Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

MT Marine Tiger.exe

PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy:	4.827227650151569
Filename:	MT Marine Tiger.exe
Filesize:	1960608
MD5:	2dcf1e9b4ca5afa19d7473f108aea256
SHA1:	d2f554d2699fcddf1c2d65cc05739916aa0dae62
SHA256:	a1aa961c8b1eb8e3627dceee8081d62544d84987b623b84addd7b92a35089c7d
SHA512:	be82afc240c397e66742a019af1fe6464100eda77bb5b4bfb6e92856ae51b866554e51b500786902d79737ed1a4e2e02b845b034ec9d2abfd3ff6d9526587cde
SSDEEP:	12288:7EC0huBtyjOQyaZyk3x2PulNQ5EcxhyBIpNOlV3d:AC4u/2x72PV5LxhclV3d
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...0.b4............... ....@...... ....................................`................................

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary	Security Software Discovery
Multi AV Scanner detection for submitted file	AV Detection	Process Injection
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Process Injection Timestomp Security Software Discovery
Checks if the current process is being debugged	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Security Software Discovery
Detected potential crypto function	System Summary	Security Software Discovery Archive Collected Data
One or more processes crash	System Summary
PE file does not import any functions	System Summary	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Security Software Discovery System Information Discovery
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary	Process Injection
.NET source code contains calls to encryption/decryption functions	System Summary	Process Injection Disable or Modify Tools Deobfuscate/Decode Files or Information
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Process Injection Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	Process Injection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary
Uses Microsoft Silverlight	System Summary	Process Injection

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MT Marine Tiger._b1fc61aa0f0ff659922dc1f816562af76c8bcc3_d4dd14a2_f9207a17-8494-4b79-9815-4bb98abb0750\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MT Marine Tiger._b1fc61aa0f0ff659922dc1f816562af76c8bcc3_d4dd14a2_f9207a17-8494-4b79-9815-4bb98abb0750\Report.wer
Category:	dropped
Dump:	Report.wer.7.dr
ID:	dr_5
Target ID:	7
Process:	C:\Windows\System32\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.9967661337684316
Encrypted:	false
Ssdeep:	96:UGFtO36WxsF/SboNy/qXQXIDcQqc6jcEOcw3WP+BHUHZ0ownOgFkEwH3d2FYAKch:bHOlxeO0UnUdaWx9fOzuiFAZ24lO8l
Size:	65536
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DB1.tmp.dmp

Mini DuMP crash report, 16 streams, Sun Jun 30 15:19:54 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DB1.tmp.dmp
Category:	dropped
Dump:	WER8DB1.tmp.dmp.7.dr
ID:	dr_2
Target ID:	7
Process:	C:\Windows\System32\WerFault.exe
Type:	Mini DuMP crash report, 16 streams, Sun Jun 30 15:19:54 2024, 0x1205a4 type
Entropy:	3.2896623789888664
Encrypted:	false
Ssdeep:	3072:mJQ+jkwS/Kbh1CCqM3+vRoPaNR9y4lmOlkBJyvWcSEqo+G2ZmkOPerFY:mJQ+IaqM3Q5R9y5OluJy2EV+G2Zmkg
Size:	385511
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EEB.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EEB.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER8EEB.tmp.WERInternalMetadata.xml.7.dr
ID:	dr_3
Target ID:	7
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.7103134634870583
Encrypted:	false
Ssdeep:	192:R6l7wVeJ3SUCGe6Y2DIgygmflrL0prZ89bmFzLkfiim:R6lXJCB6YlgygmfxL3mxLkfu
Size:	8822
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8F3A.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER8F3A.tmp.xml
Category:	dropped
Dump:	WER8F3A.tmp.xml.7.dr
ID:	dr_4
Target ID:	7
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.503022925890394
Encrypted:	false
Ssdeep:	48:cvIwWl8zs0Jg771I9wTWpW8VYBYm8M4J1DFBXyq852BzJd6Zled:uIjfyI73i7VVJRX5z/6Zwd
Size:	4792
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\regasm.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\regasm.exe.log
Category:	dropped
Dump:	regasm.exe.log.3.dr
ID:	dr_0
Target ID:	3
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.353332853270839
Encrypted:	false
Ssdeep:	24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
Size:	1039
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.7.dr
ID:	dr_1
Target ID:	7
Process:	C:\Windows\System32\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.469012097065088
Encrypted:	false
Ssdeep:	6144:BzZfpi6ceLPx9skLmb0f7ZWSP3aJG8nAgeiJRMMhA2zX4WABluuNYjDH5SC:ZZHt7ZWOKnMM6bFpej4
Size:	1835008
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\MT Marine Tiger.exe

