 15 streams, Mon Oct 14 04:52:09 2024, 0x1205a4 type
Entropy:	1.47926559278303
Encrypted:	false
Ssdeep:	768:YnVRABtr2f0k8qFYIBbki7r/qBt03SonQSXCwFvj8Y:YVI8KIBbXqBt0ionSwFh
Size:	282316
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA787.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERA787.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WERA787.tmp.WERInternalMetadata.xml.4.dr
ID:	dr_1
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.6880305510308826
Encrypted:	false
Ssdeep:	192:R6l7wVeJFCI6f6Y9MSU9rVgmfBGedprm89bQusfvsAQm:R6lXJH6f6YWSU9rVgmfZPQtfz
Size:	8292
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA814.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERA814.tmp.xml
Category:	dropped
Dump:	WERA814.tmp.xml.4.dr
ID:	dr_2
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.42167074576792
Encrypted:	false
Ssdeep:	48:cvIwWl8zscJg77aI99SWpW8VY/Ym8M4JjlF4+q8CtkiOTd:uIjfaI7rz7V/JsdjOTd
Size:	4542
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.4.dr
ID:	dr_4
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.465308991916192
Encrypted:	false
Ssdeep:	6144:AIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNPdwBCswSb3:FXD94+WlLZMM6YFH1+3
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6988
Target ID:	0
Parent PID:	2580
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	2963456
MD5:	E6F6B8CEA53E7F4747E424F1617F3393
Time:	00:52:02
Date:	14/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x530000
Modulesize:	3203072
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6988 -s 1924

Details

Is windows:	true
Is dropped:	false
PID:	3260
Target ID:	4
Parent PID:	6988
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6988 -s 1924
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	00:52:08
Date:	14/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x9d0000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6988 -s 1936

Details

Is windows:	true
Is dropped:	false
PID:	5688
Target ID:	5
Parent PID:	6988
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6988 -s 1936
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	00:52:08
Date:	14/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x9d0000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://sergei-esenin.com/

unknown

studennotediw.store

dissapoiznw.store

https://steamcommunity.com/profiles/76561199724331900

104.102.49.254

https://steamcommunity.com:443/profiles/76561199724331900

unknown

eaglepawnoy.store

https://steamcommunity.com/profiles/76561199724331900/inventory/

unknown

https://sergei-esenin.com:443/api

unknown

https://sergei-esenin.com/0

unknown

https://sergei-esenin.com/apiA

unknown

bathdoomgaz.store

https://sergei-esenin.com/apirt.c

unknown

https://sergei-esenin.com/api0

unknown

clearancek.site

spirittunek.store

licendfilteo.site

https://sergei-esenin.com/C:

unknown

https://www.cloudflare.com/learning/access-management/phishing-attack/

unknown

https://player.vimeo.com

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp

unknown

https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f

unknown

https://bathdoomgaz.store:443/api

unknown

https://steamcommunity.com/?subsection=broadcasts

unknown

https://store.steampowered.com/subscriber_agreement/

unknown

https://www.gstatic.cn/recaptcha/

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6

unknown

http://www.valvesoftware.com/legal.htm

unknown

https://www.youtube.com

unknown

https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png

unknown

https://www.google.com

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png

unknown

https://eaglepawnoy.store:443/apiP

unknown

https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&

unknown

https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

unknown

https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi

unknown

https://s.ytimg.com;

unknown

https://steam.tv/

unknown

https://licendfilteo.site:443/api

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english

unknown

http://store.steampowered.com/privacy_agreement/

unknown

https://store.steampowered.com/points/shop/

unknown

https://sketchfab.com

unknown

https://lv.queniujq.cn

unknown

https://www.youtube.com/

unknown

https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg

unknown

https://store.steampowered.com/privacy_agreement/

unknown

https://www.cloudflare.com/learning/access-manag

unknown

https://www.cloudflare.com/5xx-error-landing

unknown

https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0

unknown

https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am

unknown

https://www.google.com/recaptcha/

unknown

https://checkout.steampowered.com/

unknown

https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english

unknown

https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png

unknown

https://avatars.akamai.steamstatic

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis

unknown

https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC

unknown

https://store.steampowered.com/;

