Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

vm-uw.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.48742080673987
Filename:	vm-uw.exe
Filesize:	580475
MD5:	78c6129bfd81f88cfb7171caf2d386a1
SHA1:	f626224572dea0bc2983e3b3986bd1c1af5533ce
SHA256:	aa1ad7c508d497292d1e017b946cc381be204bd641543bcf584da286eb6f685f
SHA512:	38d0f61a25f015ad149765ced45ab81591ec02f9fe290c1560db9f53f9b7e6edc371eaebbcc54156006e63fe323b976bf560b9db69328f5ffe0fd9b734a9717b
SSDEEP:	12288:LQM9bROJmafSPZDz7qElw2KxPo0q7qzC9b/uEvtHKYTsviIR8Cufe9ZqQwExr//R:Ld9Mrf7iaNVxowGT/M
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........:.>T[.mT[.mT[.m...mY[.m...m.[.m...mN[.mT[.mV[.m.2.lW[.m.3.lF[.m.3.lL[.m.3.lz[.m.2.lU[.m]#\|mP[.m]#lmE[.mT[.m.[.m.2.l.[.m.2.mU[.

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Drops PE files with benign system names	Persistence and Installation Behavior	Masquerading
Potentially malicious time measurement code found	Anti Debugging
Contains functionality for execution timing, often used to detect debuggers	Malware Analysis System Evasion, Anti Debugging
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to read the PEB	Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Creates files inside the system directory	System Summary
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior
PE file contains executable resources (Code or Archives)	System Summary
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality for error logging	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to instantiate COM classes	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Drops files with a known system name (to hide its detection)
Executes batch files	System Summary	Scripting
PE file has an executable .text section and no other executable section	System Summary
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Windows\Fonts\systkm32\csrss.exe

PE32 executable (console) Intel 80386, for MS Windows

dropped

Details

File:	C:\Windows\Fonts\systkm32\csrss.exe
Category:	dropped
Dump:	csrss.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\vm-uw.exe
Type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy:	5.536012760236597
Encrypted:	false
Ssdeep:	384:tD7x2ARjcLagJm8lGJ3BY+SpzV5hdfjWNwG:5hRjyppV+8dYwG
Size:	18432
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops PE files with benign system names	Persistence and Installation Behavior	Masquerading
Drops executables to the windows directory (C:\Windows) and starts them	Persistence and Installation Behavior	Masquerading
Sigma detected: Execution from Suspicious Folder	System Summary
Sigma detected: Files With System Process Name In Unsuspected Locations	System Summary
Sigma detected: System File Execution Location Anomaly	System Summary
Contains functionality to delete services	System Summary	Windows Service Service Execution
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates files inside the system directory	System Summary	Masquerading
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Sigma detected: Suspicious Process Start Locations	System Summary
Contains functionality to create services	System Summary	Windows Service
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Windows\Fonts\systkm32\vv.bat

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Windows\Fonts\systkm32\vv.bat
Category:	dropped
Dump:	vv.bat.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\vm-uw.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.3887292706534735
Encrypted:	false
Ssdeep:	24:e8J5DnVZ6c3Y02M6bZAcalIAI72M6MRMJMAI72M6oB2M6oQGQEOI72M6oh1EAI0f:t5D+co0c1AP8cMRe8cMcYO8cI1EAZ0Tg
Size:	1152
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Execution from Suspicious Folder	System Summary
Sigma detected: System File Execution Location Anomaly	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates files inside the system directory	System Summary	Masquerading
Sigma detected: Suspicious Process Start Locations	System Summary
Executes batch files	System Summary	Scripting
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\HZ~F6EC.tmp.bat

ASCII text, with no line terminators

modified

Details

File:	C:\Users\user\AppData\Local\Temp\HZ~F6EC.tmp.bat
Category:	modified
Dump:	HZ~F6EC.tmp.bat.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\vm-uw.exe
Type:	ASCII text, with no line terminators
Entropy:	4.717649701325578
Encrypted:	false
Ssdeep:	3:CxK6OWR2N2+WTKCXBALW9VCSLVLx695ON2+WTKC8m:CxBR2N2RGo3CSLpA9IN2RG7m
Size:	132
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\Fonts\systkm32\1.ini

