Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

GkYUK8VCrO.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.711463104926535
Filename:	GkYUK8VCrO.exe
Filesize:	1623552
MD5:	7d50650cd2ba63482d4caf875ae65a8e
SHA1:	037e5a7f82d5c436f744e5b7475f6264c32e6519
SHA256:	b54b494944a8b5268e3d3190c5a45af28afdada7eb0fc85fece3c22e2d31b3f1
SHA512:	cc245b8725f43a80a80e25ed3b266293592abda1f451cf80b30b42f90cac4b1898200673b2c87b58c0bcb022d4eb1bfa7a4cbc6ab2f46a3f6ec113842c7fcbb7
SSDEEP:	24576:kAHnh+eWsN3skA4RV1Hom2KXMmHa5rS/G23VGNGfi8mBLWUK5:zh+ZkldoPK8Ya5+/x3VGNJZy
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection	Disable or Modify Tools
Binary is likely a compiled AutoIt script file	System Summary
Machine Learning detection for sample	AV Detection	Security Software Discovery
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Switches to a custom stack to bypass stack traces	Malware Analysis System Evasion	System Information Discovery
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Security Software Discovery Clipboard Data
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging	Disable or Modify Tools
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery Application Window Discovery
Contains functionality to communicate with device drivers	System Summary	Security Software Discovery
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Valid Accounts Access Token Manipulation Disable or Modify Tools
Contains functionality to launch a process as a different user	System Summary	Security Software Discovery
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Security Software Discovery
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality	Security Software Discovery
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	Disable or Modify Tools Security Software Discovery
Contains functionality to read the PEB	Anti Debugging
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing	Security Software Discovery
Contains functionality to shutdown / reboot the system	System Summary	System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion	Security Software Discovery
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion	Security Software Discovery
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Detected potential crypto function	System Summary	System Time Discovery Archive Collected Data Encrypted Channel
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found evasive API chain (date check)	Malware Analysis System Evasion	Native API
Found large amount of non-executed APIs	Malware Analysis System Evasion	System Time Discovery
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	Disable or Modify Tools System Shutdown/Reboot
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools
Sample file is different than original file name gathered from version info	System Summary	System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary	Disable or Modify Tools Security Software Discovery
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Contains functionality for error logging	System Summary	Disable or Modify Tools
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary
Contains functionality to check free disk space	System Summary
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Disable or Modify Tools
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Security Software Discovery Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion	Disable or Modify Tools Security Software Discovery
Reads software policies	System Summary	Security Software Discovery
Sample is known by Antivirus	System Summary	Disable or Modify Tools Security Software Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading Disable or Modify Tools
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary	Disable or Modify Tools

C:\Users\user\AppData\Local\Temp\aut6482.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut6482.tmp
Category:	dropped
Dump:	aut6482.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\GkYUK8VCrO.exe
Type:	data
Entropy:	7.977471232917895
Encrypted:	false
Ssdeep:	6144:ehejQs2jX6J601aIsyvmiLubwl6+pcJLc5n/tAhHL/exo/mb//+:ecjn2mkV3yibycFenmr/r+bX+
Size:	266680
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\aut64C1.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut64C1.tmp
Category:	dropped
Dump:	aut64C1.tmp.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\GkYUK8VCrO.exe
Type:	data
Entropy:	7.599092609745426
Encrypted:	false
Ssdeep:	192:65jwEiqxwzMZTG3c6Vg0X9O1JZUv3QfyYxvoy6LM0nE8j3+UGxLrHJc9kUcN:I6qxwzMZy3QU9Obysvoy8EOvGxXHJ6kX
Size:	9850
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\aut679E.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut679E.tmp
Category:	dropped
Dump:	aut679E.tmp.2.dr
ID:	dr_4
Target ID:	2
Process:	C:\Users\user\Desktop\GkYUK8VCrO.exe
Type:	data
Entropy:	7.977471232917895
Encrypted:	false
Ssdeep:	6144:ehejQs2jX6J601aIsyvmiLubwl6+pcJLc5n/tAhHL/exo/mb//+:ecjn2mkV3yibycFenmr/r+bX+
Size:	266680
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\aut67CE.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut67CE.tmp
Category:	dropped
Dump:	aut67CE.tmp.2.dr
ID:	dr_5
Target ID:	2
Process:	C:\Users\user\Desktop\GkYUK8VCrO.exe
Type:	data
Entropy:	7.599092609745426
Encrypted:	false
Ssdeep:	192:65jwEiqxwzMZTG3c6Vg0X9O1JZUv3QfyYxvoy6LM0nE8j3+UGxLrHJc9kUcN:I6qxwzMZy3QU9Obysvoy8EOvGxXHJ6kX
Size:	9850
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\subbase

