Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

xFk6x2mrd7.exe

PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.166616929707346
Filename:	xFk6x2mrd7.exe
Filesize:	364032
MD5:	18fd0471029adc5a608cc7c442a97f3a
SHA1:	74854bda1aa3e60c3b6f58e8f77882ac7f958486
SHA256:	1e92e176dd94bb165b9ac9a391ed84ad473ae69a44139d2f9765dd56974cee0d
SHA512:	9cc462178cf8b63b27de90998c3a8cc722cec0bbde604e66482510c3888a78b1e869b4d3e7195c3361bb7fce43392c204c5b760948afd3bbddd6ee225bb61e00
SSDEEP:	6144:MM/FgKFH4ZtKyKtHFrO/ODMruf29AYlxJzZfPkcdeyO9U/PRdygA/g3/FGXIqNPo:MI/FutKyQli/3rtT5zPdeyO9U/PRdygE
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...%K}f.................D...F...........`... ....@.. ....................... ............@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection	Windows Management Instrumentation Security Software Discovery
Detected unpacking (changes PE section rights)	Data Obfuscation
Multi AV Scanner detection for submitted file	AV Detection	Process Injection
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Contains functionality to inject code into remote processes	HIPS / PFW / Operating System Protection Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file has nameless sections	System Summary
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains functionality to call native functions	System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	Process Injection
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
PE file contains sections with non-standard names	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Process Injection Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Binary may include packed or encrypted code	Data Obfuscation	Process Injection
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Contains functionality to modify the execution of threads in other processes
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Process Injection Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xFk6x2mrd7.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xFk6x2mrd7.exe.log
Category:	dropped
Dump:	xFk6x2mrd7.exe.log.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\xFk6x2mrd7.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.0050635535766075
Encrypted:	false
Ssdeep:	3:QHXMKa/xwwUy:Q3La/xwQ
Size:	42
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file has nameless sections	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Roaming\d3d9.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\d3d9.dll
Category:	dropped
Dump:	d3d9.dll.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\xFk6x2mrd7.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	5.884262476306309
Encrypted:	false
Ssdeep:	6144:tfbuDSGUgh8uvy6fyMIHBsxu5wmS3UE9OgiPProBNmu:tgUgtv+Bsxu5o3NIgiPEXx
Size:	429568
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Machine Learning detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log
Category:	dropped
Dump:	MSBuild.exe.log.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.33145931749415
Encrypted:	false
Ssdeep:	96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
Size:	3094
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\xFk6x2mrd7.exe

"C:\Users\user\Desktop\xFk6x2mrd7.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6576
Target ID:	0
Parent PID:	2580
Name:	xFk6x2mrd7.exe
Path:	C:\Users\user\Desktop\xFk6x2mrd7.exe
Commandline:	"C:\Users\user\Desktop\xFk6x2mrd7.exe"
Size:	364032
MD5:	18FD0471029ADC5A608CC7C442A97F3A
Time:	21:11:53
Date:	30/06/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xde0000
Modulesize:	401408
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file has nameless sections	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6812
Target ID:	2
Parent PID:	6576
Name:	MSBuild.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Size:	262432
MD5:	8FDF47E0FF70C40ED3A17014AEEA4232
Time:	21:11:53
Date:	30/06/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x90000
Modulesize:	262144
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6596
Target ID:	1
Parent PID:	6576
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	21:11:53
Date:	30/06/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

94.228.166.68:80

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/sct

unknown

https://duckduckgo.com/chrome_newtab

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk

unknown

https://duckduckgo.com/ac/?q=

unknown

http://tempuri.org/Entity/Id23ResponseD

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary

unknown

http://tempuri.org/Entity/Id12Response

unknown

http://tempuri.org/

unknown

http://tempuri.org/Entity/Id2Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1

unknown

http://tempuri.org/Entity/Id21Response

unknown

http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap

unknown

http://tempuri.org/Entity/Id9

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID

unknown

http://tempuri.org/Entity/Id8

unknown

http://tempuri.org/Entity/Id5

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare

unknown

http://tempuri.org/Entity/Id4

unknown

http://tempuri.org/Entity/Id7

unknown

http://tempuri.org/Entity/Id6

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret

unknown

http://tempuri.org/Entity/Id19Response

unknown

http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/fault

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey

unknown

http://tempuri.org/Entity/Id15Response

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register

unknown

http://tempuri.org/Entity/Id6Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey