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Windows\Fonts\systkm32\1.ini
Category:	dropped
Dump:	1.ini.2.dr
ID:	dr_4
Target ID:	2
Process:	C:\Windows\SysWOW64\cmd.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.978458988199209
Encrypted:	false
Ssdeep:	3:aCdgLCgT/K/TvvKXO2EF+F4cn:mLC6/KbKXO2E8n
Size:	74
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the system directory	System Summary	Masquerading
Writes ini files	System Summary	File and Directory Discovery

C:\Windows\Fonts\systkm32\svchost.exe

PE32 executable (console) Intel 80386, for MS Windows

dropped

Details

File:	C:\Windows\Fonts\systkm32\svchost.exe
Category:	dropped
Dump:	svchost.exe.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\vm-uw.exe
Type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy:	5.259110186515502
Encrypted:	false
Ssdeep:	96:8ldfxd/yKaP64DMI1XT3kaiyMlH38ZldnXFADkYLyAFdfcdTbGu00C:mSP64DMI1DkHMZ36kYLxFdfcdnGu00C
Size:	8192
Whitelisted:	true
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops PE files with benign system names	Persistence and Installation Behavior	Masquerading
Drops executables to the windows directory (C:\Windows) and starts them	Persistence and Installation Behavior	Masquerading
Sigma detected: Execution from Suspicious Folder	System Summary
Sigma detected: Suspect Svchost Activity	System Summary
Sigma detected: System File Execution Location Anomaly	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates files inside the system directory	System Summary	Masquerading
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Sigma detected: Suspicious Process Start Locations	System Summary
Contains functionality to modify services (start/stop/modify)	System Summary	Windows Service Service Execution
Contains functionality to register a service control handler (likely the sample is a service DLL)	System Summary	Windows Service
Contains functionality to start windows services	Boot Survival	Service Execution
Drops files with a known system name (to hide its detection)
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.9.dr
ID:	dr_5
Target ID:	9
Process:	C:\Windows\Fonts\systkm32\csrss.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.448922834861267
Encrypted:	false
Ssdeep:	3:CmXhmnXjzDZAeKXO2E77Qyd45QnBX9jgDKVgjoH/XS1FmAsoWROn:CmRmnXjP+VXO2E77/64guVJ/XSeAsLRO
Size:	181
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\vm-uw.exe

"C:\Users\user\Desktop\vm-uw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Windows\Fonts\systkm32\vv.bat" "

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\HZ~F6EC.tmp.bat"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\Fonts\systkm32\csrss.exe

C:\Windows\Fonts\systkm32\csrss.exe WMPNetworkSxc C:\Windows\Fonts\systkm32\svchost.exe

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc /v Description /d "Shares Windows Media Player libraries to other networked players and media devices using Universal Plug and Play." /t reg_sz /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc /v DisplayName /d "Windows Media Player Network Sharing Service." /t reg_sz /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc\Parameters

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc\Parameters /v AppDirectory /d "C:\Windows\Fonts\systkm32" /t reg_sz /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc\Parameters /v Application /d ""C:\Program Files (x86)\VMware\VMware Workstation\vmware.exe" -x "C:\Windows\Logs\ubu\3333.vmx"" /t reg_sz /f

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\Fonts\systkm32\svchost.exe

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\mode.com

mode con: cols=16 lines=2

C:\Windows\SysWOW64\sc.exe

sc start WMPNetworkSxc

C:\Windows\SysWOW64\regini.exe

regini 1.ini

There are 11 hidden processes, click here to show them.

URLs

Name

Malicious

https://haozip.2345.cc/

unknown

IPs

Domain

Country

Malicious

127.0.0.1

unknown

Details

IP:	127.0.0.1
TargetID:	7
Current Path:	C:\Windows\SysWOW64\PING.EXE
Private:	true

Signature Hits	Behavior Group	Mitre Attack
Uses ping.exe to check the status of other devices and networks	Networking	System Network Configuration Discovery Remote System Discovery
Uses ping.exe to sleep	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WMPNetworkSxc

Description

Details

TargetID:	11
Path:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WMPNetworkSxc
Value name:	Description
Value data:	Shares Windows Media Player libraries to other networked players and media devices using Universal Plug and Play.

Signature Hits	Behavior Group	Mitre Attack
Creates or modifies windows services	Boot Survival	Windows Service
Modifies existing windows services	Boot Survival	Windows Service

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WMPNetworkSxc

DisplayName

Details

TargetID:	12
Path:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WMPNetworkSxc
Value name:	DisplayName
Value data:	Windows Media Player Network Sharing Service.

