Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

zkB0qfWSJk.exe

PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy:	5.592579048212426
Filename:	zkB0qfWSJk.exe
Filesize:	1318932
MD5:	7e3694a4d525aecb407e7dfee160afee
SHA1:	9e515221e99af422d0e7c76b3b90e9a259f67562
SHA256:	2facfa5bb80933431ce452627dd71c6c9b5711799dea72732e1617622ec45c54
SHA512:	1eb559e7d6cdb090fd16bb36aee866b156341ca95955313a73e1187cf7fbfbd7f5aea2d0c2a6b67394e94218899b79d977dddcdf1dcf587c45b6cf9a1388a7eb
SSDEEP:	12288:o+WbFkpXD7n1FDoPNUCobwMtFTUhqxDd1XKm:o+4i3nnDAUCobwQ3h1R
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....Y............"...0.D:............... ....@...... ....................................`................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Encrypted Channel
One or more processes crash	System Summary
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary
Uses Microsoft Silverlight	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_zkB0qfWSJk.exe_4e21ab8a6c52a8fdeb5761423d21df82a93865_bf7f78a4_6293aa2d-2707-4d52-988e-67550924207e\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_zkB0qfWSJk.exe_4e21ab8a6c52a8fdeb5761423d21df82a93865_bf7f78a4_6293aa2d-2707-4d52-988e-67550924207e\Report.wer
Category:	dropped
Dump:	Report.wer.13.dr
ID:	dr_1
Target ID:	13
Process:	C:\Windows\System32\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.989209146359892
Encrypted:	false
Ssdeep:	192:3Z6flW6/Ajd3n0UnUtaWh8U/NzuiFKZ24lO8SKe:p6fv/AR30UnUtau80zuiFKY4lO8O
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
PE file does not import any functions	System Summary
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F66.tmp.dmp

Mini DuMP crash report, 16 streams, Mon Jul 1 12:48:09 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F66.tmp.dmp
Category:	dropped
Dump:	WER9F66.tmp.dmp.13.dr
ID:	dr_3
Target ID:	13
Process:	C:\Windows\System32\WerFault.exe
Type:	Mini DuMP crash report, 16 streams, Mon Jul 1 12:48:09 2024, 0x1205a4 type
Entropy:	3.296744421830435
Encrypted:	false
Ssdeep:	3072:fviUMwo0n2mS1CCqg3+vt2bN46qMLLZm8cSBw1/X6XZ4Xy4abZ:3ir0Oqg3QtOFzwoyab
Size:	384323
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA12C.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERA12C.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WERA12C.tmp.WERInternalMetadata.xml.13.dr
ID:	dr_4
Target ID:	13
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.709451939023042
Encrypted:	false
Ssdeep:	192:R6l7wVeJPJNQo6YNRApvJzgmfsqrpr289bGSOfyCm:R6lXJhNQo6YrSvNgmfsqZGDf+
Size:	8606
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA18B.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERA18B.tmp.xml
Category:	dropped
Dump:	WERA18B.tmp.xml.13.dr
ID:	dr_5
Target ID:	13
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.526060859681194
Encrypted:	false
Ssdeep:	48:cvIwWl8zs5Jg771I9DirVWpW8VYrPYm8M4Ji70ESAFayq85x0yL8uXuhY5hDFd:uIjfLI7UiI7VOSJi70Ho0jOuhY5hDFd
Size:	4761
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\regsvcs.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\regsvcs.exe.log
Category:	dropped
Dump:	regsvcs.exe.log.9.dr
ID:	dr_0
Target ID:	9
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.353332853270839
Encrypted:	false
Ssdeep:	24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
Size:	1039
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.13.dr
ID:	dr_2
Target ID:	13
Process:	C:\Windows\System32\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.417043387547886
Encrypted:	false
Ssdeep:	6144:rcifpi6ceLPL9skLmb0mgSWSPtaJG8nAgex285i2MMhA20X4WABlGuNa5+:Qi58gSWIZBk2MM6AFBIo
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\zkB0qfWSJk.exe

