Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

project plan.exe

PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Entropy:	4.2802833721596025
Filename:	project plan.exe
Filesize:	2939959
MD5:	ec263cafbd93faeb218574586bf8e45f
SHA1:	2d37614bb075a8580fc5fe7851dedbc88911944c
SHA256:	7c801923836d6b568d00a338b6bcf41889a7a9150c41a4274c21e50d9eb86f33
SHA512:	cd2f79fcd7cb5a7dc405f7cfd21c47d6ae6557f3a8967b9ba8b466a2e55425d79586b4cb153f69fe8488cc1bd4037e76dafcab29e122b90b3a9a859fbf4601ee
SSDEEP:	12288:6ZeDWntewRLkHfkWWAH0tbERlDqKtsR6g:hDeewxUgtQ3qKtsRn
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...(..f.........."...0.Z~............... ....@...... ....................................`................................

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary	Security Software Discovery
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API Security Software Discovery
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Checks if the current process is being debugged	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Security Software Discovery
Detected potential crypto function	System Summary	Security Software Discovery
Enables debug privileges	Anti Debugging
One or more processes crash	System Summary
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Security Software Discovery System Information Discovery
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Deobfuscate/Decode Files or Information Archive Collected Data
.NET source code contains long base64-encoded strings	System Summary
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary
Uses Microsoft Silverlight	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_project plan.exe_feb5e1bf740ebfcc66821499cd5ec33f8925b97_c0f593ef_8deeed97-6c03-4b0a-a0b8-fcfe0b574727\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_project plan.exe_feb5e1bf740ebfcc66821499cd5ec33f8925b97_c0f593ef_8deeed97-6c03-4b0a-a0b8-fcfe0b574727\Report.wer
Category:	dropped
Dump:	Report.wer.7.dr
ID:	dr_0
Target ID:	7
Process:	C:\Windows\System32\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	1.0365186031279516
Encrypted:	false
Ssdeep:	384:Fs82o+GuizUnUFaGmCFzuiFTY4lO8ybY:682VIUnUFaOzuiFTY4lO8
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Machine Learning detection for sample	AV Detection
PE file does not import any functions	System Summary
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE5D.tmp.dmp

Mini DuMP crash report, 16 streams, Wed Jul 3 07:27:59 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE5D.tmp.dmp
Category:	dropped
Dump:	WERDE5D.tmp.dmp.7.dr
ID:	dr_2
Target ID:	7
Process:	C:\Windows\System32\WerFault.exe
Type:	Mini DuMP crash report, 16 streams, Wed Jul 3 07:27:59 2024, 0x1205a4 type
Entropy:	3.372526431202278
Encrypted:	false
Ssdeep:	3072:lBHM9MYL24TVJ9cSaFFVDovuzkFhEdh0U1CCqqB6Z3+vj12O84P:lBHMaPuVXaqvuzhD3qm6Z3Q3
Size:	425157
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDFA7.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERDFA7.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WERDFA7.tmp.WERInternalMetadata.xml.7.dr
ID:	dr_3
Target ID:	7
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.711282976935528
Encrypted:	false
Ssdeep:	192:R6l7wVeJuPLyy46YEIcCP+Kgmfzn48prI89b6vFcfUTU/m:R6lXJuL346YEDCPtgmfzn4s6vOfUw+
Size:	8812
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE005.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERE005.tmp.xml
Category:	dropped
Dump:	WERE005.tmp.xml.7.dr
ID:	dr_4
Target ID:	7
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.503460048051616
Encrypted:	false
Ssdeep:	96:uIjfnI7Ql7VqfJQlfmsiDx1JWiS03iS7d:uIzYQl7cIfmzHZS0ySp
Size:	4773
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.7.dr
ID:	dr_1
Target ID:	7
Process:	C:\Windows\System32\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.421998644376424
Encrypted:	false
Ssdeep:	6144:1Svfpi6ceLP/9skLmb0OTXWSPHaJG8nAgeMZMMhA2fX4WABlEnNK0uhiTw:8vloTXW+EZMM6DFyM03w
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\project plan.exe

"C:\Users\user\Desktop\project plan.exe"

