Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

1hibLFnCm1.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.813048403740222
Filename:	1hibLFnCm1.exe
Filesize:	906240
MD5:	2196edd4ad9d7e8ca345339a66e2fed5
SHA1:	d604a25d04700d19896c1dfe12586568fae5c32f
SHA256:	90a9d213bced2844dbf8a635244a85f29fa5af2c439ca7782709b1ebe304734a
SHA512:	73dae769c4f6aff412d7da1241fc2259a28f1be667239a926c304f0e13bf30f1f9e0ec76e09e914afc7ef520ee2656b9cfe7ac5670be78e148571cdeedcf6fef
SSDEEP:	24576:SrSvamteGeyJhlvWr6ZPk9DXlEqSdVnhU2EaPM:LvaQNJhBQXlEPhY
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........a.S............Xr......Xr..$...Xr......Xr...............\|.......\|.......\|......J\|......J\|......Rich....................PE..L..

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Found evasive API chain (date check)	Malware Analysis System Evasion	Native API
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates files inside the user directory	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Users\user\AppData\Local\Temp\jClCs9nEU3.bat

DOS batch file, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\jClCs9nEU3.bat
Category:	dropped
Dump:	jClCs9nEU3.bat.3.dr
ID:	dr_5
Target ID:	3
Process:	C:\Users\user\AppData\Roaming\ms_updater.exe
Type:	DOS batch file, ASCII text, with CRLF line terminators
Entropy:	5.058654544935388
Encrypted:	false
Ssdeep:	6:hCijTg3Nou1ShCZG1wknaZ54hKOZG1wkn23fZh:HTg9uyrHgf3
Size:	225
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Executes batch files	System Summary	Scripting
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\ms_updater.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\ms_updater.exe
Category:	dropped
Dump:	ms_updater.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\1hibLFnCm1.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.689710256126498
Encrypted:	false
Ssdeep:	12288:y4Tnk5JYTGS7QxJnYV7tJJMA+mEgcvJMjucBZ6:y4TnOSYYV7XJMA+byuW6
Size:	640512
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected DCRat	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for dropped file	AV Detection
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Virtualization/Sandbox Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a window with clipboard capturing capabilities	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Drops PE files	Persistence and Installation Behavior
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Checks the free space of harddrives	Malware Analysis System Evasion	System Information Discovery
Contains functionality to query system information	Malware Analysis System Evasion	System Information Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Enumerates the file system	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Executes batch files	System Summary	Scripting
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses Microsoft Silverlight	System Summary

C:\Users\user\Desktop\gOvRVAND.log

PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\Desktop\gOvRVAND.log
Category:	dropped
Dump:	gOvRVAND.log.3.dr
ID:	dr_2
Target ID:	3
Process:	C:\Users\user\AppData\Roaming\ms_updater.exe
Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.932541123129161
Encrypted:	false
Ssdeep:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
Size:	69632
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\Desktop\mHYqxgSr.log

PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\Desktop\mHYqxgSr.log
Category:	dropped
Dump:	mHYqxgSr.log.3.dr
ID:	dr_3
Target ID:	3
Process:	C:\Users\user\AppData\Roaming\ms_updater.exe
Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.4346552043530165
Encrypted:	false
Ssdeep:	384:fTcm673m4NrYnbspeYMDnw4aU04pWfs8xLDpHEm1r1yNq/:ABNUbfYM8NT4pWkoDxfB4N
Size:	24064
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ms_updater.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ms_updater.exe.log
Category:	dropped
Dump:	ms_updater.exe.log.3.dr
ID:	dr_6
Target ID:	3
Process:	C:\Users\user\AppData\Roaming\ms_updater.exe
Type:	CSV text
Entropy:	5.36827240602657
Encrypted:	false
Ssdeep:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKk+HKlT4vHNpv:iq+wmj0qCYqGSI6oPtzHeqKk+qZ4vtpv
Size:	1740
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\LLzNk9wqw6

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\LLzNk9wqw6
Category:	dropped
Dump:	LLzNk9wqw6.3.dr
ID:	dr_4
Target ID:	3
Process:	C:\Users\user\AppData\Roaming\ms_updater.exe
Type:	ASCII text, with no line terminators
Entropy:	4.4838561897747224
Encrypted:	false
Ssdeep:	3:GxC3GLIbVTn:GxCsyTn
Size:	25
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Roaming\ms_tool.exe

PE32+ executable (console) x86-64, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\ms_tool.exe
Category:	dropped
Dump:	ms_tool.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\1hibLFnCm1.exe
Type:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	5.181595394449682
Encrypted:	false
Ssdeep:	384:abquDyuX3PMD1A77ciNqC/Elsrl+0+/QlDIINvB0WLFW:gquuuHPMDinDY9al+0WQFNvBZ
Size:	18944
Whitelisted:	true
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to call native functions	System Summary
Contains functionality to communicate with device drivers	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Creates files inside the user directory	System Summary	Masquerading
Spawns processes	System Summary	Process Injection

\Device\Null

ASCII text

dropped

Details

File:	\Device\Null
Category:	dropped
Dump:	Null.8.dr
ID:	dr_7
Target ID:	8
Process:	C:\Windows\System32\w32tm.exe
Type:	ASCII text
Entropy:	4.759057333148783
Encrypted:	false
Ssdeep:	3:VLV993J+miJWEoJ8FXxX9RStbMGOZ8XKvobPKvj:Vx993DEU2tRCMGE8F7s
Size:	151
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\1hibLFnCm1.exe