unknown

https://api.ip.sb/ip

unknown

http://schemas.xmlsoap.org/ws/2004/04/sc

unknown

http://tempuri.org/Entity/Id1ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel

unknown

http://tempuri.org/Entity/Id9Response

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

http://tempuri.org/Entity/Id20

unknown

http://tempuri.org/Entity/Id21

unknown

http://tempuri.org/Entity/Id22

unknown

http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1

unknown

http://tempuri.org/Entity/Id23

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1

unknown

http://tempuri.org/Entity/Id24

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue

unknown

http://tempuri.org/Entity/Id24Response

unknown

https://www.ecosia.org/newtab/

unknown

http://tempuri.org/Entity/Id1Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust

unknown

http://tempuri.org/Entity/Id10

unknown

http://tempuri.org/Entity/Id11

unknown

http://tempuri.org/Entity/Id12

unknown

http://tempuri.org/Entity/Id16Response

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel

unknown

http://tempuri.org/Entity/Id13

unknown

http://tempuri.org/Entity/Id14

unknown

http://tempuri.org/Entity/Id15

unknown

http://tempuri.org/Entity/Id16

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce

unknown

http://tempuri.org/Entity/Id17

unknown

http://tempuri.org/Entity/Id18

unknown

http://tempuri.org/Entity/Id5Response

unknown

http://tempuri.org/Entity/Id19

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns

unknown

http://tempuri.org/Entity/Id10Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Renew

unknown

http://tempuri.org/Entity/Id8Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT

unknown

http://schemas.xmlsoap.org/ws/2006/02/addressingidentity

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust

unknown

https://duckduckgo.com/chrome_newtabS

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback

unknown

http://tempuri.org/Entity/Id3ResponseD

unknown

http://tempuri.org/Entity/Id23Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT

unknown

There are 90 hidden URLs, click here to show them.

Domains

Name

Malicious

api.ip.sb

unknown

IPs

Domain

Country

Malicious

94.228.166.68

unknown

Russian Federation

Details

IP:	94.228.166.68
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	48467
ASN name:	PRANET-ASRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASMANCS

FileDirectory

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Owner

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

SessionHash

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Sequence

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFiles0000

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFilesHash

There are 9 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

6CC1E000

unkown

page read and write

192000

remote allocation

page execute and read and write

2501000

trusted library allocation

page read and write

49A0000

trusted library allocation

page read and write

1D4000

remote allocation

page execute and read and write

28E9000

trusted library allocation

page read and write

5627000

heap

page read and write

2A25000

trusted library allocation

page read and write

4950000

trusted library allocation

page read and write

2A68000

trusted library allocation

page read and write

350F000

trusted library allocation

page read and write

5970000

trusted library allocation

page read and write

7AB0000

trusted library allocation

page execute and read and write

560000

heap

page read and write

1424000

trusted library allocation

page read and write

6C0000

heap

page read and write

31D7000

trusted library allocation

page read and write

8717000

heap

page read and write

4A50000

trusted library allocation

page read and write

4990000

heap

page read and write

7C4E000

stack

page read and write

8C4B000

stack

page read and write

8AFE000

stack

page read and write

4D4E000

stack

page read and write

31C1000

trusted library allocation

page read and write

1438000

heap

page read and write

1570000

trusted library allocation

page read and write

2B21000

trusted library allocation

page read and write

878B000

heap

page read and write

4C3E000

stack

page read and write

35F6000

trusted library allocation

page read and write

2935000

trusted library allocation

page read and write

890A000

trusted library allocation

page read and write

5BF0000

trusted library allocation

page execute and read and write

2A8B000

trusted library allocation

page read and write

49C3000

heap

page read and write

87B1000

heap

page read and write

62C000

heap

page read and write

640000

heap

page read and write

49C5000

trusted library allocation

page read and write

5B30000

trusted library allocation

page read and write

2B08000

trusted library allocation

page read and write

15C0000

trusted library allocation

page execute and read and write

4A58000

trusted library allocation

page read and write

860000

trusted library allocation

page read and write

28F5000

trusted library allocation

page read and write

26C9000

trusted library allocation

page read and write

4A55000

trusted library allocation

page read and write

827000

trusted library allocation

page execute and read and write

87F8000

heap

page read and write

6CC01000

unkown

page execute read

23D1000

trusted library allocation

page read and write

810000

trusted library allocation

page read and write

26D3000

trusted library allocation

page read and write

55B7000

heap

page read and write

4A30000

trusted library allocation

page read and write

88F9000

trusted library allocation

page read and write

582E000

stack

page read and write

81A000

trusted library allocation

page execute and read and write

6E0000

heap

page read and write

2A66000

trusted library allocation

page read and write

5C00000

trusted library allocation

page read and write

4D8E000

stack

page read and write

2A0F000

trusted library allocation

page read and write

261D000

trusted library allocation

page read and write

23B4000

trusted library allocation

page read and write

269D000

trusted library allocation

page read and write

A8AB000

heap

page read and write

8935000

trusted library allocation

page read and write

7A8E000

stack

page read and write

5C30000

trusted library allocation

page read and write

2696000

trusted library allocation

page read and write

15D0000

trusted library allocation

page read and write

615000

heap

page read and write

6052000

trusted library allocation

page read and write

28E1000

trusted library allocation

page read and write

4DB0000

heap

page read and write

26D6000

trusted library allocation

page read and write

6AE000

stack

page read and write

89A0000

heap

page read and write

88F0000

trusted library allocation

page read and write

8C50000

trusted library allocation

page execute and read and write

B66000

heap

page read and write

23B0000

trusted library allocation

page read and write

850000

trusted library allocation

page execute and read and write

4F75000

trusted library allocation

page read and write

5530000

heap

page read and write

23F0000

heap

page read and write

DE2000

unkown

page execute and read and write

1530000

trusted library allocation

page read and write

295A000

trusted library allocation

page read and write

23E2000

trusted library allocation

page read and write

612E000

stack

page read and write

871B000

heap

page read and write

AD0000

trusted library allocation

page read and write

87EA000

heap

page read and write

6CC00000

unkown

page readonly

8C00000

trusted library allocation

page read and write

13BE000

stack

page read and write

B6A000

heap

page read and write

7D50000

trusted library section

page read and write

FDB000

stack

page read and write

5BD0000

trusted library allocation

page execute and read and write

26D9000

trusted library allocation

page read and write

603B000

trusted library allocation

page read and write

86FC000

heap

page read and write

A48E000

stack

page read and write

4BA3000

trusted library allocation

page read and write

8E6D000

stack

page read and write

2A72000

trusted library allocation

page read and write

1320000

heap

page read and write

6140000

trusted library allocation

page read and write

7D4E000

stack

page read and write

29C0000

trusted library allocation

page read and write

59B0000

heap

page execute and read and write

87E6000

heap

page read and write

2947000

trusted library allocation

page read and write

4A9A000

trusted library allocation

page read and write

80D000

trusted library allocation

page execute and read and write

5B60000

trusted library allocation

page read and write

3521000

trusted library allocation

page read and write

872E000

heap

page read and write

29D5000

trusted library allocation

page read and write

578000

heap

page read and write

86F0000

heap

page read and write

875D000

heap

page read and write

627000

heap

page read and write