ASCII text, with very long lines (28756), with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\subbase
Category:	dropped
Dump:	subbase.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\GkYUK8VCrO.exe
Type:	ASCII text, with very long lines (28756), with no line terminators
Entropy:	3.590881180643552
Encrypted:	false
Ssdeep:	768:miTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbp+IC6bd4vfF3if6gyu+:miTZ+2QoioGRk6ZklputwjpjBkCiw2RS
Size:	28756
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Local\Temp\vaccinators

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\vaccinators
Category:	dropped
Dump:	vaccinators.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\GkYUK8VCrO.exe
Type:	data
Entropy:	7.852716166683299
Encrypted:	false
Ssdeep:	6144:sFMKoPN6TByDlIHahZ22Bo+EJOSDbc7a9UUsAU2ZMgJx8w75mwdu3QWQ:SMvcTByDlIHIZ22+Jvc7LUlfZMg3z5mu
Size:	267776
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\GkYUK8VCrO.exe

"C:\Users\user\Desktop\GkYUK8VCrO.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7448
Target ID:	0
Parent PID:	2580
Name:	GkYUK8VCrO.exe
Path:	C:\Users\user\Desktop\GkYUK8VCrO.exe
Commandline:	"C:\Users\user\Desktop\GkYUK8VCrO.exe"
Size:	1623552
MD5:	7D50650CD2BA63482D4CAF875AE65A8E
Time:	14:25:15
Date:	01/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xaa0000
Modulesize:	1646592
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Binary is likely a compiled AutoIt script file	System Summary
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\GkYUK8VCrO.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7464
Target ID:	1
Parent PID:	7448
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\GkYUK8VCrO.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	14:25:15
Date:	01/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x270000
Modulesize:	57344
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Users\user\Desktop\GkYUK8VCrO.exe

"C:\Users\user\Desktop\GkYUK8VCrO.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7472
Target ID:	2
Parent PID:	7448
Name:	GkYUK8VCrO.exe
Path:	C:\Users\user\Desktop\GkYUK8VCrO.exe
Commandline:	"C:\Users\user\Desktop\GkYUK8VCrO.exe"
Size:	1623552
MD5:	7D50650CD2BA63482D4CAF875AE65A8E
Time:	14:25:16
Date:	01/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xaa0000
Modulesize:	1646592
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Binary is likely a compiled AutoIt script file	System Summary
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\GkYUK8VCrO.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7516
Target ID:	3
Parent PID:	7472
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\GkYUK8VCrO.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	14:25:16
Date:	01/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xe10000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

URLs

Name

Malicious

https://api.ipify.org/

104.26.12.205

Details

Name:	https://api.ipify.org/
IP:	104.26.12.205
TargetID:	3
From Memory:	false
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://api.ipify.org

unknown

Details

Name:	https://api.ipify.org
TargetID:	3
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000003.00000002.4151126152.0000000003431000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4153513364.0000000005870000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4152521685.00000000044B5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4153770965.0000000005900000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4150816380.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	3
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000003.00000002.4153513364.0000000005870000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4152521685.00000000044B5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4153770965.0000000005900000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4150816380.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://mail.fasmacopy.gr

unknown

Details

Name:	http://mail.fasmacopy.gr
TargetID:	3
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000003.00000002.4151126152.00000000034DC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4151126152.000000000369F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4151126152.00000000038BB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4151126152.0000000003580000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4151126152.000000000373D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4151126152.0000000003959000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4151126152.00000000037E5000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Domains