unknown

https://store.steampowered.com/about/

unknown

https://steamcommunity.com/my/wishlist/

unknown

https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english

unknown

https://help.steampowered.com/en/

unknown

https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/

unknown

https://steamcommunity.com/market/

unknown

https://store.steampowered.com/news/

unknown

https://community.akamai.steamstatic.com/

unknown

http://store.steampowered.com/subscriber_agreement/

unknown

https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1

unknown

https://recaptcha.net/recaptcha/;

unknown

https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en

unknown

https://dissapoiznw.store:443/api

unknown

https://steamcommunity.com/discussions/

unknown

https://store.steampowered.com/stats/

unknown

https://medal.tv

unknown

https://broadcast.st.dl.eccdnx.com

unknown

https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1

unknown

https://store.steampowered.com/steam_refunds/

unknown

https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900

unknown

https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e

unknown

https://clearancek.site:443/api

unknown

https://steamcommunity.com/workshop/

unknown

https://login.steampowered.com/

unknown

https://store.steampowered.com/legal/

unknown

https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv

unknown

https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl

unknown

https://recaptcha.net

unknown

http://upx.sf.net

unknown

https://store.steampowered.com/

unknown

https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw

unknown

https://studennotediw.store:443/api

unknown

https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif

unknown

http://127.0.0.1:27060

unknown

https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016

unknown

There are 90 hidden URLs, click here to show them.

Domains

Name

Malicious

steamcommunity.com

104.102.49.254

sergei-esenin.com

104.21.53.8

eaglepawnoy.store

unknown

bathdoomgaz.store

unknown

spirittunek.store

unknown

licendfilteo.site

unknown

studennotediw.store

unknown

mobbipenju.store

unknown

clearancek.site

unknown

dissapoiznw.store

unknown

241.42.69.40.in-addr.arpa

unknown

There are 1 hidden domains, click here to show them.

IPs

Domain

Country

Malicious

104.21.53.8

sergei-esenin.com

United States

Details

IP:	104.21.53.8
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	sergei-esenin.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

104.102.49.254

steamcommunity.com

United States

Details

IP:	104.102.49.254
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	16625
ASN name:	AKAMAI-ASUS
Private:	false
Domain:	steamcommunity.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

\REGISTRY\A\{e91c8de6-98e2-bd78-c7f6-f4ad81b75974}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

ProgramId

\REGISTRY\A\{e91c8de6-98e2-bd78-c7f6-f4ad81b75974}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

FileId

\REGISTRY\A\{e91c8de6-98e2-bd78-c7f6-f4ad81b75974}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

LowerCaseLongPath

\REGISTRY\A\{e91c8de6-98e2-bd78-c7f6-f4ad81b75974}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

LongPathHash

\REGISTRY\A\{e91c8de6-98e2-bd78-c7f6-f4ad81b75974}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

Name

\REGISTRY\A\{e91c8de6-98e2-bd78-c7f6-f4ad81b75974}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

OriginalFileName

\REGISTRY\A\{e91c8de6-98e2-bd78-c7f6-f4ad81b75974}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

Publisher

\REGISTRY\A\{e91c8de6-98e2-bd78-c7f6-f4ad81b75974}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

Version

\REGISTRY\A\{e91c8de6-98e2-bd78-c7f6-f4ad81b75974}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

BinFileVersion

\REGISTRY\A\{e91c8de6-98e2-bd78-c7f6-f4ad81b75974}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

BinaryType

\REGISTRY\A\{e91c8de6-98e2-bd78-c7f6-f4ad81b75974}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

ProductName

\REGISTRY\A\{e91c8de6-98e2-bd78-c7f6-f4ad81b75974}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

ProductVersion

\REGISTRY\A\{e91c8de6-98e2-bd78-c7f6-f4ad81b75974}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

LinkDate

\REGISTRY\A\{e91c8de6-98e2-bd78-c7f6-f4ad81b75974}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

BinProductVersion

\REGISTRY\A\{e91c8de6-98e2-bd78-c7f6-f4ad81b75974}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

