Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

hesaphareketi-.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.960231532527883
Filename:	hesaphareketi-.exe
Filesize:	939008
MD5:	6ee05d4dd363d273ce38c497b1238db1
SHA1:	7c4f86c5edfe9cf5d1955c4af44cd8d0a25a0f0a
SHA256:	1a88cd1b38768b690166ed6a6647ca7e975a68b7112c0e938cdfaaea8d509c9e
SHA512:	db37e14f851f0d2de99cff71a720b72f12db0b388c60f0f89e83f2493364bf8bc72eb2a98dcae065c532a2541fc42ddb199d679b1dab91c6bc426925622e3709
SSDEEP:	24576:6yK3B4Tw/bf4vQJTg4i0pMyR++/PhNt96WVp:6N94yU4i0WyD/36WV
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Nf..............0..J...........h... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation
.NET source code contains very large strings	System Summary	System Network Configuration Discovery
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Contains functionality to register a low level keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing
Machine Learning detection for sample	AV Detection
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to harvest and steal ftp login credentials	Stealing of Sensitive Information
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Abnormal high CPU Usage	System Summary
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a window with clipboard capturing capabilities	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Detected potential crypto function	System Summary	Archive Collected Data
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary	Windows Management Instrumentation System Information Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hesaphareketi-.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hesaphareketi-.exe.log
Category:	dropped
Dump:	hesaphareketi-.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\hesaphareketi-.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\hesaphareketi-.exe

"C:\Users\user\Desktop\hesaphareketi-.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6832
Target ID:	0
Parent PID:	2580
Name:	hesaphareketi-.exe
Path:	C:\Users\user\Desktop\hesaphareketi-.exe
Commandline:	"C:\Users\user\Desktop\hesaphareketi-.exe"
Size:	939008
MD5:	6EE05D4DD363D273CE38C497B1238DB1
Time:	14:26:09
Date:	23/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x440000
Modulesize:	966656
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\hesaphareketi-.exe

"C:\Users\user\Desktop\hesaphareketi-.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3496
Target ID:	2
Parent PID:	6832
Name:	hesaphareketi-.exe
Path:	C:\Users\user\Desktop\hesaphareketi-.exe
Commandline:	"C:\Users\user\Desktop\hesaphareketi-.exe"
Size:	939008
MD5:	6EE05D4DD363D273CE38C497B1238DB1
Time:	14:26:12
Date:	23/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x730000
Modulesize:	966656
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://ftp.normagroup.com.tr

unknown

https://api.ipify.org/

104.26.12.205

http://www.apache.org/licenses/LICENSE-2.0

unknown

http://www.fontbureau.com

unknown

http://www.fontbureau.com/designersG

unknown

http://www.fontbureau.com/designers/?

unknown

http://www.founder.com.cn/cn/bThe

unknown

https://account.dyn.com/

unknown

http://www.fontbureau.com/designers?

unknown

http://www.tiro.com

unknown

https://github.com/romenrg/genetic-startups

unknown

http://www.fontbureau.com/designers

unknown

http://www.goodfont.co.kr

unknown

https://api.ipify.org/t

unknown

http://www.carterandcone.coml

unknown

http://www.sajatypeworks.com

unknown

http://www.typography.netD

unknown

http://www.fontbureau.com/designers/cabarga.htmlN

unknown

http://www.founder.com.cn/cn/cThe

unknown

http://www.galapagosdesign.com/staff/dennis.htm

unknown

https://api.ipify.org

unknown

http://www.founder.com.cn/cn

unknown

http://www.fontbureau.com/designers/frere-user.html

unknown

http://www.jiyu-kobo.co.jp/

unknown

http://www.galapagosdesign.com/DPlease

unknown

http://www.fontbureau.com/designers8

unknown

http://www.fonts.com

unknown

http://www.sandoll.co.kr

unknown

http://www.urwpp.deDPlease

unknown

http://www.zhongyicts.com.cn

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://www.sakkal.com

unknown

http://tempuri.org/DataSet1.xsd#tableLayoutPanel1

unknown

There are 23 hidden URLs, click here to show them.