Name

Malicious

mail.fasmacopy.gr

79.170.44.32

Details

Name:	mail.fasmacopy.gr
IP:	79.170.44.32
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

api.ipify.org

104.26.12.205

Details

Name:	api.ipify.org
IP:	104.26.12.205
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

79.170.44.32

mail.fasmacopy.gr

United Kingdom

Details

IP:	79.170.44.32
TargetID:	3
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	20773
ASN name:	GODADDYDE
Private:	false
Domain:	mail.fasmacopy.gr

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

104.26.12.205

api.ipify.org

United States

Details

IP:	104.26.12.205
TargetID:	3
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

5870000

trusted library section

page read and write

44B5000

trusted library allocation

page read and write

347C000

trusted library allocation

page read and write

5900000

trusted library section

page read and write

2FBE000

heap

page read and write

3833000

direct allocation

page read and write

B63000

unkown

page write copy

12F1000

heap

page read and write

37B0000

trusted library allocation

page read and write

13D6000

heap

page read and write

EEE000

heap

page read and write

4557000

trusted library allocation

page read and write

5BBC000

stack

page read and write

39DD000

direct allocation

page read and write

E18000

heap

page read and write

B6C000

unkown

page readonly

3D09000

direct allocation

page read and write

322F000

stack

page read and write

45B7000

trusted library allocation

page read and write

4475000

trusted library allocation

page read and write

46B7000

trusted library allocation

page read and write

9BE000

stack

page read and write

F20000

heap

page read and write

3A29000

direct allocation

page read and write

340D000

stack

page read and write

EEF000

heap

page read and write

3883000

direct allocation

page read and write

B68000

unkown

page readonly

1A60000

direct allocation

page execute and read and write

B68000

unkown

page readonly

445000

system

page execute and read and write

1518000

heap

page read and write

58DE000

trusted library allocation

page read and write

3230000

heap

page read and write

58CB000

trusted library allocation

page read and write

3DA000

stack

page read and write

114E000

heap

page read and write

661C000

stack

page read and write

39D9000

direct allocation

page read and write

6D6D000

stack

page read and write

1A0E000

stack

page read and write

6BBE000

stack

page read and write

9CE000

stack

page read and write

1031000

heap

page read and write

D8E000

stack

page read and write

4737000

trusted library allocation

page read and write

83E0000

heap

page read and write

3893000

trusted library allocation

page read and write

1142000

heap

page read and write

1110000

heap

page read and write

14D4000

trusted library allocation

page read and write

3A2D000

direct allocation

page read and write

150A000

trusted library allocation

page execute and read and write

9CD1000

trusted library allocation

page read and write

6B7E000

stack

page read and write

37D4000

trusted library allocation

page read and write

1350000

heap

page read and write

4757000

trusted library allocation

page read and write

AA1000

unkown

page execute read

4797000

trusted library allocation

page read and write

74D0000

trusted library allocation

page read and write

3713000

trusted library allocation

page read and write

4637000

trusted library allocation

page read and write

2F5C000

stack

page read and write

EEE000

heap

page read and write

11A3000

heap

page read and write

4717000

trusted library allocation

page read and write

3124000

heap

page read and write

15BD000

heap

page read and write

685E000

stack

page read and write

3260000

heap

page read and write

B2F000

unkown

page readonly

74C0000

heap

page read and write

84D0000

heap

page read and write

3B63000

direct allocation

page read and write

1506000

trusted library allocation

page execute and read and write

3903000

trusted library allocation

page read and write

386E000

trusted library allocation

page read and write

BA8000

unkown

page readonly

1480000

trusted library allocation

page read and write

36E9000

trusted library allocation

page read and write

3A4E000

direct allocation

page read and write

4697000

trusted library allocation

page read and write

EA0000

heap

page read and write

F9B000

heap

page read and write

96CC000

stack

page read and write

46D7000

trusted library allocation

page read and write

6A7E000

stack

page read and write

36C0000

direct allocation

page read and write

EB0000

heap

page read and write

1AE0000

heap

page read and write

154D000

heap

page read and write

B55000

unkown

page readonly

3739000

trusted library allocation

page read and write

4657000

trusted library allocation

page read and write

B6C000

unkown

page readonly

3D0D000

direct allocation

page read and write