Signature Hits	Behavior Group	Mitre Attack
Creates or modifies windows services	Boot Survival	Windows Service
Modifies existing windows services	Boot Survival	Windows Service

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WMPNetworkSxc\Parameters

NULL

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WMPNetworkSxc\Parameters

AppDirectory

Memdumps

Base Address

Regiontype

Protect

Malicious

FF9000

heap

page read and write

800000

heap

page read and write

2B1F000

stack

page read and write

279E000

stack

page read and write

2AF0000

heap

page read and write

FDE000

heap

page read and write

E05000

heap

page read and write

24F000

unkown

page readonly

29F0000

heap

page read and write

EEE000

stack

page read and write

294E000

stack

page read and write

2A3C2E55000

heap

page read and write

101C000

heap

page read and write

26EC000

stack

page read and write

249000

unkown

page read and write

230000

unkown

page readonly

F90000

heap

page read and write

C20DFFE000

unkown

page readonly

DEC000

stack

page read and write

FDE000

heap

page read and write

C20E6FE000

stack

page read and write

4A0F000

stack

page read and write

2A20000

heap

page read and write

2B4E000

stack

page read and write

2B9F000

stack

page read and write

2A3C2E40000

heap

page read and write

32E0000

heap

page read and write

3890000

heap

page read and write

1DF000

stack

page read and write

4C50000

trusted library allocation

page read and write

3210000

heap

page read and write

101C000

heap

page read and write

2A00000

heap

page read and write

400000

unkown

page readonly

401000

unkown

page execute read

1000000

unkown

page readonly

24F000

unkown

page readonly

2D0000

heap

page read and write

11AE000

stack

page read and write

2BD0000

heap

page read and write

19E000

stack

page read and write

2B5E000

stack

page read and write

34BE000

stack

page read and write

9C000

stack

page read and write

2A32000

heap

page read and write

22D000

stack

page read and write

2FA7000

heap

page read and write

19D000

stack

page read and write

59E000

stack

page read and write

490E000

stack

page read and write

2A3C2E00000

heap

page read and write

1003000

heap

page read and write

290000

heap

page read and write

1E1000

unkown

page execute read

600000

heap

page read and write

2BD7000

heap

page read and write

120000

heap

page read and write

612000

heap

page read and write

401000

unkown

page execute read

2A80000

direct allocation

page read and write

9B0000

heap

page read and write

DAF000

stack

page read and write

26B0000

heap

page read and write

FCF000

heap

page read and write

2790000

heap

page read and write

4B4C000

stack

page read and write

11C5000

heap

page read and write

2A3C2E02000

heap

page read and write

29A0000

heap

page read and write

C20E2FE000

stack

page read and write

2680000

heap

page read and write

1000000

unkown

page readonly

80B000

heap

page read and write

2A40000

heap

page read and write

263D000

stack

page read and write

FF5000

heap

page read and write

33A0000

heap

page read and write

2897000

heap

page read and write

2A3C3000000

heap

page read and write

2A3C2DE0000

heap

page read and write

1059000

heap

page read and write

23CD000

stack

page read and write

2DE000

stack

page read and write

2670000

heap

page read and write

CFA000

stack

page read and write

1E0000

heap

page read and write

1E0000

unkown

page readonly

4C4D000

stack

page read and write

35F0000

heap

page read and write

11CB000

heap

page read and write

FEB000

heap

page read and write

308E000

stack

page read and write

344F000

stack

page read and write

26D0000

heap

page read and write

402000

heap

page read and write

400000

unkown

page readonly

2BC0000

heap

page read and write

409000

unkown

page readonly

27DD000

stack

page read and write

812000

heap

page read and write

CFF000

stack

page read and write

1003000

heap

page read and write

407000

unkown

page read and write

24C000

unkown

page read and write

2908000

heap

page read and write

29F0000

heap

page read and write

2FA4000

heap

page read and write

240000

heap

page read and write

FB8000

heap

page read and write

C20E4FC000

stack

page read and write

FDA000

heap

page read and write

B00000

direct allocation

page read and write

1007000

heap

page read and write

246000

unkown

page write copy

271E000

stack

page read and write

540000

heap

page read and write

FD7000

heap

page read and write

23BF000

stack

page read and write

1003000

heap

page read and write

1031000

heap

page read and write

