Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\hesaphareketi-015232024.SCR.exe

"C:\Users\user\Desktop\hesaphareketi-015232024.SCR.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2444
Target ID:	0
Parent PID:	3504
Name:	hesaphareketi-015232024.SCR.exe
Path:	C:\Users\user\Desktop\hesaphareketi-015232024.SCR.exe
Commandline:	"C:\Users\user\Desktop\hesaphareketi-015232024.SCR.exe"
Size:	329216
MD5:	14F0B309C14C5F5E75C9A1D95967318B
Time:	09:14:55
Date:	23/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x270000
Modulesize:	352256
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	2796
Target ID:	2
Parent PID:	2444
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	09:14:55
Date:	23/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x670000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: RegAsm connects to smtp port	Networking
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://api.ipify.org/

172.67.74.152

Details

Name:	https://api.ipify.org/
IP:	172.67.74.152
TargetID:	2
From Memory:	false
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

http://r3.o.lencr.org0

unknown

Details

Name:	http://r3.o.lencr.org0
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source:	RegAsm.exe, 00000002.00000002.3744691064.0000000002F5C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000003027000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3753167648.00000000091E2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002E27000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3748493743.0000000005D29000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3743920591.0000000000FC9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002CAD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002D48000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3743534682.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3748493743.0000000005D10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002B75000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3743830230.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3743830230.0000000000FBF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3748385053.0000000005D00000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://api.ipify.org

unknown

Details

Name:	https://api.ipify.org
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\hesaphareketi-015232024.SCR.exe
Source:	hesaphareketi-015232024.SCR.exe, 00000000.00000002.1273273213.0000000003619000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3734809898.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\hesaphareketi-015232024.SCR.exe
Source:	hesaphareketi-015232024.SCR.exe, 00000000.00000002.1273273213.0000000003619000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3734809898.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://x1.c.lencr.org/0

unknown

Details

Name:	http://x1.c.lencr.org/0
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source:	RegAsm.exe, 00000002.00000002.3748765410.0000000005D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002F5C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3748813573.0000000005DB1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000003027000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002E27000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3748493743.0000000005D29000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3743920591.0000000000FC9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3753745047.0000000009263000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3752707810.0000000009190000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002CAD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002D48000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3753319677.00000000091F5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3748878534.0000000005DC1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3748493743.0000000005D10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002B75000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3743830230.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3743534682.0000000000F04000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3743830230.0000000000FBF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3748385053.0000000005D00000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://x1.i.lencr.org/0

unknown

Details

Name:	http://x1.i.lencr.org/0
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source:	RegAsm.exe, 00000002.00000002.3748765410.0000000005D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002F5C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3748813573.0000000005DB1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000003027000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002E27000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3748493743.0000000005D29000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3743920591.0000000000FC9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3753745047.0000000009263000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3752707810.0000000009190000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002CAD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002D48000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3753319677.00000000091F5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3748878534.0000000005DC1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3748493743.0000000005D10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002B75000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3743830230.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3743534682.0000000000F04000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3743830230.0000000000FBF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3748385053.0000000005D00000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://tqpas.com

unknown

Details

Name:	http://tqpas.com
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source:	RegAsm.exe, 00000002.00000002.3744691064.0000000002F5C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000003027000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002E27000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002CAD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002D48000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002B75000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://r3.i.lencr.org/0

unknown

Details

Name:	http://r3.i.lencr.org/0
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source:	RegAsm.exe, 00000002.00000002.3744691064.0000000002F5C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000003027000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3753167648.00000000091E2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002E27000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3748493743.0000000005D29000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3743920591.0000000000FC9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002CAD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002D48000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3743534682.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3748493743.0000000005D10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002B75000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3743830230.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3743830230.0000000000FBF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3744691064.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3748385053.0000000005D00000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

tqpas.com

91.235.116.231

Details

Name:	tqpas.com
IP:	91.235.116.231
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Sigma detected: RegAsm connects to smtp port	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

api.ipify.org

172.67.74.152

Details

Name:	api.ipify.org
IP:	172.67.74.152
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

91.235.116.231

tqpas.com

Romania

Details

IP:	91.235.116.231
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	Romania
Countrycode:	ROU
ASN number:	51177
ASN name:	THCPROJECTSRO
Private:	false
Domain:	tqpas.com