"C:\Users\user\Desktop\zkB0qfWSJk.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7220
Target ID:	7
Parent PID:	4056
Name:	zkB0qfWSJk.exe
Path:	C:\Users\user\Desktop\zkB0qfWSJk.exe
Commandline:	"C:\Users\user\Desktop\zkB0qfWSJk.exe"
Size:	1318932
MD5:	7E3694A4D525AECB407E7DFEE160AFEE
Time:	08:48:07
Date:	01/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1ae67800000
Modulesize:	32768
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7376
Target ID:	9
Parent PID:	7220
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	08:48:08
Date:	01/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xc60000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7388
Target ID:	10
Parent PID:	7220
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	08:48:08
Date:	01/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 7220 -s 980

Details

Is windows:	true
Is dropped:	false
PID:	7492
Target ID:	13
Parent PID:	7220
Name:	WerFault.exe
Path:	C:\Windows\System32\WerFault.exe
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7220 -s 980
Size:	570736
MD5:	FD27D9F6D02763BDE32511B5DF7FF7A0
Time:	08:48:09
Date:	01/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff76f550000
Modulesize:	581632
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7788
Target ID:	17
Parent PID:	7376
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	08:48:18
Date:	01/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x410000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7800
Target ID:	18
Parent PID:	7788
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	08:48:18
Date:	01/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff75da10000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

Details

Is windows:	true
Is dropped:	false
PID:	7844
Target ID:	19
Parent PID:	7788
Name:	choice.exe
Path:	C:\Windows\SysWOW64\choice.exe
Commandline:	choice /C Y /N /D Y /T 3
Size:	28160
MD5:	FCE0E41C87DC4ABBE976998AD26C27E4
Time:	08:48:18
Date:	01/07/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x9c0000
Modulesize:	40960
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://reallyfreegeoip.org

unknown

http://upx.sf.net

unknown

http://checkip.dyndns.org

unknown

http://checkip.dyndns.org/

193.122.130.0

http://checkip.dyndns.com

unknown

https://reallyfreegeoip.org/xml/8.46.123.33

188.114.97.3

https://reallyfreegeoip.org/xml/8.46.123.33$

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://checkip.dyndns.org/q

unknown

http://reallyfreegeoip.org

unknown

https://reallyfreegeoip.org/xml/

unknown

There are 1 hidden URLs, click here to show them.

Domains

Name

Malicious

reallyfreegeoip.org

188.114.97.3

Details

Name:	reallyfreegeoip.org
IP:	188.114.97.3
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Tries to detect the country of the analysis system (by using the IP)	Location Tracking
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.com

193.122.130.0

IPs

Domain

Country

Malicious

188.114.97.3

reallyfreegeoip.org

European Union

Details

IP:	188.114.97.3
TargetID:	9
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

193.122.130.0

checkip.dyndns.com

United States

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regsvcs_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regsvcs_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regsvcs_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regsvcs_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regsvcs_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regsvcs_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regsvcs_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regsvcs_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regsvcs_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regsvcs_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regsvcs_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regsvcs_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regsvcs_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regsvcs_RASMANCS

FileDirectory

\REGISTRY\A\{a0dc2c05-2eb6-6103-3a43-d0f66c2ef3d5}\Root\InventoryApplicationFile\zkb0qfwsjk.exe|7424ffec55d7c58

ProgramId

\REGISTRY\A\{a0dc2c05-2eb6-6103-3a43-d0f66c2ef3d5}\Root\InventoryApplicationFile\zkb0qfwsjk.exe|7424ffec55d7c58

FileId

\REGISTRY\A\{a0dc2c05-2eb6-6103-3a43-d0f66c2ef3d5}\Root\InventoryApplicationFile\zkb0qfwsjk.exe|7424ffec55d7c58

LowerCaseLongPath

\REGISTRY\A\{a0dc2c05-2eb6-6103-3a43-d0f66c2ef3d5}\Root\InventoryApplicationFile\zkb0qfwsjk.exe|7424ffec55d7c58

LongPathHash

\REGISTRY\A\{a0dc2c05-2eb6-6103-3a43-d0f66c2ef3d5}\Root\InventoryApplicationFile\zkb0qfwsjk.exe|7424ffec55d7c58

Name

\REGISTRY\A\{a0dc2c05-2eb6-6103-3a43-d0f66c2ef3d5}\Root\InventoryApplicationFile\zkb0qfwsjk.exe|7424ffec55d7c58