FE6000

heap

page read and write

11C0000

heap

page read and write

DD0000

heap

page read and write

11B0000

heap

page read and write

348E000

stack

page read and write

C20E7FE000

unkown

page readonly

DD000

stack

page read and write

54D000

stack

page read and write

237F000

stack

page read and write

33FE000

stack

page read and write

2750000

heap

page read and write

35F8000

heap

page read and write

1E0000

unkown

page readonly

300D000

stack

page read and write

FB0000

heap

page read and write

34CF000

stack

page read and write

2F9D000

stack

page read and write

58D000

stack

page read and write

FDA000

heap

page read and write

901000

heap

page read and write

4B0F000

stack

page read and write

25FD000

stack

page read and write

2D50000

heap

page read and write

2A3C30E0000

heap

page read and write

FE6000

heap

page read and write

2A3C2F02000

heap

page read and write

1003000

heap

page read and write

2720000

heap

page read and write

F4E000

stack

page read and write

2648000

heap

page read and write

26AC000

stack

page read and write

246000

unkown

page read and write

2890000

heap

page read and write

FDE000

heap

page read and write

C20E1FE000

unkown

page readonly

327D000

stack

page read and write

353E000

stack

page read and write

237E000

stack

page read and write

C20E0FE000

stack

page read and write

2A3C3602000

trusted library allocation

page read and write

2640000

heap

page read and write

28CE000

stack

page read and write

27E0000

heap

page read and write

2A3C2E13000

heap

page read and write

1C0000

heap

page read and write

1003000

heap

page read and write

FF9000

heap

page read and write

C20E5FE000

unkown

page readonly

945000

stack

page read and write

2760000

heap

page read and write

AFF000

stack

page read and write

81C000

heap

page read and write

28E000

stack

page read and write

2798000

heap

page read and write

2A3C2E24000

heap

page read and write

9D000

stack

page read and write

150000

heap

page read and write

C20E3FE000

unkown

page readonly

2D60000

heap

page read and write

3200000

heap

page read and write

602000

heap

page read and write

2A24000

heap

page read and write

E00000

heap

page read and write

23BE000

stack

page read and write

29EE000

stack

page read and write

19D000

stack

page read and write

34FE000

stack

page read and write

1003000

heap

page read and write

1DD000

stack

page read and write

3230000

heap

page read and write

290E000

stack

page read and write

2B0E000

stack

page read and write

3238000

heap

page read and write

1ED000

stack

page read and write

1001000

unkown

page execute read

621000

heap

page read and write

D6E000

stack

page read and write

3400000

heap

page read and write

323D000

stack

page read and write

407000

unkown

page write copy

2A3C2E3E000

heap

page read and write

1001000

unkown

page execute read

298F000

stack

page read and write

420000

heap

page read and write

230000

unkown

page readonly

275F000

stack

page read and write

101C000

heap

page read and write

100000

heap

page read and write

29F0000

direct allocation

page read and write

2A3C3570000

trusted library allocation

page read and write

283D000

stack

page read and write

36B0000

heap

page read and write

2900000

heap

page read and write

53E000

stack

page read and write

304E000

stack

page read and write

34D0000

heap

page read and write

1004000

heap

page read and write

2790000

heap

page read and write

247000

unkown

page write copy

2F5D000

stack

page read and write

FEB000

heap

page read and write

701000

heap

page read and write

23F0000

heap

page read and write

FEB000

heap

page read and write

550000

direct allocation

page read and write

FE9000

heap

page read and write

23FF000

stack

page read and write

336E000

stack

page read and write

FF9000

heap

page read and write

9FD000

stack

page read and write

FDA000

heap

page read and write

F0E000

stack

page read and write

1E1000

unkown

page execute read

2B50000

heap

page read and write

FD4000

heap

page read and write

409000

unkown

page readonly

1F0000

heap

page read and write

2D67000

heap

page read and write

C20D95B000

stack

page read and write

27A0000

heap

page read and write

5F0000

heap

page read and write

2B90000

heap

page read and write

2CF000

stack

page read and write

C20DEFD000

stack

page read and write

There are 234 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
vm-uw.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportvm-uw.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
vm-uw.exe