Domains

Name

Malicious

ftp.normagroup.com.tr

104.247.165.99

Details

Name:	ftp.normagroup.com.tr
IP:	104.247.165.99
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses FTP	Networking	Application Layer Protocol Exfiltration Over Alternative Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

api.ipify.org

104.26.12.205

Details

Name:	api.ipify.org
IP:	104.26.12.205
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

104.247.165.99

ftp.normagroup.com.tr

United States

Details

IP:	104.247.165.99
TargetID:	2
Current Path:	C:\Users\user\Desktop\hesaphareketi-.exe
Country:	United States
Countrycode:	USA
ASN number:	8100
ASN name:	ASN-QUADRANET-GLOBALUS
Private:	false
Domain:	ftp.normagroup.com.tr

Signature Hits	Behavior Group	Mitre Attack
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses FTP	Networking	Application Layer Protocol Exfiltration Over Alternative Protocol

104.26.12.205

api.ipify.org

United States

Details

IP:	104.26.12.205
TargetID:	2
Current Path:	C:\Users\user\Desktop\hesaphareketi-.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hesaphareketi-_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hesaphareketi-_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hesaphareketi-_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hesaphareketi-_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hesaphareketi-_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hesaphareketi-_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hesaphareketi-_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hesaphareketi-_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hesaphareketi-_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hesaphareketi-_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hesaphareketi-_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hesaphareketi-_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hesaphareketi-_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hesaphareketi-_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