"C:\Users\user\Desktop\MT Marine Tiger.exe"

Details

Is windows:	false
Is dropped:	false
PID:	1968
Target ID:	0
Parent PID:	4004
Name:	MT Marine Tiger.exe
Path:	C:\Users\user\Desktop\MT Marine Tiger.exe
Commandline:	"C:\Users\user\Desktop\MT Marine Tiger.exe"
Size:	1960608
MD5:	2DCF1E9B4CA5AFA19D7473F108AEA256
Time:	11:19:52
Date:	30/06/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x20d0dde0000
Modulesize:	32768
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6428
Target ID:	3
Parent PID:	1968
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	11:19:53
Date:	30/06/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xe50000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	4328
Target ID:	4
Parent PID:	1968
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	11:19:54
Date:	30/06/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

Details

Is windows:	true
Is dropped:	false
PID:	5716
Target ID:	2
Parent PID:	1968
Name:	InstallUtil.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Size:	42064
MD5:	5D4073B2EB6D217C19F2B22F21BF8D57
Time:	11:19:53
Date:	30/06/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1968 -s 1044

Details

Is windows:	true
Is dropped:	false
PID:	5900
Target ID:	7
Parent PID:	1968
Name:	WerFault.exe
Path:	C:\Windows\System32\WerFault.exe
Commandline:	C:\Windows\system32\WerFault.exe -u -p 1968 -s 1044
Size:	570736
MD5:	FD27D9F6D02763BDE32511B5DF7FF7A0
Time:	11:19:54
Date:	30/06/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff758140000
Modulesize:	581632
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6468
Target ID:	12
Parent PID:	6428
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	11:21:14
Date:	30/06/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1c0000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6424
Target ID:	13
Parent PID:	6468
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	11:21:14
Date:	30/06/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff66e660000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

Details

Is windows:	true
Is dropped:	false
PID:	5960
Target ID:	14
Parent PID:	6468
Name:	choice.exe
Path:	C:\Windows\SysWOW64\choice.exe
Commandline:	choice /C Y /N /D Y /T 3
Size:	28160
MD5:	FCE0E41C87DC4ABBE976998AD26C27E4
Time:	11:21:14
Date:	30/06/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x160000
Modulesize:	40960
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://reallyfreegeoip.org

unknown

http://upx.sf.net

unknown

http://checkip.dyndns.org

unknown

http://checkip.dyndns.org/

193.122.6.168

http://checkip.dyndns.com

unknown

https://reallyfreegeoip.org/xml/8.46.123.33

188.114.97.3

https://reallyfreegeoip.org/xml/8.46.123.33$

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://checkip.dyndns.org/q

unknown

http://reallyfreegeoip.org

unknown

https://reallyfreegeoip.org/xml/

unknown

There are 1 hidden URLs, click here to show them.

Domains

Name

Malicious

reallyfreegeoip.org

188.114.97.3

Details

Name:	reallyfreegeoip.org
IP:	188.114.97.3
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Tries to detect the country of the analysis system (by using the IP)	Location Tracking
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.com

193.122.6.168

IPs

Domain

Country

Malicious

188.114.97.3

reallyfreegeoip.org

European Union

Details

IP:	188.114.97.3
TargetID:	3
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

193.122.6.168

checkip.dyndns.com

United States

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASMANCS

FileDirectory

\REGISTRY\A\{402dac20-87bc-72d5-0f64-5abc90269c4e}\Root\InventoryApplicationFile\mt marine tiger.|c67994ed4091bb00

ProgramId

\REGISTRY\A\{402dac20-87bc-72d5-0f64-5abc90269c4e}\Root\InventoryApplicationFile\mt marine tiger.|c67994ed4091bb00

FileId

\REGISTRY\A\{402dac20-87bc-72d5-0f64-5abc90269c4e}\Root\InventoryApplicationFile\mt marine tiger.|c67994ed4091bb00