AppxPackageFullName

\REGISTRY\A\{e91c8de6-98e2-bd78-c7f6-f4ad81b75974}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

AppxPackageRelativeId

\REGISTRY\A\{e91c8de6-98e2-bd78-c7f6-f4ad81b75974}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

Size

\REGISTRY\A\{e91c8de6-98e2-bd78-c7f6-f4ad81b75974}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

Language

\REGISTRY\A\{e91c8de6-98e2-bd78-c7f6-f4ad81b75974}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

Usn

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData

ClockTimeSeconds

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData

TickCount

There are 11 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

531000

unkown

page execute and read and write

35BF000

stack

page read and write

3C3E000

stack

page read and write

4A01000

heap

page read and write

514E000

stack

page read and write

7C8000

unkown

page execute and write copy

7F3000

unkown

page execute and read and write

423F000

stack

page read and write

49F0000

direct allocation

page read and write

12C7000

heap

page read and write

820000

unkown

page execute and write copy

4A01000

heap

page read and write

49F0000

direct allocation

page read and write

49F0000

direct allocation

page read and write

7C9000

unkown

page execute and read and write

464E000

stack

page read and write

49F0000

direct allocation

page read and write

5010000

direct allocation

page execute and read and write

5322000

trusted library allocation

page read and write

530000

unkown

page read and write

596F000

stack

page read and write

7A9000

unkown

page execute and read and write

488F000

stack

page read and write

7D1000

unkown

page execute and write copy

4A01000

heap

page read and write

5830000

trusted library allocation

page read and write

4A01000

heap

page read and write

1293000

heap

page read and write

51F7000

trusted library allocation

page read and write

4FCF000

stack

page read and write

538F000

stack

page read and write

70F000

unkown

page execute and write copy

12C7000

heap

page read and write

373E000

stack

page read and write

791000

unkown

page execute and write copy

2FBF000

stack

page read and write

4A01000

heap

page read and write

49F0000

direct allocation

page read and write

568E000

stack

page read and write

49F0000

direct allocation

page read and write

59B000

unkown

page execute and read and write

49F0000

direct allocation

page read and write

474F000

stack

page read and write

7A2000

unkown

page execute and write copy

10CE000

stack

page read and write

12D7000

heap

page read and write

76F000

unkown

page execute and write copy

43BE000

stack

page read and write

4A01000

heap

page read and write

3FBF000

stack

page read and write

554E000

stack

page read and write

1318000

heap

page read and write

49F0000

direct allocation

page read and write

72E000

unkown

page execute and write copy

78E000

unkown

page execute and write copy

3D7E000

stack

page read and write

120D000

stack

page read and write

2CB7000

heap

page read and write

2C2C000

stack

page read and write

501D000

stack

page read and write

4A01000

heap

page read and write

3E7F000

stack

page read and write

3ABF000

stack

page read and write

413E000

stack

page read and write

478E000

stack

page read and write

49D0000

heap

page read and write

3AFE000

stack

page read and write

39BE000

stack

page read and write

4E7D000

stack

page read and write

130D000

heap

page read and write

2CAE000

stack

page read and write

52F8000

trusted library allocation

page read and write

49F0000

direct allocation

page read and write

129E000

heap

page read and write

7AA000

unkown

page execute and write copy

825000

unkown

page execute and read and write

323E000

stack

page read and write

44BF000

stack

page read and write

7A1000

unkown

page execute and read and write

59A000

unkown

page execute and write copy

131D000

heap

page read and write

4B00000

trusted library allocation

page read and write

83A000

unkown

page execute and write copy

810000

unkown

page execute and write copy

82B000

unkown

page execute and write copy

82B000

unkown

page execute and write copy

124E000

stack

page read and write

1080000

heap

page read and write

4A00000

heap

page read and write

6F2000

unkown

page execute and read and write

5010000

direct allocation

page execute and read and write

347F000

stack

page read and write

125A000

heap

page read and write

1289000

heap

page read and write

427E000

stack

page read and write

49F0000

direct allocation

page read and write

144E000

stack

page read and write

49F0000

direct allocation

page read and write

4E90000

direct allocation

page read and write

741000

unkown

page execute and write copy