OriginalFileName

\REGISTRY\A\{a0dc2c05-2eb6-6103-3a43-d0f66c2ef3d5}\Root\InventoryApplicationFile\zkb0qfwsjk.exe|7424ffec55d7c58

Publisher

\REGISTRY\A\{a0dc2c05-2eb6-6103-3a43-d0f66c2ef3d5}\Root\InventoryApplicationFile\zkb0qfwsjk.exe|7424ffec55d7c58

Version

\REGISTRY\A\{a0dc2c05-2eb6-6103-3a43-d0f66c2ef3d5}\Root\InventoryApplicationFile\zkb0qfwsjk.exe|7424ffec55d7c58

BinFileVersion

\REGISTRY\A\{a0dc2c05-2eb6-6103-3a43-d0f66c2ef3d5}\Root\InventoryApplicationFile\zkb0qfwsjk.exe|7424ffec55d7c58

BinaryType

\REGISTRY\A\{a0dc2c05-2eb6-6103-3a43-d0f66c2ef3d5}\Root\InventoryApplicationFile\zkb0qfwsjk.exe|7424ffec55d7c58

ProductName

\REGISTRY\A\{a0dc2c05-2eb6-6103-3a43-d0f66c2ef3d5}\Root\InventoryApplicationFile\zkb0qfwsjk.exe|7424ffec55d7c58

ProductVersion

\REGISTRY\A\{a0dc2c05-2eb6-6103-3a43-d0f66c2ef3d5}\Root\InventoryApplicationFile\zkb0qfwsjk.exe|7424ffec55d7c58

LinkDate

\REGISTRY\A\{a0dc2c05-2eb6-6103-3a43-d0f66c2ef3d5}\Root\InventoryApplicationFile\zkb0qfwsjk.exe|7424ffec55d7c58

BinProductVersion

\REGISTRY\A\{a0dc2c05-2eb6-6103-3a43-d0f66c2ef3d5}\Root\InventoryApplicationFile\zkb0qfwsjk.exe|7424ffec55d7c58

AppxPackageFullName

\REGISTRY\A\{a0dc2c05-2eb6-6103-3a43-d0f66c2ef3d5}\Root\InventoryApplicationFile\zkb0qfwsjk.exe|7424ffec55d7c58

AppxPackageRelativeId

\REGISTRY\A\{a0dc2c05-2eb6-6103-3a43-d0f66c2ef3d5}\Root\InventoryApplicationFile\zkb0qfwsjk.exe|7424ffec55d7c58

Size

\REGISTRY\A\{a0dc2c05-2eb6-6103-3a43-d0f66c2ef3d5}\Root\InventoryApplicationFile\zkb0qfwsjk.exe|7424ffec55d7c58

Language

\REGISTRY\A\{a0dc2c05-2eb6-6103-3a43-d0f66c2ef3d5}\Root\InventoryApplicationFile\zkb0qfwsjk.exe|7424ffec55d7c58

Usn

There are 23 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2ED1000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