Details

Is windows:	false
Is dropped:	false
PID:	1536
Target ID:	0
Parent PID:	1028
Name:	project plan.exe
Path:	C:\Users\user\Desktop\project plan.exe
Commandline:	"C:\Users\user\Desktop\project plan.exe"
Size:	2939959
MD5:	EC263CAFBD93FAEB218574586BF8E45F
Time:	03:27:56
Date:	03/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x16754a40000
Modulesize:	49152
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6132
Target ID:	3
Parent PID:	1536
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	03:27:57
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x8e0000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Capture Wi-Fi password	Stealing of Sensitive Information
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	5836
Target ID:	4
Parent PID:	1536
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	03:27:57
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Capture Wi-Fi password	Stealing of Sensitive Information
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\netsh.exe

"netsh" wlan show profile

Details

Is windows:	true
Is dropped:	false
PID:	3580
Target ID:	9
Parent PID:	6132
Name:	netsh.exe
Path:	C:\Windows\SysWOW64\netsh.exe
Commandline:	"netsh" wlan show profile
Size:	82432
MD5:	4E89A1A088BE715D6C946E55AB07C7DF
Time:	03:28:04
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1080000
Modulesize:	122880
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Capture Wi-Fi password	Stealing of Sensitive Information
Tries to harvest and steal WLAN passwords	Stealing of Sensitive Information
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	1568
Target ID:	1
Parent PID:	1536
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	03:27:56
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1536 -s 1028

Details

Is windows:	true
Is dropped:	false
PID:	4956
Target ID:	7
Parent PID:	1536
Name:	WerFault.exe
Path:	C:\Windows\System32\WerFault.exe
Commandline:	C:\Windows\system32\WerFault.exe -u -p 1536 -s 1028
Size:	570736
MD5:	FD27D9F6D02763BDE32511B5DF7FF7A0
Time:	03:27:58
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6ea340000
Modulesize:	581632
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	3504
Target ID:	10
Parent PID:	3580
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	03:28:04
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://api.telegram.org

unknown

https://api.telegram.org/bot

unknown

https://api.telegram.org/bot6064725165:AAHXOwTVVm0GMC2M_NZjTT0hEHEGMgtU55I/sendDocument?chat_id=5361285164&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake

149.154.167.220

http://upx.sf.net

unknown

http://checkip.dyndns.org

unknown

http://checkip.dyndns.org/

132.226.247.73

http://checkip.dyndns.com

unknown

http://api.telegram.org

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://checkip.dyndns.org/q

unknown

https://api.telegram.org/bot6064725165:AAHXOwTVVm0GMC2M_NZjTT0hEHEGMgtU55I/sendDocument?chat_id=5361

unknown

There are 1 hidden URLs, click here to show them.

Domains

Name

Malicious

api.telegram.org

149.154.167.220

Details

Name:	api.telegram.org
IP:	149.154.167.220
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Uses the Telegram API (likely for C&C communication)	Networking	Web Service
HTTP GET or POST without a user agent	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.com

132.226.247.73

IPs

Domain

Country

Malicious

149.154.167.220

api.telegram.org

United Kingdom

Details

IP:	149.154.167.220
TargetID:	3
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	62041
ASN name:	TELEGRAMRU
Private:	false
Domain:	api.telegram.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

132.226.247.73

checkip.dyndns.com

United States

Registry

Path

Value

Malicious

\REGISTRY\A\{de4f35b7-9f0d-60b5-d749-67475de06956}\Root\InventoryApplicationFile\project plan.exe|9b1014a02602cdb

ProgramId

\REGISTRY\A\{de4f35b7-9f0d-60b5-d749-67475de06956}\Root\InventoryApplicationFile\project plan.exe|9b1014a02602cdb

FileId

\REGISTRY\A\{de4f35b7-9f0d-60b5-d749-67475de06956}\Root\InventoryApplicationFile\project plan.exe|9b1014a02602cdb

LowerCaseLongPath

\REGISTRY\A\{de4f35b7-9f0d-60b5-d749-67475de06956}\Root\InventoryApplicationFile\project plan.exe|9b1014a02602cdb

LongPathHash

\REGISTRY\A\{de4f35b7-9f0d-60b5-d749-67475de06956}\Root\InventoryApplicationFile\project plan.exe|9b1014a02602cdb