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: RegAsm connects to smtp port	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

172.67.74.152

api.ipify.org

United States

Details

IP:	172.67.74.152
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

402000

remote allocation

page execute and read and write

3619000

trusted library allocation

page read and write

2AEB000

trusted library allocation

page read and write

8F8000

heap

page read and write

2E01000

trusted library allocation

page read and write

8D0000

heap

page read and write

5D9F000

heap

page read and write

4AF0000

trusted library allocation

page read and write

2C30000

trusted library allocation

page read and write

27C0000

heap

page execute and read and write

6AA0000

heap

page read and write

2F5C000

trusted library allocation

page read and write

8DE000

heap

page read and write

4AA0000

trusted library allocation

page read and write

788F000

stack

page read and write

5174000

trusted library allocation

page read and write

5DB1000

heap

page read and write

3027000

trusted library allocation

page read and write

4FB0000

heap

page execute and read and write

6D89000

heap

page read and write

91A0000

heap

page read and write

63E6000

trusted library allocation

page read and write

C55000

trusted library allocation

page execute and read and write

92AF000

heap

page read and write

6CFB000

stack

page read and write

F0F000

heap

page read and write

D58C000

stack

page read and write

5D09000

heap

page read and write

905000

heap

page read and write

7A7000

heap

page read and write

557C000

stack

page read and write

91C0000

heap

page read and write

3B49000

trusted library allocation

page read and write

3611000

trusted library allocation

page read and write

2AE7000

trusted library allocation

page read and write

91E2000

heap

page read and write

4A81000

trusted library allocation

page read and write

C42000

trusted library allocation

page read and write

64E0000

trusted library allocation

page execute and read and write

92D1000

heap

page read and write

CD5000

heap

page read and write

2890000

heap

page read and write

35A000

stack

page read and write

5770000

heap

page read and write

923F000

heap

page read and write

2AD2000

trusted library allocation

page read and write

CC0000

trusted library allocation

page execute and read and write

AD6000

trusted library allocation

page execute and read and write

8FB000

heap

page read and write

2816000

trusted library allocation

page read and write

260E000

stack

page read and write

664C000

stack

page read and write

2C43000

trusted library allocation

page read and write

4AC0000

trusted library allocation

page read and write

24F0000

trusted library allocation

page execute and read and write

4F00000

trusted library allocation

page execute and read and write

F61000

heap

page read and write

6A90000

heap

page read and write

299E000

stack

page read and write

4A60000

trusted library allocation

page read and write

C57000

trusted library allocation

page execute and read and write

EAF000

stack

page read and write

4F30000

trusted library allocation

page read and write

272000

unkown

page readonly

7B0000

heap

page read and write

EE90000

heap

page read and write

8C0000

trusted library allocation

page read and write

4A6E000

trusted library allocation

page read and write

2E03000

trusted library allocation

page read and write

2E27000

trusted library allocation

page read and write

C0E000

stack

page read and write

8B4000

trusted library allocation

page read and write

5D29000

heap

page read and write

2660000

trusted library allocation

page read and write

2BFE000

trusted library allocation

page read and write

2B5D000

trusted library allocation

page read and write

AF0000

heap

page read and write

2A9E000

stack

page read and write

7E6000

heap

page read and write

4F9B000

stack

page read and write

261E000

stack

page read and write

611E000

stack

page read and write

F44000

heap

page read and write

3617000

trusted library allocation

page read and write

5D98000

heap

page read and write

2B51000

trusted library allocation

page read and write

6400000

trusted library allocation

page execute and read and write

5CEA000

heap

page read and write

780000

heap

page read and write

5160000

heap

page read and write

470B000

stack

page read and write

527C000

stack

page read and write

5794000

heap

page read and write

6880000

trusted library allocation

page read and write

F11000

heap

page read and write

6BF0000

heap

page read and write

2B9B000

trusted library allocation

page read and write

27BC000

stack

page read and write

625E000

stack

page read and write

4F5E000

stack

page read and write

8C3000

trusted library allocation

page read and write

75BE000

stack

page read and write

2834000

trusted library allocation

page read and write

5DBF000

heap

page read and write

55FD000

stack

page read and write