1332000

heap

page read and write

530000

unkown

page readonly

5020000

direct allocation

page execute and read and write

6F4000

unkown

page execute and write copy

5010000

direct allocation

page execute and read and write

1298000

heap

page read and write

820000

unkown

page execute and write copy

3FFD000

stack

page read and write

7D3000

unkown

page execute and read and write

54CF000

stack

page read and write

4FF0000

direct allocation

page execute and read and write

12B3000

heap

page read and write

4A01000

heap

page read and write

437F000

stack

page read and write

460F000

stack

page read and write

1030000

heap

page read and write

4ECC000

stack

page read and write

1085000

heap

page read and write

590000

unkown

page execute and write copy

4E90000

direct allocation

page read and write

83A000

unkown

page execute and read and write

35FE000

stack

page read and write

718000

unkown

page execute and write copy

4A01000

heap

page read and write

704000

unkown

page execute and read and write

387E000

stack

page read and write

1250000

heap

page read and write

773000

unkown

page execute and read and write

52FB000

trusted library allocation

page read and write

5860000

heap

page read and write

531000

unkown

page execute and write copy

53CE000

stack

page read and write

5040000

direct allocation

page execute and read and write

4E90000

direct allocation

page read and write

5030000

direct allocation

page execute and read and write

778000

unkown

page execute and read and write

4FE0000

direct allocation

page execute and read and write

49F0000

direct allocation

page read and write

79F000

unkown

page execute and write copy

59C000

unkown

page execute and write copy

450E000

stack

page read and write

57FE000

stack

page read and write

4A01000

heap

page read and write

49F0000

direct allocation

page read and write

564F000

stack

page read and write

11CE000

stack

page read and write

4A01000

heap

page read and write

44C0000

heap

page read and write

1340000

heap

page read and write

12B3000

heap

page read and write

1326000

heap

page read and write

5313000

trusted library allocation

page read and write

2CB0000

heap

page read and write

36FF000

stack

page read and write

F50000

heap

page read and write

48CE000

stack

page read and write

4A01000

heap

page read and write

1340000

heap

page read and write

397F000

stack

page read and write

383F000

stack

page read and write

5010000

direct allocation

page execute and read and write

4A01000

heap

page read and write

3EBE000

stack

page read and write

49F0000

direct allocation

page read and write

4A01000

heap

page read and write

719000

unkown

page execute and read and write

130F000

heap

page read and write

337E000

stack

page read and write

54E0000

remote allocation

page read and write

786000

unkown

page execute and read and write

5010000

direct allocation

page execute and read and write

30BF000

stack

page read and write

31FF000

stack

page read and write

128F000

heap

page read and write

790000

unkown

page execute and read and write

774000

unkown

page execute and write copy

EFB000

stack

page read and write

780000

unkown

page execute and write copy

72F000

unkown

page execute and read and write

4A01000

heap

page read and write

578E000

stack

page read and write

54E0000

remote allocation

page read and write

5000000

direct allocation

page execute and read and write

129E000

heap

page read and write

792000

unkown

page execute and read and write

4A01000

heap

page read and write

5051000

trusted library allocation

page read and write

333F000

stack

page read and write

590000

unkown

page execute and read and write

2CBD000

heap

page read and write

2DBF000

stack

page read and write

5308000

trusted library allocation

page read and write

524D000

stack

page read and write

7B3000

unkown

page execute and read and write

3D3F000

stack

page read and write

54E0000

remote allocation

page read and write

4A01000

heap

page read and write

2C6E000

stack

page read and write

813000

unkown

page execute and write copy

2EBE000

stack

page read and write

3BFF000

stack

page read and write

4A01000

heap

page read and write

49CF000

stack

page read and write

BFB000

stack

page read and write

5010000

direct allocation

page execute and read and write

125E000

heap

page read and write

40FE000

stack

page read and write

528E000

stack

page read and write

826000

unkown

page execute and write copy

30FE000

stack

page read and write

70F000

unkown

page execute and read and write

34BE000

stack

page read and write

754000

unkown

page execute and read and write

There are 203 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
file.exe