49B0000

trusted library allocation

page execute and read and write

5544000

heap

page read and write

137E000

stack

page read and write

8728000

heap

page read and write

8932000

trusted library allocation

page read and write

1471000

heap

page read and write

2A80000

trusted library allocation

page read and write

2617000

trusted library allocation

page read and write

159000

stack

page read and write

6041000

trusted library allocation

page read and write

ADAE000

stack

page read and write

596C000

stack

page read and write

23CE000

trusted library allocation

page read and write

2310000

trusted library allocation

page read and write

60D000

heap

page read and write

2AA2000

trusted library allocation

page read and write

5869000

stack

page read and write

8B60000

trusted library allocation

page execute and read and write

5B40000

trusted library allocation

page read and write

2A1A000

trusted library allocation

page read and write

8B40000

trusted library allocation

page read and write

364F000

trusted library allocation

page read and write

26FA000

trusted library allocation

page read and write

2318000

trusted library allocation

page read and write

2A33000

trusted library allocation

page read and write

145C000

heap

page read and write

52BE000

stack

page read and write

7AD0000

trusted library allocation

page read and write

5C10000

trusted library allocation

page read and write

5BC0000

trusted library allocation

page read and write

23BB000

trusted library allocation

page read and write

812000

trusted library allocation

page read and write

82B000

trusted library allocation

page execute and read and write

7A4C000

stack

page read and write

2A99000

trusted library allocation

page read and write

822000

trusted library allocation

page read and write

5F2E000

stack

page read and write

2A3B000

trusted library allocation

page read and write

59A0000

trusted library allocation

page execute and read and write

5980000

trusted library allocation

page read and write

35D1000

trusted library allocation

page read and write

5C60000

trusted library allocation

page execute and read and write

2B23000

trusted library allocation

page read and write

2A00000

trusted library allocation

page read and write

8709000

heap

page read and write

870000

trusted library allocation

page read and write

8924000

trusted library allocation

page read and write

8E70000

heap

page read and write

7C0D000

stack

page read and write

41C1000

trusted library allocation

page read and write

98E000

stack

page read and write

8B50000

trusted library allocation

page read and write

31AD000

stack

page read and write

1620000

heap

page read and write

4F7B000

trusted library allocation

page read and write

190000

remote allocation

page execute and read and write

86EC000

stack

page read and write

4EFD000

stack

page read and write

2731000

trusted library allocation

page read and write

891F000

trusted library allocation

page read and write

26C7000

trusted library allocation

page read and write

29AC000

trusted library allocation

page read and write

8930000

trusted library allocation

page read and write

2968000

trusted library allocation

page read and write

24FE000

stack

page read and write

1C0000

remote allocation

page execute and read and write

28DB000

trusted library allocation

page read and write

5A2E000

stack

page read and write

5DED000

stack

page read and write

8A90000

trusted library allocation

page read and write

368D000

trusted library allocation

page read and write

573E000

stack

page read and write

15F0000

trusted library allocation

page read and write

7F3000

trusted library allocation

page execute and read and write

88F5000

trusted library allocation

page read and write

26E1000

trusted library allocation

page read and write

5BB0000

trusted library allocation

page read and write

7E0000

trusted library allocation

page read and write

7B0E000

stack

page read and write

2A0C000

trusted library allocation

page read and write

2941000

trusted library allocation

page read and write

EDC000

stack

page read and write

880000

heap

page read and write

7F0000

trusted library allocation

page read and write

AF5000

trusted library allocation

page read and write

23D6000

trusted library allocation

page read and write

A8A1000

heap

page read and write

2595000

trusted library allocation

page read and write

6E5000

heap

page read and write

8920000

trusted library allocation

page read and write

35DD000

trusted library allocation

page read and write

2A75000

trusted library allocation

page read and write

15E0000

heap

page read and write

28D0000

trusted library allocation

page read and write

7BF0000

trusted library allocation

page read and write

E3C000

unkown

page readonly

29A9000

trusted library allocation

page read and write

6130000

trusted library allocation

page read and write

2A78000

trusted library allocation

page read and write

87A9000

heap

page read and write

2740000

trusted library allocation

page read and write

2621000

trusted library allocation

page read and write

8BFE000

stack

page read and write

294F000

trusted library allocation

page read and write

2AC3000

trusted library allocation

page read and write

5565000

heap

page read and write

816000

trusted library allocation

page execute and read and write

143E000

heap

page read and write

4EBF000

stack

page read and write

3501000

trusted library allocation

page read and write

7AD6000

trusted library allocation

page read and write

1C5000

remote allocation

page execute and read and write

29B4000

trusted library allocation

page read and write

2B92000

trusted library allocation

page read and write

5740000

heap

page execute and read and write

638000

heap

page read and write

AEAE000

stack

page read and write

8796000

heap

page read and write

825000

trusted library allocation

page execute and read and write

4A60000

trusted library allocation

page read and write

6046000

trusted library allocation

page read and write

2B27000

trusted library allocation

page read and write

49A2000

trusted library allocation

page read and write

998E000

stack

page read and write

4DA0000

trusted library allocation

page read and write

1532000

trusted library allocation

page read and write

1465000

heap

page read and write

1410000

trusted library allocation

page read and write

5A9000

heap

page read and write

B00000

heap

page execute and read and write

5EEF000

stack

page read and write

31B0000

heap