Name

\REGISTRY\A\{de4f35b7-9f0d-60b5-d749-67475de06956}\Root\InventoryApplicationFile\project plan.exe|9b1014a02602cdb

OriginalFileName

\REGISTRY\A\{de4f35b7-9f0d-60b5-d749-67475de06956}\Root\InventoryApplicationFile\project plan.exe|9b1014a02602cdb

Publisher

\REGISTRY\A\{de4f35b7-9f0d-60b5-d749-67475de06956}\Root\InventoryApplicationFile\project plan.exe|9b1014a02602cdb

Version

\REGISTRY\A\{de4f35b7-9f0d-60b5-d749-67475de06956}\Root\InventoryApplicationFile\project plan.exe|9b1014a02602cdb

BinFileVersion

\REGISTRY\A\{de4f35b7-9f0d-60b5-d749-67475de06956}\Root\InventoryApplicationFile\project plan.exe|9b1014a02602cdb

BinaryType

\REGISTRY\A\{de4f35b7-9f0d-60b5-d749-67475de06956}\Root\InventoryApplicationFile\project plan.exe|9b1014a02602cdb

ProductName

\REGISTRY\A\{de4f35b7-9f0d-60b5-d749-67475de06956}\Root\InventoryApplicationFile\project plan.exe|9b1014a02602cdb

ProductVersion

\REGISTRY\A\{de4f35b7-9f0d-60b5-d749-67475de06956}\Root\InventoryApplicationFile\project plan.exe|9b1014a02602cdb

LinkDate

\REGISTRY\A\{de4f35b7-9f0d-60b5-d749-67475de06956}\Root\InventoryApplicationFile\project plan.exe|9b1014a02602cdb

BinProductVersion

\REGISTRY\A\{de4f35b7-9f0d-60b5-d749-67475de06956}\Root\InventoryApplicationFile\project plan.exe|9b1014a02602cdb

AppxPackageFullName

\REGISTRY\A\{de4f35b7-9f0d-60b5-d749-67475de06956}\Root\InventoryApplicationFile\project plan.exe|9b1014a02602cdb

AppxPackageRelativeId

\REGISTRY\A\{de4f35b7-9f0d-60b5-d749-67475de06956}\Root\InventoryApplicationFile\project plan.exe|9b1014a02602cdb

Size

\REGISTRY\A\{de4f35b7-9f0d-60b5-d749-67475de06956}\Root\InventoryApplicationFile\project plan.exe|9b1014a02602cdb

Language

\REGISTRY\A\{de4f35b7-9f0d-60b5-d749-67475de06956}\Root\InventoryApplicationFile\project plan.exe|9b1014a02602cdb