9192000

heap

page read and write

4B20000

heap

page execute and read and write

4A7E000

trusted library allocation

page read and write

5DA8000

heap

page read and write

77FE000

stack

page read and write

77E000

stack

page read and write

FC9000

heap

page read and write

5620000

trusted library allocation

page read and write

2811000

trusted library allocation

page read and write

2C0A000

trusted library allocation

page read and write

828B000

stack

page read and write

2D31000

trusted library allocation

page read and write

76FE000

stack

page read and write

922C000

heap

page read and write

6860000

heap

page read and write

5000000

heap

page read and write

4FA0000

heap

page read and write

6890000

trusted library allocation

page execute and read and write

561D000

trusted library allocation

page read and write

5CE0000

heap

page read and write

24EB000

stack

page read and write

2CF8000

trusted library allocation

page read and write

51A0000

trusted library allocation

page read and write

5DDB000

heap

page read and write

400000

remote allocation

page execute and read and write

71A000

stack

page read and write

4ABF000

trusted library allocation

page read and write

26BB000

stack

page read and write

4FB0000

heap

page read and write

C46000

trusted library allocation

page execute and read and write

6F62000

trusted library allocation

page read and write

CD0000

heap

page read and write

547C000

stack

page read and write

92CF000

heap

page read and write

2DD7000

trusted library allocation

page read and write

4DA0000

trusted library section

page read and write

26E8000

trusted library allocation

page read and write

4FD0000

heap

page read and write

9263000

heap

page read and write

3003000

trusted library allocation

page read and write

4AB8000

trusted library allocation

page read and write

2ADF000

trusted library allocation

page read and write

2B4D000

trusted library allocation

page read and write

4F40000

trusted library allocation

page execute and read and write

9190000

heap

page read and write

CBE000

stack

page read and write

26D0000

trusted library allocation

page read and write

270000

unkown

page readonly

5CE6000

heap

page read and write

639E000

stack

page read and write

73E000

stack

page read and write

C4A000

trusted library allocation

page execute and read and write

7382000

heap

page read and write

4B9D000

stack

page read and write

91CC000

heap

page read and write

2CAD000

trusted library allocation

page read and write

AE7000

trusted library allocation

page execute and read and write

67DC000

stack

page read and write

5CDD000

stack

page read and write

7E0000

heap

page read and write

8D8000

heap

page read and write

C2D000

trusted library allocation

page execute and read and write

C40000

trusted library allocation

page read and write

4BF3000

heap

page read and write

4AB0000

trusted library allocation

page read and write

2AA1000

trusted library allocation

page read and write

2611000

trusted library allocation

page read and write

63E0000

trusted library allocation

page read and write

5608000

trusted library allocation

page read and write

AF9000

stack

page read and write

7C7000

heap

page read and write

7F370000

trusted library allocation

page execute and read and write

AE2000

trusted library allocation

page read and write

2400000

heap

page read and write

BFF000

stack

page read and write

92A0000

heap

page read and write

9195000

heap

page read and write

2ADB000

trusted library allocation

page read and write

2822000

trusted library allocation

page read and write

AD0000

trusted library allocation

page read and write

4AD0000

trusted library allocation

page read and write

2D48000

trusted library allocation

page read and write

C20000

trusted library allocation

page read and write

2B49000

trusted library allocation

page read and write

629E000

stack

page read and write

8CD000

trusted library allocation

page execute and read and write

4EF0000

trusted library allocation

page read and write

91F5000

heap

page read and write

66DC000

stack

page read and write

ED0000

heap

page read and write

3D0000

heap

page read and write

5070000

heap

page read and write

747E000

stack

page read and write

2C0E000

trusted library allocation

page read and write

8A0000

trusted library allocation

page read and write

50DE000

stack

page read and write

757E000

stack

page read and write

4D9E000

stack

page read and write

5080000

heap

page read and write

64F0000

trusted library allocation

page read and write

64DC000

stack

page read and write

63F0000

trusted library allocation

page read and write

23B0000

trusted library allocation

page read and write

281D000

trusted library allocation

page read and write

2500000

heap

page execute and read and write

790000

heap

page read and write

265B000

stack

page read and write

2B59000

trusted library allocation

page read and write

4F1C000