1AE1014B000

trusted library allocation

page read and write

1AE0003B000

trusted library allocation

page read and write

3094000

trusted library allocation

page read and write

11E0000

heap

page read and write

32AC000

stack

page read and write

2DCE000

stack

page read and write

1356000

trusted library allocation

page execute and read and write

400000

remote allocation

page execute and read and write

2D10000

trusted library allocation

page read and write

3310000

heap

page read and write

2D1B000

trusted library allocation

page execute and read and write

1360000

heap

page read and write

643E000

stack

page read and write

4E0DF33000

stack

page read and write

2FDB000

trusted library allocation

page read and write

5414000

trusted library allocation

page read and write

7FFAAC77E000

trusted library allocation

page read and write

3ED1000

trusted library allocation

page read and write

1AE67B00000

trusted library allocation

page read and write

5426000

trusted library allocation

page read and write

1AE67B20000

trusted library allocation

page read and write

1AE69530000

trusted library section

page read and write

5470000

trusted library allocation

page read and write

7FFAAC759000

trusted library allocation

page read and write

156E000

stack

page read and write

4E0E6FD000

stack

page read and write

7FFAAC7A0000

trusted library allocation

page read and write

7FFAAC5FC000

trusted library allocation

page execute and read and write

555D000

stack

page read and write

3368000

heap

page read and write

2CA0000

heap

page read and write

146F000

stack

page read and write

3360000

heap

page read and write

1AE10001000

trusted library allocation

page read and write

2D80000

heap

page read and write

5404000

trusted library allocation

page read and write

11E5000

heap

page read and write

2FB4000

trusted library allocation

page read and write

1AE6799D000

heap

page read and write

683E000

stack

page read and write

3065000

trusted library allocation

page read and write

65BB000

heap

page read and write

687E000

stack

page read and write

7FFAAC5A2000

trusted library allocation

page read and write

7FFB16790000

unkown

page readonly

7FFAAC686000

trusted library allocation

page execute and read and write

1AE678A0000

heap

page read and write

69BE000

stack

page read and write

1333000

trusted library allocation

page execute and read and write

57DE000

stack

page read and write

1AE67970000

heap

page read and write

6586000

heap

page read and write

66BE000

stack

page read and write

3085000

trusted library allocation

page read and write

326C000

stack

page read and write

575E000

stack

page read and write

1AE69600000

heap

page execute and read and write

7FFAAC5AD000

trusted library allocation

page execute and read and write

361E000

stack

page read and write

3058000

trusted library allocation

page read and write

1AE69E10000

heap

page read and write

1AE678C0000

heap

page read and write

1AE67890000

heap

page read and write

298E000

stack

page read and write

1068000

heap

page read and write

2F82000

trusted library allocation

page read and write

2F7C000

trusted library allocation

page read and write

304A000

trusted library allocation

page read and write

1AE67C50000

heap

page read and write

2F89000

trusted library allocation

page read and write

2D17000

trusted library allocation

page execute and read and write

294E000

unkown

page read and write

2F9C000

trusted library allocation

page read and write

1340000

trusted library allocation

page read and write

1AE00001000

trusted library allocation

page read and write

1334000

trusted library allocation

page read and write

4FAC000

stack

page read and write

2B9F000

unkown

page read and write

623F000

stack

page read and write

29A0000

heap

page read and write

7FFAAC750000

trusted library allocation

page read and write

349F000

stack

page read and write

7FFAAC5CD000

trusted library allocation

page execute and read and write

1AE67E30000

heap

page read and write

6D8E000

stack

page read and write

3EF9000

trusted library allocation

page read and write

7FFAAC660000

trusted library allocation

page execute and read and write

1AE6795B000

heap

page read and write

1330000

trusted library allocation

page read and write

7FFAAC5BD000

trusted library allocation

page execute and read and write

2D40000

heap

page read and write

1AE67973000

heap

page read and write

1300000

heap

page read and write

1320000

trusted library allocation

page read and write

11B0000

heap

page read and write

7FF48B890000

trusted library allocation

page execute and read and write

335E000

stack

page read and write

7FFB167B5000

unkown

page readonly

7FFAAC5A4000

trusted library allocation

page read and write

302B000

trusted library allocation

page read and write

4E0E7FE000

stack

page read and write

7FFAAC5C0000

trusted library allocation

page read and write

DF7000

stack

page read and write

50AC000

stack

page read and write

2990000

heap

page read and write

1AE678E0000

heap

page read and write

1AE67802000

unkown

page readonly

5440000

trusted library allocation

page read and write

3081000

trusted library allocation

page read and write

108A000

heap

page read and write

6540000

heap

page read and write

CFB000

stack

page read and write

3017000

trusted library allocation

page read and write

301F000

trusted library allocation

page read and write

301B000

trusted library allocation

page read and write

1AE69640000

trusted library allocation