Usn

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASMANCS

FileDirectory

There are 24 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2D35000

trusted library allocation

page read and write

2E30000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

167566CC000

trusted library allocation

page read and write

2C71000

trusted library allocation

page read and write

2E0A000

trusted library allocation

page read and write

1676696F000

trusted library allocation

page read and write

50D1000

trusted library allocation

page read and write

1676EFF0000

trusted library section

page read and write

16766698000

trusted library allocation

page read and write

1FE000

unkown

page read and write

2E1D000

trusted library allocation

page read and write

6F5000

heap

page read and write

51BD000

stack

page read and write

16754BB0000

heap

page read and write

6F0000

heap

page read and write

2DAE000

trusted library allocation

page read and write

16754BF0000

heap

page read and write

3D07000

trusted library allocation

page read and write

61BE000

stack

page read and write

7FF848E08000

trusted library allocation

page read and write

2E65000

trusted library allocation

page read and write

2DC2000

trusted library allocation

page read and write

7FF848EB0000

trusted library allocation

page execute and read and write

2B60000

heap

page execute and read and write

3CFB000

trusted library allocation

page read and write

45B0000

heap

page read and write

7FF848FA0000

trusted library allocation

page read and write

16754AD0000

heap

page read and write

6CF000

unkown

page read and write

16754CE6000

heap

page read and write

7FF848EA0000

trusted library allocation

page read and write

50D6000

trusted library allocation

page read and write

63A9FD000

stack

page read and write

F0D000

trusted library allocation

page execute and read and write

7FF848E00000

trusted library allocation

page read and write

2DCC000

trusted library allocation

page read and write

7FF848DF0000

trusted library allocation

page read and write

14B000

stack

page read and write

603E000

stack

page read and write

16756691000

trusted library allocation

page read and write

4FF000

stack

page read and write

16754D40000

trusted library allocation

page read and write

6045000

heap

page read and write

F70000

trusted library allocation

page read and write

7FF848FD0000

trusted library allocation

page read and write

3C99000

trusted library allocation

page read and write

7FF848F10000

trusted library allocation

page execute and read and write

F00000

trusted library allocation

page read and write

7FF848E14000

trusted library allocation

page read and write

50BE000

trusted library allocation

page read and write

4AEF000

stack

page read and write

7FF848DF2000

trusted library allocation

page read and write

6040000

heap

page read and write

62E7000

trusted library allocation

page read and write

6160000

trusted library allocation

page execute and read and write

F3B000

trusted library allocation

page execute and read and write

85F000

heap

page read and write

1676F2C0000

heap

page read and write

50E2000

trusted library allocation

page read and write

DE0000

heap

page read and write

63ABFE000

stack

page read and write

AF0000

heap

page read and write

62E0000

trusted library allocation

page read and write

55BE000

stack

page read and write

85F000

heap

page read and write

6048000

heap

page read and write

5780000

trusted library allocation

page read and write

1000000

heap

page read and write

578B000

trusted library allocation

page read and write

16754C66000

heap

page read and write

7FF848DF3000

trusted library allocation

page execute and read and write

7FF848FC0000

trusted library allocation

page read and write

16754D60000

trusted library allocation

page read and write

50CE000

trusted library allocation

page read and write

F1D000

trusted library allocation

page execute and read and write

EF0000

trusted library allocation

page read and write

16766E85000

trusted library allocation

page read and write

16754C33000

heap

page read and write

6700000

heap

page read and write

4ED000

stack

page read and write

16754BD0000

heap

page read and write

3C71000

trusted library allocation

page read and write

F04000

trusted library allocation

page read and write

50F0000

trusted library allocation

page read and write

F8B000

heap

page read and write

F22000

trusted library allocation

page read and write

56BE000

stack

page read and write

7FF848FE2000

trusted library allocation

page read and write

A90000

heap

page read and write

4D6D000

stack

page read and write

F03000

trusted library allocation

page execute and read and write

DE5000

heap

page read and write

16755070000

heap

page read and write

2E57000

trusted library allocation

page read and write

F35000

trusted library allocation

page execute and read and write

56FE000

stack

page read and write

63A4F3000

stack

page read and write

2E2A000

trusted library allocation

page read and write

7FF848F90000

trusted library allocation

page read and write

51C0000

heap

page execute and read and write

E90000

heap

page read and write

62F0000

trusted library allocation

page read and write

63AAFE000

stack

page read and write

2AA0000

heap

page read and write

7FF848E1D000

trusted library allocation

page execute and read and write

63A7FF000

stack

page read and write

F80000

heap

page read and write

16754E85000

heap

page read and write

50B0000

trusted library allocation

page read and write

CF7000

stack

page read and write

73E000

stack

page read and write

50B6000

trusted library allocation

page read and write

16754A40000

unkown

page readonly

1009000

heap

page read and write

DD0000

heap

page read and write

740000

heap

page read and write

63ADFE000

stack

page read and write

7FF848EAC000

trusted library allocation

page execute and read and write

841000

heap

page read and write

841000

heap