38B9000

trusted library allocation

page read and write

100F000

stack

page read and write

586E000

stack

page read and write

157A000

heap

page read and write

B5F000

unkown

page write copy

F6B000

heap

page read and write

6D10000

trusted library allocation

page execute and read and write

68F0000

trusted library allocation

page execute and read and write

2F70000

trusted library allocation

page read and write

AA0000

unkown

page readonly

4536000

trusted library allocation

page read and write

11D3000

heap

page read and write

1460000

trusted library allocation

page read and write

B5F000

unkown

page write copy

58F2000

trusted library allocation

page read and write

11D3000

heap

page read and write

BA8000

unkown

page readonly

1118000

heap

page read and write

3A9E000

direct allocation

page read and write

3A29000

direct allocation

page read and write

1355000

heap

page read and write

14A0000

trusted library section

page read and write

FA8000

stack

page read and write

1198000

heap

page read and write

5E60000

trusted library allocation

page read and write

14E0000

trusted library allocation

page read and write

9CAA000

trusted library allocation

page read and write

14DD000

trusted library allocation

page execute and read and write

9CD6000

trusted library allocation

page read and write

1502000

trusted library allocation

page read and write

3431000

trusted library allocation

page read and write

3D7E000

direct allocation

page read and write

3900000

direct allocation

page read and write

851D000

heap

page read and write

3BE0000

direct allocation

page read and write

6E40000

trusted library allocation

page read and write

79E000

stack

page read and write

9DB000

stack

page read and write

ED0000

heap

page read and write

6CF0000

trusted library allocation

page read and write

5CBA000

heap

page read and write

3955000

trusted library allocation

page read and write

34DC000

trusted library allocation

page read and write

3267000

heap

page read and write

85D4000

heap

page read and write

133D000

heap

page read and write

5960000

trusted library allocation

page read and write

11EF000

heap

page read and write

14E3000

trusted library allocation

page read and write

129B000

heap

page read and write

1550000

heap

page read and write

2F90000

heap

page read and write

3D7E000

direct allocation

page read and write

58ED000

trusted library allocation

page read and write

3900000

direct allocation

page read and write

8567000

heap

page read and write

1200000

heap

page read and write

9CBD000

trusted library allocation

page read and write

3A9E000

direct allocation

page read and write

3760000

direct allocation

page read and write

EA1000

heap

page read and write

5990000

heap

page read and write

B6C000

unkown

page readonly

3A2D000

direct allocation

page read and write

14ED000

trusted library allocation

page execute and read and write

ED0000

heap

page read and write

707F000

stack

page read and write

6D20000

trusted library allocation

page read and write

AA1000

unkown

page execute read

E46000

heap

page read and write

858B000

heap

page read and write

3100000

heap

page execute and read and write

38B0000

direct allocation

page read and write

38B0000

direct allocation

page read and write

1490000

heap

page read and write

190E000

stack

page read and write

369F000

trusted library allocation

page read and write

3A9E000

direct allocation

page read and write

3530000

direct allocation

page read and write

3463000

trusted library allocation

page read and write

5980000

heap

page read and write

1500000

trusted library allocation

page read and write

369D000

trusted library allocation

page read and write

1143000

heap

page read and write

11B4000

heap

page read and write

38B7000

trusted library allocation

page read and write

A20000

heap

page read and write

B68000

unkown

page readonly

38BB000

trusted library allocation

page read and write

13C7000

heap

page read and write

B2F000

unkown

page readonly

9FC000

stack

page read and write

4495000

trusted library allocation

page read and write

85A8000

heap

page read and write

98CC000

stack

page read and write

11EE000

heap

page read and write

373B000

trusted library allocation

page read and write

58C0000

trusted library allocation

page read and write

3957000

trusted library allocation

page read and write

3872000

trusted library allocation

page read and write

1A5C000

stack

page read and write

71C0000

trusted library allocation

page read and write

B2F000

unkown

page readonly

1330000

heap

page read and write

3A4E000

direct allocation

page read and write

10C7000

heap

page read and write

5ABC000

stack

page read and write

100D000

heap

page read and write

4597000

trusted library allocation

page read and write

154A000

heap

page read and write

720000

heap

page read and write