LowerCaseLongPath

\REGISTRY\A\{402dac20-87bc-72d5-0f64-5abc90269c4e}\Root\InventoryApplicationFile\mt marine tiger.|c67994ed4091bb00

LongPathHash

\REGISTRY\A\{402dac20-87bc-72d5-0f64-5abc90269c4e}\Root\InventoryApplicationFile\mt marine tiger.|c67994ed4091bb00

Name

\REGISTRY\A\{402dac20-87bc-72d5-0f64-5abc90269c4e}\Root\InventoryApplicationFile\mt marine tiger.|c67994ed4091bb00

OriginalFileName

\REGISTRY\A\{402dac20-87bc-72d5-0f64-5abc90269c4e}\Root\InventoryApplicationFile\mt marine tiger.|c67994ed4091bb00

Publisher

\REGISTRY\A\{402dac20-87bc-72d5-0f64-5abc90269c4e}\Root\InventoryApplicationFile\mt marine tiger.|c67994ed4091bb00

Version

\REGISTRY\A\{402dac20-87bc-72d5-0f64-5abc90269c4e}\Root\InventoryApplicationFile\mt marine tiger.|c67994ed4091bb00

BinFileVersion

\REGISTRY\A\{402dac20-87bc-72d5-0f64-5abc90269c4e}\Root\InventoryApplicationFile\mt marine tiger.|c67994ed4091bb00

BinaryType

\REGISTRY\A\{402dac20-87bc-72d5-0f64-5abc90269c4e}\Root\InventoryApplicationFile\mt marine tiger.|c67994ed4091bb00

ProductName

\REGISTRY\A\{402dac20-87bc-72d5-0f64-5abc90269c4e}\Root\InventoryApplicationFile\mt marine tiger.|c67994ed4091bb00

ProductVersion

\REGISTRY\A\{402dac20-87bc-72d5-0f64-5abc90269c4e}\Root\InventoryApplicationFile\mt marine tiger.|c67994ed4091bb00

LinkDate

\REGISTRY\A\{402dac20-87bc-72d5-0f64-5abc90269c4e}\Root\InventoryApplicationFile\mt marine tiger.|c67994ed4091bb00

BinProductVersion

\REGISTRY\A\{402dac20-87bc-72d5-0f64-5abc90269c4e}\Root\InventoryApplicationFile\mt marine tiger.|c67994ed4091bb00

AppxPackageFullName

\REGISTRY\A\{402dac20-87bc-72d5-0f64-5abc90269c4e}\Root\InventoryApplicationFile\mt marine tiger.|c67994ed4091bb00

AppxPackageRelativeId

\REGISTRY\A\{402dac20-87bc-72d5-0f64-5abc90269c4e}\Root\InventoryApplicationFile\mt marine tiger.|c67994ed4091bb00

Size

\REGISTRY\A\{402dac20-87bc-72d5-0f64-5abc90269c4e}\Root\InventoryApplicationFile\mt marine tiger.|c67994ed4091bb00

Language

\REGISTRY\A\{402dac20-87bc-72d5-0f64-5abc90269c4e}\Root\InventoryApplicationFile\mt marine tiger.|c67994ed4091bb00