page read and write

2D30000

trusted library allocation

page read and write

1AE00352000

trusted library allocation

page read and write

2830000

heap

page read and write

7FFAAC650000

trusted library allocation

page read and write

1AE67C65000

heap

page read and write

4E0E2FF000

stack

page read and write

1307000

heap

page read and write

11AE000

stack

page read and write

540E000

trusted library allocation

page read and write

667E000

stack

page read and write

4E0E8FE000

stack

page read and write

5A3E000

stack

page read and write

7FFAAC656000

trusted library allocation

page read and write

66FE000

stack

page read and write

4E0E4FF000

stack

page read and write

7FFAAC780000

trusted library allocation

page read and write

29C4000

heap

page read and write

2FD3000

trusted library allocation

page read and write

2D12000

trusted library allocation

page read and write

7FFAAC770000

trusted library allocation

page read and write

7FFAAC790000

trusted library allocation

page execute and read and write

35DE000

stack

page read and write

2F9A000

trusted library allocation

page read and write

5620000

heap

page read and write

3023000

trusted library allocation

page read and write

3013000

trusted library allocation

page read and write

1AE67930000

heap

page read and write

2F90000

trusted library allocation

page read and write

579E000

stack

page read and write

7FFAAC5A3000

trusted library allocation

page execute and read and write

4E0E3FF000

stack

page read and write

1AE000E3000

trusted library allocation

page read and write

1AE67C60000

heap

page read and write

7FFAAC5B0000

trusted library allocation

page read and write

2F8D000

trusted library allocation

page read and write

1AE6793C000

heap

page read and write

24CD000

stack

page read and write

657F000

heap

page read and write

7FFAAC5CB000

trusted library allocation

page execute and read and write

57F0000

heap

page execute and read and write

135A000

trusted library allocation

page execute and read and write

67FF000

stack

page read and write

4E0E5FF000

stack

page read and write

6577000

heap

page read and write

7FFAAC5B2000

trusted library allocation

page read and write

1AE67C40000

trusted library allocation

page read and write

5A7E000

stack

page read and write

7FFAAC754000

trusted library allocation

page read and write

4E0EAFE000

stack

page read and write

7FFAAC6C0000

trusted library allocation

page execute and read and write

6C40000

heap

page read and write

6C3C000

stack

page read and write

5435000

trusted library allocation

page read and write

7FFAAC65C000

trusted library allocation

page execute and read and write

7FFB16791000

unkown

page execute read

29C5000

heap

page read and write

3690000

heap

page read and write

613E000

stack

page read and write

1AE10007000

trusted library allocation

page read and write

5450000

trusted library allocation

page read and write

30A8000

trusted library allocation

page read and write

1AE67800000

unkown

page readonly

5429000

trusted library allocation

page read and write

653E000

stack

page read and write

302F000

trusted library allocation

page read and write

54D0000

heap

page read and write

7FFB167B2000

unkown

page readonly

2820000

heap

page read and write

29AC000

heap

page read and write

551E000

stack

page read and write

7FFAAC5C4000

trusted library allocation

page read and write

1AE00020000

trusted library allocation

page read and write

7FFB167A6000

unkown

page readonly

2DA0000

heap

page read and write

1AE67E35000

heap

page read and write

1AE679A4000

heap

page read and write

7FFB167B0000

unkown

page read and write

7FFAAC740000

trusted library allocation

page read and write

12FE000

stack

page read and write

1AE695F0000

heap

page execute and read and write

1060000

heap

page read and write

2FDF000

trusted library allocation

page read and write

2D70000

trusted library allocation

page execute and read and write

7FFAAC5A0000

trusted library allocation

page read and write

2ECE000

stack

page read and write

6C8E000

stack

page read and write

7FFAAC760000

trusted library allocation

page read and write

1097000

heap

page read and write

1350000

trusted library allocation

page read and write

114E000

heap

page read and write

2FC9000

trusted library allocation

page read and write

25CD000

stack

page read and write

2FD7000

trusted library allocation

page read and write

2F84000

trusted library allocation

page read and write

54C0000

trusted library allocation

page read and write

3ED7000

trusted library allocation

page read and write

34A0000

heap

page read and write

6B3C000

stack

page read and write

4E0E9FE000

stack

page read and write

133D000

trusted library allocation

page execute and read and write

1110000

heap

page read and write

5446000

trusted library allocation

page read and write

53F0000

trusted library allocation

page read and write

1AE67C43000

trusted library allocation

page read and write

3027000

trusted library allocation

page read and write

633F000

stack

page read and write

68BE000

stack

page read and write

1352000

trusted library allocation

page read and write

2D60000

heap

page execute and read and write

2C9F000

stack

page read and write

34C0000

heap

page read and write

1160000

heap

page read and write

There are 220 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
zkB0qfWSJk.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportzkB0qfWSJk.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
zkB0qfWSJk.exe