3A2D000

direct allocation

page read and write

10BA000

heap

page read and write

EB1000

heap

page read and write

137F000

heap

page read and write

1572000

heap

page read and write

3760000

direct allocation

page read and write

9CB3000

trusted library allocation

page read and write

14D0000

trusted library allocation

page read and write

2F60000

trusted library allocation

page execute and read and write

44F3000

trusted library allocation

page read and write

6D00000

trusted library allocation

page read and write

FFF000

heap

page read and write

3580000

trusted library allocation

page read and write

3833000

direct allocation

page read and write

4431000

trusted library allocation

page read and write

689C000

stack

page read and write

B55000

unkown

page readonly

3B63000

direct allocation

page read and write

9CFE000

trusted library allocation

page read and write

145E000

stack

page read and write

1210000

heap

page read and write

3679000

trusted library allocation

page read and write

3A29000

direct allocation

page read and write

1540000

heap

page read and write

B5F000

unkown

page read and write

2F1E000

stack

page read and write

6AA000

stack

page read and write

3478000

trusted library allocation

page read and write

11D3000

heap

page read and write

AA1000

unkown

page execute read

384A000

trusted library allocation

page read and write

E42000

heap

page read and write

AA1000

unkown

page execute read

BA8000

unkown

page readonly

ED0000

heap

page read and write

7DD000

stack

page read and write

1A94000

heap

page read and write

2EB5000

trusted library allocation

page execute and read and write

AA0000

unkown

page readonly

103C000

stack

page read and write

10DA000

heap

page read and write

39DD000

direct allocation

page read and write

4577000

trusted library allocation

page read and write

4777000

trusted library allocation

page read and write

A8A7000

trusted library allocation

page read and write

14B0000

trusted library section

page read and write

A50000

heap

page read and write

B63000

unkown

page write copy

710000

heap

page read and write

9CEA000

trusted library allocation

page read and write

9CB8000

trusted library allocation

page read and write

1A90000

heap

page read and write

5BE0000

heap

page read and write

A40000

direct allocation

page execute and read and write

346A000

trusted library allocation

page read and write

45F7000

trusted library allocation

page read and write

3240000

trusted library allocation

page read and write

EAA000

stack

page read and write

6CF8000

trusted library allocation

page read and write

6DFE000

stack

page read and write

A40000

heap

page read and write

357E000

trusted library allocation

page read and write

A8AE000

trusted library allocation

page read and write

373D000

trusted library allocation

page read and write

114E000

heap

page read and write

B55000

unkown

page readonly

B6C000

unkown

page readonly

5E5C000

stack

page read and write

58E6000

trusted library allocation

page read and write

3604000

heap

page read and write

3D0D000

direct allocation

page read and write

3A4E000

direct allocation

page read and write

3278000

trusted library allocation

page read and write

160E000

stack

page read and write

3784000

trusted library allocation

page read and write

9CF4000

trusted library allocation

page read and write

115C000

heap

page read and write

750000

heap

page read and write

3600000

heap

page read and write

3710000

direct allocation

page read and write

11A4000

heap

page read and write

9CCC000

trusted library allocation

page read and write

1333000

heap

page read and write

11EE000

heap

page read and write

58E1000

trusted library allocation

page read and write

5C43000

heap

page read and write

D4E000

stack

page read and write

30A0000

heap

page read and write

7FDE0000

trusted library allocation

page execute and read and write

F01000

heap

page read and write

71D0000

trusted library allocation

page read and write

68E0000

heap

page read and write

15A6000

heap

page read and write

12DB000

heap

page read and write

39D9000

direct allocation

page read and write

85A3000

heap

page read and write

3883000

direct allocation

page read and write

7ED0000

trusted library allocation

page read and write

1A9C000

stack

page read and write

364E000

trusted library allocation

page read and write

34DA000

trusted library allocation

page read and write

4455000

trusted library allocation

page read and write

83D0000

heap

page read and write

3250000

trusted library allocation

page read and write

39D9000

direct allocation

page read and write

1586000

heap

page read and write

4677000

trusted library allocation

page read and write

B68000

unkown

page readonly

37D6000

trusted library allocation

page read and write

AA0000

unkown

page readonly

8582000

heap

page read and write