Usn

There are 23 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

402000

remote allocation

page execute and read and write

30A1000

trusted library allocation

page read and write

20D0FBB7000

trusted library allocation

page read and write

20D1FD68000

trusted library allocation

page read and write

20D0FEBB000

trusted library allocation

page read and write

660F000

stack

page read and write

7FFD34876000

trusted library allocation

page execute and read and write

2B90000

heap

page read and write

15F2000

trusted library allocation

page read and write

6FED000

stack

page read and write

7FFD3479D000

trusted library allocation

page execute and read and write

20D0FB9C000

trusted library allocation

page read and write

326A000

trusted library allocation

page read and write

20D0E113000

trusted library allocation

page read and write

FF7000

stack

page read and write

13F0000

trusted library allocation

page read and write

3263000

trusted library allocation

page read and write

7FFD34790000

trusted library allocation

page read and write

15E6000

trusted library allocation

page execute and read and write

7FFD34840000

trusted library allocation

page read and write

1400000

heap

page read and write

712E000

stack

page read and write

3080000

trusted library allocation

page read and write

20D27BB0000

trusted library allocation

page read and write

7FFD34794000

trusted library allocation

page read and write

2BA0000

heap

page read and write

20D28310000

heap

page read and write

4E8ECFF000

stack

page read and write

1390000

heap

page read and write

24A0000

heap

page read and write

20D0DE70000

heap

page read and write

5660000

trusted library allocation

page read and write

31A5000

trusted library allocation

page read and write

277E000

stack

page read and write

27E0000

heap

page read and write

20D1FB81000

trusted library allocation

page read and write

3247000

trusted library allocation

page read and write

21C0000

heap

page read and write

2804000

heap

page read and write

664E000

stack

page read and write

698E000

stack

page read and write

13C0000

heap

page read and write

7FFD34944000

trusted library allocation

page read and write

4E8F2FE000

stack

page read and write

5649000

trusted library allocation

page read and write

2EB0000

heap

page read and write

20D0E1D0000

heap

page execute and read and write

20D0E080000

heap

page read and write

2ADF000

stack

page read and write

50DC000

stack

page read and write

15E0000

trusted library allocation

page read and write

1405000

heap

page read and write

3148000

trusted library allocation

page read and write

40C9000

trusted library allocation

page read and write

2E00000

heap

page read and write

57D0000

heap

page read and write

1600000

heap

page read and write

1692000

heap

page read and write

20D0DEB0000

heap

page read and write

6B4E000

stack

page read and write

1397000

heap

page read and write

20D0DDE0000

unkown

page readonly

1370000

heap

page read and write

20D0DEF2000

heap

page read and write

4E8EDFF000

stack

page read and write

7FFD347B4000

trusted library allocation

page read and write

317E000

trusted library allocation

page read and write

64CE000

stack

page read and write

10C000

stack

page read and write

6C0E000

stack

page read and write

7FFD34970000

trusted library allocation

page read and write

5B7D000

stack

page read and write

15EA000

trusted library allocation

page execute and read and write

56EE000

stack

page read and write

16F2000

heap

page read and write

650D000

stack

page read and write

1260000

heap

page read and write

7FFD347AD000

trusted library allocation

page execute and read and write

400000

remote allocation

page execute and read and write

5646000

trusted library allocation

page read and write

31E6000

trusted library allocation

page read and write

21D0000

heap

page read and write

4E8F3FD000

stack

page read and write

20D0FB81000

trusted library allocation

page read and write

5C7F000

stack

page read and write

31A1000

trusted library allocation

page read and write

31E2000

trusted library allocation

page read and write

7FFD34846000

trusted library allocation

page read and write

3190000

trusted library allocation

page read and write

20D0E0E0000

trusted library allocation

page read and write

13D0000

trusted library allocation

page read and write

EFB000

stack

page read and write

2610000

heap

page read and write

5641000

trusted library allocation

page read and write

20D0DF23000

heap

page read and write

319D000

trusted library allocation

page read and write

2803000

heap

page read and write

20D0DE80000

heap

page read and write

160B000

heap

page read and write

2E6E000

stack

page read and write

6EEC000

stack

page read and write

20D0FB70000

heap

page read and write

2EAE000

stack

page read and write

2D4E000

unkown

page read and write

7FFD34792000

trusted library allocation

page read and write

29DF000

unkown

page read and write

69CE000

stack

page read and write

22AD000

stack

page read and write

7FFD34949000

trusted library allocation

page read and write

59F0000

heap

page execute and read and write

15FB000

trusted library allocation

page execute and read and write

702D000

stack

page read and write

3160000

trusted library allocation

page read and write

5624000

trusted library allocation

page read and write

20D0DDE2000

unkown

page readonly

6EAF000

stack

page read and write

4E8EFFB000

stack

page read and write

20D28359000

heap