page execute and read and write

6CC17000

unkown

page readonly

4F7E000

trusted library allocation

page read and write

5990000

trusted library allocation

page execute and read and write

6149000

trusted library allocation

page read and write

840000

trusted library allocation

page read and write

29A6000

trusted library allocation

page read and write

A8E000

stack

page read and write

25DE000

trusted library allocation

page read and write

5B2E000

stack

page read and write

570000

heap

page read and write

31D3000

trusted library allocation

page read and write

8775000

heap

page read and write

7FD000

trusted library allocation

page execute and read and write

388F000

trusted library allocation

page read and write

1330000

heap

page read and write

8908000

trusted library allocation

page read and write

1534000

trusted library allocation

page read and write

7F4000

trusted library allocation

page read and write

55E000

stack

page read and write

A890000

heap

page read and write

1550000

trusted library allocation

page read and write

35D8000

trusted library allocation

page read and write

1430000

heap

page read and write

2902000

trusted library allocation

page read and write

8E91000

trusted library allocation

page read and write

8990000

heap

page read and write

8736000

heap

page read and write

4C43000

heap

page execute and read and write

4A2D000

stack

page read and write

299B000

trusted library allocation

page read and write

25C9000

trusted library allocation

page read and write

FEEE0000

trusted library allocation

page execute and read and write

873B000

heap

page read and write

4B7B000

trusted library allocation

page read and write

8B70000

trusted library allocation

page execute and read and write

49C0000

heap

page read and write

25D0000

trusted library allocation

page read and write

B4B000

stack

page read and write

29CD000

trusted library allocation

page read and write

DE0000

unkown

page execute and read and write

8EC0000

heap

page read and write

58F000

heap

page read and write

2A02000

trusted library allocation

page read and write

887000

heap

page read and write

361E000

trusted library allocation

page read and write

891A000

trusted library allocation

page read and write

23DD000

trusted library allocation

page read and write

14EE000

heap

page read and write

1335000

heap

page read and write

602E000

stack

page read and write

15BE000

stack

page read and write

389C000

trusted library allocation

page read and write

890F000

trusted library allocation

page read and write

31CB000

trusted library allocation

page read and write

4A5A000

trusted library allocation

page read and write

880F000

heap

page read and write

25E2000

trusted library allocation

page read and write

605E000

trusted library allocation

page read and write

630000

heap

page read and write

2944000

trusted library allocation

page read and write

8F00000

heap

page read and write

AEE000

trusted library allocation

page read and write

8BBE000

stack

page read and write

800000

trusted library allocation

page read and write

290A000

trusted library allocation

page read and write

296F000

trusted library allocation

page read and write

8915000

trusted library allocation

page read and write

1423000

trusted library allocation

page execute and read and write

AF0000

trusted library allocation

page read and write

85EC000

stack

page read and write

5C20000

trusted library allocation

page execute and read and write

563E000

stack

page read and write

8B3F000

stack

page read and write

87BB000

heap

page read and write

1240000

heap

page read and write

7AD3000

trusted library allocation

page read and write

2784000

trusted library allocation

page read and write

4A86000

trusted library allocation

page read and write

35E4000

trusted library allocation

page read and write

4F72000

trusted library allocation

page read and write

45FC000

stack

page read and write

8745000

heap

page read and write

DE0000

unkown

page readonly

877B000

heap

page read and write

2702000

trusted library allocation

page read and write

820000

trusted library allocation

page read and write

5BE0000

trusted library allocation

page execute and read and write

1600000

heap

page read and write

26EC000

trusted library allocation

page read and write

2782000

trusted library allocation

page read and write

14DE000

heap

page read and write

B60000

heap

page read and write

B50000

trusted library allocation

page read and write

27E8000

trusted library allocation

page read and write

38A1000

trusted library allocation

page read and write

182E000

stack

page read and write

5B50000

trusted library allocation

page read and write

2AFC000

trusted library allocation

page read and write

DE2000

unkown

page readonly

30CF000

stack

page read and write

66A000

heap

page read and write

378D000

trusted library allocation

page read and write

28DF000

trusted library allocation

page read and write

55CC000

heap

page read and write

2B59000

trusted library allocation

page read and write

14A1000

heap

page read and write

1557000

trusted library allocation

page execute and read and write

7AC0000

trusted library allocation

page read and write

4F51000

trusted library allocation

page read and write

4F7000

stack

page read and write

13D0000

heap

page read and write

6030000

trusted library allocation

page read and write

88F2000

trusted library allocation

page read and write

510000

heap

page read and write

147D000

heap

page read and write

6CC6A000

unkown

page readonly

14E2000

heap

page read and write

885D000

heap

page read and write

2A12000

trusted library allocation

page read and write

1475000

heap

page read and write

87CD000

heap

page read and write

ACE000

stack

page read and write

5594000

heap

page read and write

4C40000

heap

page execute and read and write

84EE000

stack

page read and write

87FE000

heap

page read and write

2B16000

trusted library allocation

page read and write

155B000

trusted library allocation

page execute and read and write

572E000

stack

page read and write

172F000

stack

page read and write

AE0000

trusted library allocation

page read and write

2764000

trusted library allocation

page read and write

4F60000

heap

page read and write

4F70000

trusted library allocation

page read and write

There are 383 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
xFk6x2mrd7.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportxFk6x2mrd7.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
xFk6x2mrd7.exe