B55000

unkown

page readonly

3870000

trusted library allocation

page read and write

3883000

direct allocation

page read and write

14D3000

trusted library allocation

page execute and read and write

58CE000

trusted library allocation

page read and write

38B0000

direct allocation

page read and write

3A40000

direct allocation

page read and write

3715000

trusted library allocation

page read and write

13C5000

heap

page read and write

EB2000

heap

page read and write

5C22000

heap

page read and write

5D1E000

stack

page read and write

4617000

trusted library allocation

page read and write

11A2000

heap

page read and write

6CBE000

stack

page read and write

A70000

heap

page read and write

A8A9000

trusted library allocation

page read and write

2EB0000

trusted library allocation

page read and write

3710000

direct allocation

page read and write

B2F000

unkown

page readonly

68DA000

heap

page read and write

703E000

stack

page read and write

2ED0000

trusted library allocation

page read and write

45D7000

trusted library allocation

page read and write

5E6D000

trusted library allocation

page read and write

9CC2000

trusted library allocation

page read and write

675D000

stack

page read and write

3D09000

direct allocation

page read and write

9CE5000

trusted library allocation

page read and write

13B8000

heap

page read and write

9CE0000

trusted library allocation

page read and write

3A40000

direct allocation

page read and write

3833000

direct allocation

page read and write

B5F000

unkown

page read and write

3420000

heap

page execute and read and write

1303000

heap

page read and write

101B000

stack

page read and write

E10000

heap

page read and write

8515000

heap

page read and write

2EB7000

trusted library allocation

page execute and read and write

AA0000

unkown

page readonly

7240000

trusted library allocation

page execute and read and write

392F000

trusted library allocation

page read and write

10CA000

heap

page read and write

39A0000

trusted library allocation

page read and write

3526000

trusted library allocation

page read and write

10CA000

heap

page read and write

357C000

trusted library allocation

page read and write

400000

system

page execute and read and write

6D04000

trusted library allocation

page read and write

3553000

trusted library allocation

page read and write

9CF9000

trusted library allocation

page read and write

9CEF000

trusted library allocation

page read and write

3110000

trusted library allocation

page read and write

651C000

stack

page read and write

FFF000

stack

page read and write

3953000

trusted library allocation

page read and write

2EBB000

trusted library allocation

page execute and read and write

46F7000

trusted library allocation

page read and write

9CAE000

trusted library allocation

page read and write

15F1000

heap

page read and write

3959000

trusted library allocation

page read and write

10DA000

heap

page read and write

19DB000

stack

page read and write

E43000

heap

page read and write

BA8000

unkown

page readonly

1A1B000

stack

page read and write

E4B000

heap

page read and write

14F0000

heap

page read and write

39DD000

direct allocation

page read and write

3760000

direct allocation

page read and write

A60000

heap

page read and write

1510000

heap

page read and write

37E5000

trusted library allocation

page read and write

E4B000

heap

page read and write

EC0000

heap

page read and write

E99000

heap

page read and write

85B2000

heap

page read and write

126B000

heap

page read and write

6E50000

trusted library allocation

page execute and read and write

9CDB000

trusted library allocation

page read and write

3710000

direct allocation

page read and write

7200000

heap

page read and write

1D0E000

stack

page read and write

11C3000

heap

page read and write

3BE0000

direct allocation

page read and write

14F7000

heap

page read and write

5E1E000

stack

page read and write

381E000

trusted library allocation

page read and write

58D2000

trusted library allocation

page read and write

30FE000

stack

page read and write

2EB2000

trusted library allocation

page read and write

1146000

heap

page read and write

6E46000

trusted library allocation

page read and write

68D0000

heap

page read and write

5BE4000

heap

page read and write

121F000

heap

page read and write

132E000

stack

page read and write

3900000

direct allocation

page read and write

14C0000

trusted library allocation

page read and write

3120000

heap

page read and write

1A40000

heap

page read and write

392D000

trusted library allocation

page read and write

9CC7000

trusted library allocation

page read and write

There are 413 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
GkYUK8VCrO.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportGkYUK8VCrO.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
GkYUK8VCrO.exe