page read and write

4E8EEFE000

stack

page read and write

2FBE000

stack

page read and write

15F0000

trusted library allocation

page read and write

20D0E250000

heap

page read and write

27EC000

heap

page read and write

20D0E165000

heap

page read and write

3211000

trusted library allocation

page read and write

4E8F0FE000

stack

page read and write

7FFD34980000

trusted library allocation

page execute and read and write

13ED000

trusted library allocation

page execute and read and write

20D0DF1A000

heap

page read and write

15A0000

trusted library allocation

page read and write

2780000

heap

page read and write

26F0000

heap

page read and write

3256000

trusted library allocation

page read and write

31EA000

trusted library allocation

page read and write

674E000

stack

page read and write

5680000

trusted library allocation

page read and write

14C000

stack

page read and write

24EE000

stack

page read and write

688E000

stack

page read and write

3070000

trusted library allocation

page read and write

7FF4F2D70000

trusted library allocation

page execute and read and write

6D0F000

stack

page read and write

31EE000

trusted library allocation

page read and write

20D0DEBC000

heap

page read and write

2558000

heap

page read and write

7FFD34960000

trusted library allocation

page read and write

3162000

trusted library allocation

page read and write

7FFD348B0000

trusted library allocation

page execute and read and write

3086000

trusted library allocation

page read and write

7FFD347A2000

trusted library allocation

page read and write

67A6000

heap

page read and write

4E8EAF3000

stack

page read and write

20D0DF1C000

heap

page read and write

243E000

stack

page read and write

13E0000

trusted library allocation

page read and write

317B000

trusted library allocation

page read and write

20D0E255000

heap

page read and write

20D28240000

trusted library section

page read and write

7FFD34930000

trusted library allocation

page read and write

247F000

stack

page read and write

1645000

heap

page read and write

5655000

trusted library allocation

page read and write

273E000

unkown

page read and write

31DE000

trusted library allocation

page read and write

7FFD34940000

trusted library allocation

page read and write

40A7000

trusted library allocation

page read and write

3090000

heap

page execute and read and write

3060000

trusted library allocation

page execute and read and write

20D1FB87000

trusted library allocation

page read and write

13E4000

trusted library allocation

page read and write

23AC000

stack

page read and write

7FFD34850000

trusted library allocation

page execute and read and write

15F7000

trusted library allocation

page execute and read and write

20D1FF3C000

trusted library allocation

page read and write

3199000

trusted library allocation

page read and write

63CE000

stack

page read and write

7FFD3497D000

trusted library allocation

page read and write

7FFD347BB000

trusted library allocation

page execute and read and write

3150000

trusted library allocation

page read and write

40A1000

trusted library allocation

page read and write

7FFD34990000

trusted library allocation

page read and write

6750000

heap

page read and write

20D0E0A0000

heap

page read and write

5720000

heap

page read and write

7FFD3484C000

trusted library allocation

page execute and read and write

20D0E100000

trusted library allocation

page read and write

2550000

heap

page read and write

7FFD347B0000

trusted library allocation

page read and write

6A0E000

stack

page read and write

20D0DEEF000

heap

page read and write

7FFD34793000

trusted library allocation

page execute and read and write

7FFD347EC000

trusted library allocation

page execute and read and write

6BCF000

stack

page read and write

5634000

trusted library allocation

page read and write

252F000

stack

page read and write

5CBD000

stack

page read and write

20D0E110000

trusted library allocation

page read and write

7FFD34950000

trusted library allocation

page read and write

20D0DEDA000

heap

page read and write

4E8F1FE000

stack

page read and write

13E3000

trusted library allocation

page execute and read and write

7FFD347BD000

trusted library allocation

page execute and read and write

20D0E160000

heap

page read and write

15E2000

trusted library allocation

page read and write

562E000

trusted library allocation

page read and write

314D000

trusted library allocation

page read and write

638E000

stack

page read and write

4E8EBFF000

stack

page read and write

1639000

heap

page read and write

31F6000

trusted library allocation

page read and write

1340000

heap

page read and write

67A8000

heap

page read and write

7FFD347A0000

trusted library allocation

page read and write

3243000

trusted library allocation

page read and write

20D28300000

heap

page execute and read and write

2E20000

trusted library allocation

page read and write

2740000

heap

page read and write

52DE000

stack

page read and write

6B8E000

stack

page read and write

3203000

trusted library allocation

page read and write

59CE000

stack

page read and write

31F2000

trusted library allocation

page read and write

51DC000

stack

page read and write

20D0DF8B000

heap

page read and write

6A4E000

stack

page read and write

There are 215 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
MT Marine Tiger.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportMT Marine Tiger.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
MT Marine Tiger.exe