3879000

trusted library allocation

page read and write

3AE6000

trusted library allocation

page read and write

2B91000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

2BB9000

trusted library allocation

page read and write

4EA0000

trusted library allocation

page execute and read and write

4D20000

trusted library allocation

page read and write

8F7000

stack

page read and write

10338000

trusted library allocation

page read and write

B79000

heap

page read and write

10BC000

stack

page read and write

9A9000

stack

page read and write

D24000

heap

page read and write

84F9000

trusted library allocation

page read and write

B16000

heap

page read and write

1100000

trusted library allocation

page read and write

84F6000

trusted library allocation

page read and write

4DB0000

heap

page read and write

5830000

heap

page read and write

CE5000

heap

page read and write

572C000

stack

page read and write

1036F000

trusted library allocation

page read and write

9EFE000

stack

page read and write

2B7F000

trusted library allocation

page read and write

E20000

trusted library allocation

page read and write

2900000

trusted library allocation

page read and write

4CEE000

trusted library allocation

page read and write

E00000

trusted library allocation

page read and write

750E000

stack

page read and write

28B1000

trusted library allocation

page read and write

4D40000

trusted library allocation

page read and write

50FE000

stack

page read and write

10351000

trusted library allocation

page read and write

A5E000

stack

page read and write

55EE000

stack

page read and write

5250000

trusted library section

page read and write

CB8000

heap

page read and write

1031B000

trusted library allocation

page read and write

1132000

trusted library allocation

page read and write

A70000

heap

page read and write

FB7000

heap

page read and write

11AF6000

trusted library allocation

page read and write

5750000

trusted library allocation

page read and write

4FED000

trusted library allocation

page read and write

2A10000

trusted library allocation

page read and write

635C000

heap

page read and write

C6E000

stack

page read and write

E30000

trusted library allocation

page read and write

631B000

heap

page read and write

D2F000

heap

page read and write

113B000

trusted library allocation

page execute and read and write

CCE000

heap

page read and write

3B69000

trusted library allocation

page read and write

C70000

heap

page read and write

1126000

trusted library allocation

page execute and read and write

1035B000

trusted library allocation

page read and write

524E000

stack

page read and write

604C000

stack

page read and write

678F000

stack

page read and write

2E48000

trusted library allocation

page read and write

442000

unkown

page readonly

2B41000

trusted library allocation

page read and write

67E6000

trusted library allocation

page read and write

6800000

trusted library allocation

page execute and read and write

935000

heap

page read and write

CE2000

heap

page read and write

FA0000

trusted library allocation

page read and write

5880000

heap

page read and write

62D0000

heap

page read and write

EC0000

heap

page read and write

50B0000

heap

page execute and read and write

51F0000

trusted library section

page read and write

4B7C000

stack

page read and write

1103000

trusted library allocation

page execute and read and write

FB0000

heap

page read and write

7020000

trusted library allocation

page read and write

511E000

stack

page read and write

C20000

heap

page read and write

E47000

trusted library allocation

page execute and read and write

1110000

trusted library allocation

page read and write

5748000

trusted library allocation

page read and write

2DED000

trusted library allocation

page read and write

BAC000

heap

page read and write

4D35000

trusted library allocation

page read and write

5840000

heap

page read and write

51C0000

trusted library allocation

page read and write

ADE000

stack

page read and write

6952000

trusted library allocation

page read and write

B21000

heap

page read and write

E3A000

trusted library allocation

page execute and read and write

112A000

trusted library allocation

page execute and read and write

7510000

heap

page read and write

4CC0000

heap

page read and write

110D000

trusted library allocation

page execute and read and write

7F2E0000

trusted library allocation

page execute and read and write

28C2000

trusted library allocation

page read and write

1150000

heap

page read and write

4FF2000

trusted library allocation

page read and write

1031F000

trusted library allocation

page read and write

286F000

stack

page read and write

E32000

trusted library allocation

page read and write

E23000

trusted library allocation

page read and write

E60000

trusted library allocation

page read and write

6D3E000

heap

page read and write

1137000

trusted library allocation

page execute and read and write

6D30000

heap

page read and write

E4B000

trusted library allocation

page execute and read and write

1122000

trusted library allocation

page read and write

F80000

heap

page read and write

72FE000

stack

page read and write

2BCF000

trusted library allocation

page read and write

515E000

stack

page read and write

9EBE000

stack

page read and write

AE0000

heap

page read and write

E2D000

trusted library allocation

page execute and read and write

1033D000

trusted library allocation

page read and write

8AA000

stack

page read and write

7527000

heap

page read and write

67F0000

trusted library allocation

page execute and read and write

50A0000

heap

page read and write

2B8D000

trusted library allocation

page read and write

E42000

trusted library allocation

page read and write

EFC000

unkown

page read and write

501C000

stack

page read and write

6B40000

trusted library allocation

page read and write

4CC3000

heap

page read and write

4CF1000

trusted library allocation

page read and write

2EC3000

trusted library allocation

page read and write

5D10000

heap

page read and write

4FE6000

trusted library allocation

page read and write

10383000

trusted library allocation

page read and write

51D0000

heap

page read and write

B23000

heap

page read and write

51D5000

heap

page read and write

72BD000

stack

page read and write

51B0000

heap

page read and write

EAE000

stack

page read and write

440000

unkown

page readonly

1032E000

trusted library allocation

page read and write

5BA000

stack

page read and write

F3C000

unkown

page read and write

10360000

trusted library allocation

page read and write

6F30000

trusted library allocation

page read and write

4FC0000

trusted library allocation

page read and write

CB0000

heap

page read and write

EC7000

heap

page read and write

7270000

trusted library allocation

page execute and read and write

4CDB000

trusted library allocation

page read and write

4ED0000

heap

page read and write

EB0000

heap

page read and write

4FD2000

trusted library allocation

page read and write

29F0000

trusted library allocation

page execute and read and write

1135000

trusted library allocation