stack

page read and write

8B3000

trusted library allocation

page execute and read and write

F51000

heap

page read and write

4FC0000

heap

page read and write

27FE000

trusted library allocation

page read and write

5627000

trusted library allocation

page read and write

3B29000

trusted library allocation

page read and write

5DC1000

heap

page read and write

4A90000

trusted library allocation

page read and write

2B17000

trusted library allocation

page read and write

7A0000

heap

page read and write

C30000

trusted library allocation

page read and write

537E000

stack

page read and write

3AC9000

trusted library allocation

page read and write

5D10000

heap

page read and write

668E000

stack

page read and write

2EBA000

trusted library allocation

page read and write

4BF0000

heap

page read and write

91D5000

heap

page read and write

2B75000

trusted library allocation

page read and write

4FFC000

stack

page read and write

6D80000

heap

page read and write

91A4000

heap

page read and write

ADA000

trusted library allocation

page execute and read and write

280E000

trusted library allocation

page read and write

5600000

trusted library allocation

page read and write

AEB000

trusted library allocation

page execute and read and write

27D0000

trusted library allocation

page read and write

268C000

trusted library allocation

page read and write

C70000

trusted library allocation

page read and write

9278000

heap

page read and write

2EE4000

trusted library allocation

page read and write

4F9C000

stack

page read and write

2AE3000

trusted library allocation

page read and write

F9B000

heap

page read and write

C10000

trusted library allocation

page read and write

2802000

trusted library allocation

page read and write

5D92000

heap

page read and write

780000

heap

page read and write

8B0000

trusted library allocation

page read and write

7B5000

heap

page read and write

4A86000

trusted library allocation

page read and write

4A92000

trusted library allocation

page read and write

4A50000

trusted library allocation

page read and write

23FE000

stack

page read and write

5074000

heap

page read and write

F04000

heap

page read and write

FBF000

heap

page read and write

649F000

stack

page read and write

76BE000

stack

page read and write

2DEA000

trusted library allocation

page read and write

5DB9000

heap

page read and write

27FB000

trusted library allocation

page read and write

4BDE000

stack

page read and write

615E000

stack

page read and write

C23000

trusted library allocation

page execute and read and write

68A0000

heap

page read and write

4FC5000

heap

page read and write

3C0000

heap

page read and write

27F0000

trusted library allocation

page read and write

8BD000

trusted library allocation

page execute and read and write

914000

heap

page read and write

4EE0000

heap

page read and write

2FD7000

trusted library allocation

page read and write

6D90000

trusted library allocation

page read and write

2840000

trusted library allocation

page read and write

3AA1000

trusted library allocation

page read and write

EDB000

heap

page read and write

9235000

heap

page read and write

5D00000

heap

page read and write

27E0000

trusted library allocation

page read and write

C24000

trusted library allocation

page read and write

4A64000

trusted library allocation

page read and write

4A6B000

trusted library allocation

page read and write

4F10000

trusted library section

page read and write

C5B000

trusted library allocation

page execute and read and write

2F0A000

trusted library allocation

page read and write

55BC000

stack

page read and write

7C0000

heap

page read and write

2EE6000

trusted library allocation

page read and write

4FA0000

trusted library section

page readonly

5760000

heap

page read and write

ACE000

stack

page read and write

5170000

trusted library allocation

page read and write

91B9000

heap

page read and write

924A000

heap

page read and write

C3D000

trusted library allocation

page execute and read and write

2830000

trusted library allocation

page read and write

EB0000

heap

page read and write

63DD000

stack

page read and write

5EDD000

stack

page read and write

6F8000

stack

page read and write

99B000

heap

page read and write

9200000

heap

page read and write

3B09000

trusted library allocation

page read and write

5610000

trusted library allocation

page read and write

C52000

trusted library allocation

page read and write

4A8D000

trusted library allocation

page read and write

26C0000

trusted library allocation

page read and write

2B55000

trusted library allocation

page read and write

2FEB000

trusted library allocation

page read and write

There are 304 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
hesaphareketi-015232024.SCR.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporthesaphareketi-015232024.SCR.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
hesaphareketi-015232024.SCR.exe