page read and write

9F0000

heap

page read and write

F2A000

trusted library allocation

page execute and read and write

50CA000

trusted library allocation

page read and write

16754C62000

heap

page read and write

577E000

stack

page read and write

841000

heap

page read and write

FC1000

heap

page read and write

7FF848DFD000

trusted library allocation

page execute and read and write

7FF848E02000

trusted library allocation

page read and write

7FF848FAC000

trusted library allocation

page read and write

5E3E000

stack

page read and write

16766B43000

trusted library allocation

page read and write

167569E0000

trusted library allocation

page read and write

7FF848E4C000

trusted library allocation

page execute and read and write

EC0000

heap

page read and write

578D000

trusted library allocation

page read and write

16754D70000

trusted library allocation

page read and write

16754E80000

heap

page read and write

400000

remote allocation

page execute and read and write

2D20000

trusted library allocation

page read and write

2DD0000

trusted library allocation

page read and write

AF6000

heap

page read and write

62BF000

stack

page read and write

7FF849000000

trusted library allocation

page read and write

98A000

stack

page read and write

1075000

heap

page read and write

50DD000

trusted library allocation

page read and write

1676F2BD000

trusted library section

page read and write

F37000

trusted library allocation

page execute and read and write

16754DB0000

heap

page read and write

1676EFE0000

heap

page execute and read and write

2A9D000

stack

page read and write

16766691000

trusted library allocation

page read and write

2D15000

trusted library allocation

page read and write

16754CF0000

heap

page read and write

7FF4BA030000

trusted library allocation

page execute and read and write

3CF1000

trusted library allocation

page read and write

50BB000

trusted library allocation

page read and write

2D32000

trusted library allocation

page read and write

16754E20000

heap

page execute and read and write

63A6FE000

stack

page read and write

FB4000

heap

page read and write

F32000

trusted library allocation

page read and write

6D0000

heap

page read and write

6520000

trusted library allocation

page read and write

6152000

trusted library allocation

page read and write

F60000

trusted library allocation

page execute and read and write

6140000

trusted library allocation

page execute and read and write

167666A1000

trusted library allocation

page read and write

422000

remote allocation

page execute and read and write

2E04000

trusted library allocation

page read and write

51D3000

heap

page read and write

1676E6C0000

trusted library allocation

page read and write

6510000

heap

page read and write

2A5E000

stack

page read and write

810000

heap

page read and write

3CD6000

trusted library allocation

page read and write

7FF848DF4000

trusted library allocation

page read and write

2E23000

trusted library allocation

page read and write

7FF848E0D000

trusted library allocation

page execute and read and write

F20000

trusted library allocation

page read and write

82A000

heap

page read and write

7FF848ED6000

trusted library allocation

page execute and read and write

2D29000

trusted library allocation

page read and write

6310000

trusted library allocation

page read and write

6170000

trusted library allocation

page read and write

F50000

trusted library allocation

page read and write

2D18000

trusted library allocation

page read and write

7FF848FB0000

trusted library allocation

page read and write

85F000

heap

page read and write

834000

heap

page read and write

7FF848FF0000

trusted library allocation

page execute and read and write

16754A42000

unkown

page readonly

63A8FE000

stack

page read and write

7FF848E1B000

trusted library allocation

page execute and read and write

63A5FE000

stack

page read and write

2E76000

trusted library allocation

page read and write

16754C30000

heap

page read and write

7FF848EA6000

trusted library allocation

page read and write

16754BFC000

heap

page read and write

1676669D000

trusted library allocation

page read and write

16754C1C000

heap

page read and write

820000

heap

page read and write

2D1D000

trusted library allocation

page read and write

7FF848F96000

trusted library allocation

page read and write

2DD5000

trusted library allocation

page read and write

F26000

trusted library allocation

page execute and read and write

7FF848E10000

trusted library allocation

page read and write

A1E000

stack

page read and write

103B000

heap

page read and write

EB0000

heap

page read and write

51D0000

heap

page read and write

167566B2000

trusted library allocation

page read and write

7FF848FA6000

trusted library allocation

page read and write

2D26000

trusted library allocation

page read and write

2C6E000

stack

page read and write

63ACFE000

stack

page read and write

2E72000

trusted library allocation

page read and write

5110000

trusted library allocation

page read and write

2DB9000

trusted library allocation

page read and write

2DB2000

trusted library allocation

page read and write

16755075000

heap

page read and write

517D000

stack

page read and write

104E000

stack

page read and write

1B0000

heap

page read and write

6300000

trusted library allocation

page execute and read and write

1676EE60000

trusted library section

page read and write

F10000

trusted library allocation

page read and write

5280000

heap

page read and write

16754C35000

heap

page read and write

2B50000

trusted library allocation

page read and write

16754D73000

trusted library allocation

page read and write

831000

heap

page read and write

4F5000

stack

page read and write

There are 225 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
project plan.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportproject plan.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
project plan.exe