page execute and read and write

6B50000

heap

page read and write

CD9000

heap

page read and write

4D30000

trusted library allocation

page read and write

CDF000

stack

page read and write

496C000

stack

page read and write

4CD0000

trusted library allocation

page read and write

4EE0000

heap

page execute and read and write

5110000

heap

page read and write

5000000

trusted library allocation

page read and write

E13000

trusted library allocation

page execute and read and write

AEA000

heap

page read and write

10F0000

trusted library allocation

page read and write

6F19000

heap

page read and write

5270000

trusted library allocation

page read and write

B88000

heap

page read and write

6F38000

trusted library allocation

page read and write

7F30000

heap

page read and write

51A4000

heap

page read and write

DDE000

stack

page read and write

51B0000

trusted library allocation

page read and write

9DBE000

stack

page read and write

E8F7000

trusted library allocation

page read and write

2A20000

heap

page execute and read and write

618E000

stack

page read and write

A10000

heap

page read and write

4EC0000

trusted library section

page readonly

10C20000

trusted library allocation

page read and write

6ED0000

trusted library allocation

page read and write

4D60000

trusted library allocation

page read and write

2AC1000

trusted library allocation

page read and write

2B3E000

stack

page read and write

1130000

trusted library allocation

page read and write

6F2E000

stack

page read and write

EBE000

stack

page read and write

6790000

trusted library allocation

page read and write

3BA8000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

10C0000

trusted library allocation

page read and write

4CF6000

trusted library allocation

page read and write

67E0000

trusted library allocation

page read and write

10380000

trusted library allocation

page read and write

62DE000

heap

page read and write

E8FE000

trusted library allocation

page read and write

6D8C000

stack

page read and write

10342000

trusted library allocation

page read and write

2B76000

trusted library allocation

page read and write

4FCE000

trusted library allocation

page read and write

E14000

trusted library allocation

page read and write

4D80000

heap

page read and write

54EC000

stack

page read and write

111D000

trusted library allocation

page execute and read and write

11AFE000

trusted library allocation

page read and write

39FC000

trusted library allocation

page read and write

2A30000

heap

page read and write

2BCC000

trusted library allocation

page read and write

10324000

trusted library allocation

page read and write

4E80000

trusted library allocation

page read and write

2958000

trusted library allocation

page read and write

294E000

stack

page read and write

2750000

trusted library allocation

page execute and read and write

51C8000

trusted library allocation

page read and write

586E000

heap

page read and write

5010000

trusted library allocation

page read and write

1157000

heap

page read and write

5D19000

heap

page read and write

6BB0000

heap

page read and write

10347000

trusted library allocation

page read and write

A90000

heap

page read and write

1104000

trusted library allocation

page read and write

6B70000

trusted library allocation

page execute and read and write

6EDE000

trusted library allocation

page read and write

668E000

stack

page read and write

10E0000

trusted library allocation

page read and write

6930000

trusted library allocation

page read and write

7F550000

trusted library allocation

page execute and read and write

608E000

stack

page read and write

4E70000

trusted library allocation

page read and write

E36000

trusted library allocation

page execute and read and write

10333000

trusted library allocation

page read and write

7B1C000

stack

page read and write

664E000

stack

page read and write

7F20000

heap

page read and write

770E000

stack

page read and write

67DE000

stack

page read and write

56EE000

stack

page read and write

6E8C000

stack

page read and write

6F17000

heap

page read and write

68E0000

trusted library allocation

page read and write

575D000

trusted library allocation

page read and write

600D000

stack

page read and write

654E000

stack

page read and write

4FDE000

trusted library allocation

page read and write

528000

unkown

page readonly

4D10000

trusted library allocation

page read and write

2678000

trusted library allocation

page read and write

4FCB000

trusted library allocation

page read and write

4CFD000

trusted library allocation

page read and write

3B41000

trusted library allocation

page read and write

71E0000

trusted library section

page read and write

9E5000

heap

page read and write

9FFF000

stack

page read and write

4E72000

trusted library allocation

page read and write

5F0C000

stack

page read and write

920000

heap

page read and write

6B60000

heap

page read and write

11AF9000

trusted library allocation

page read and write

4CB0000

trusted library allocation

page read and write

E8F9000

trusted library allocation

page read and write

3871000

trusted library allocation

page read and write

E1D000

trusted library allocation

page execute and read and write

4DC0000

trusted library allocation

page execute and read and write

F7B000

stack

page read and write

AEE000

heap

page read and write

701D000

stack

page read and write

9E0000

heap

page read and write

6797000

trusted library allocation

page read and write

10356000

trusted library allocation

page read and write

5200000

trusted library allocation

page execute and read and write

4C7E000

stack

page read and write

51A0000

heap

page read and write

274C000

stack

page read and write

51A0000

heap

page read and write

5740000

trusted library allocation

page read and write

84FE000

trusted library allocation

page read and write

4D02000

trusted library allocation

page read and write

2871000

trusted library allocation

page read and write

D55000

heap

page read and write

506C000

stack

page read and write

E10000

trusted library allocation

page read and write

5004000

trusted library allocation

page read and write

4E77000

trusted library allocation

page read and write

6352000

heap

page read and write

10329000

trusted library allocation

page read and write

4FE1000

trusted library allocation

page read and write

1036A000

trusted library allocation

page read and write

930000

heap

page read and write

6EE0000

trusted library allocation

page read and write

68F0000

trusted library allocation

page read and write

2A00000

trusted library allocation

page read and write

1034C000

trusted library allocation

page read and write

1120000

trusted library allocation

page read and write

2760000

heap

page execute and read and write

10365000

trusted library allocation

page read and write

689E000

stack

page read and write

6F10000

heap

page read and write

There are 288 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
hesaphareketi-.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporthesaphareketi-.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
hesaphareketi-.exe