"C:\Users\user\Desktop\1hibLFnCm1.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6532
Target ID:	0
Parent PID:	2580
Name:	1hibLFnCm1.exe
Path:	C:\Users\user\Desktop\1hibLFnCm1.exe
Commandline:	"C:\Users\user\Desktop\1hibLFnCm1.exe"
Size:	906240
MD5:	2196EDD4AD9D7E8CA345339A66E2FED5
Time:	09:52:02
Date:	03/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xf50000
Modulesize:	925696
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected DCRat	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Users\user\AppData\Roaming\ms_updater.exe

"C:\Users\user\AppData\Roaming\ms_updater.exe"

Details

Is windows:	false
Is dropped:	true
PID:	6768
Target ID:	3
Parent PID:	6532
Name:	ms_updater.exe
Path:	C:\Users\user\AppData\Roaming\ms_updater.exe
Commandline:	"C:\Users\user\AppData\Roaming\ms_updater.exe"
Size:	640512
MD5:	CEAC3DE237F6B1DC4B279D8E5F5B3689
Time:	09:52:03
Date:	03/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xd90000
Modulesize:	663552
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected DCRat	Stealing of Sensitive Information, Remote Access Functionality
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\ms_tool.exe

"C:\Users\user\AppData\Roaming\ms_tool.exe"

Details

Is windows:	false
Is dropped:	true
PID:	6672
Target ID:	1
Parent PID:	6532
Name:	ms_tool.exe
Path:	C:\Users\user\AppData\Roaming\ms_tool.exe
Commandline:	"C:\Users\user\AppData\Roaming\ms_tool.exe"
Size:	18944
MD5:	F3EDFF85DE5FD002692D54A04BCB1C09
Time:	09:52:03
Date:	03/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff68c5e0000
Modulesize:	40960
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Creates files inside the user directory	System Summary	Masquerading
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6696
Target ID:	2
Parent PID:	6672
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	09:52:03
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\jClCs9nEU3.bat"

Details

Is windows:	true
Is dropped:	false
PID:	7096
Target ID:	5
Parent PID:	6768
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\jClCs9nEU3.bat"
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	09:52:08
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff78c3f0000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Executes batch files	System Summary	Scripting
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	3940
Target ID:	6
Parent PID:	7096
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	09:52:08
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\chcp.com

chcp 65001

Details

Is windows:	true
Is dropped:	false
PID:	6716
Target ID:	7
Parent PID:	7096
Name:	chcp.com
Path:	C:\Windows\System32\chcp.com
Commandline:	chcp 65001
Size:	14848
MD5:	33395C4732A49065EA72590B14B64F32
Time:	09:52:09
Date:	03/07/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff696430000
Modulesize:	36864
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Details

Is windows:	true
Is dropped:	false
PID:	6600
Target ID:	8
Parent PID:	7096
Name:	w32tm.exe
Path:	C:\Windows\System32\w32tm.exe
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Size:	108032
MD5:	81A82132737224D324A3E8DA993E2FB5
Time:	09:52:09
Date:	03/07/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff65dea0000
Modulesize:	126976
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://118621cm.n9shteam2.top/

unknown

http://118621cm.n9shteam2.top/protecttrackDatalifePrivateCentral.php

104.21.90.190

http://www.apache.org/licenses/LICENSE-2.0

unknown

http://www.fontbureau.com

unknown

http://www.fontbureau.com/designersG

unknown

http://www.fontbureau.com/designers/?

unknown

http://www.founder.com.cn/cn/bThe

unknown

http://www.fontbureau.com/designers?

unknown

http://www.tiro.com

unknown

http://www.fontbureau.com/designers

unknown

http://www.goodfont.co.kr

unknown

http://www.carterandcone.coml

unknown

http://www.sajatypeworks.com

unknown

http://www.typography.netD

unknown

http://www.fontbureau.com/designers/cabarga.htmlN

unknown

http://www.founder.com.cn/cn/cThe

unknown

http://118621cm.n9shteX

unknown

http://www.galapagosdesign.com/staff/dennis.htm

unknown

http://www.founder.com.cn/cn

unknown

http://www.fontbureau.com/designers/frere-user.html

unknown

http://www.jiyu-kobo.co.jp/

unknown

http://www.galapagosdesign.com/DPlease

unknown

http://www.fontbureau.com/designers8

unknown

http://118621cm.n9shteam2.top

unknown

http://www.fonts.com

unknown

http://www.sandoll.co.kr

unknown

http://www.urwpp.deDPlease

unknown

http://www.zhongyicts.com.cn

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://www.sakkal.com

unknown

There are 20 hidden URLs, click here to show them.

Domains

Name

Malicious

118621cm.n9shteam2.top

104.21.90.190

Details

Name:	118621cm.n9shteam2.top
IP:	104.21.90.190
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

104.21.90.190

118621cm.n9shteam2.top

United States

Details

IP:	104.21.90.190
TargetID:	3
Current Path:	C:\Users\user\AppData\Roaming\ms_updater.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	118621cm.n9shteam2.top

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\a7826988ae199588b0a428293d027e79d80232cd

171823069b6502484221899169503f7fbaed6ee1

HKEY_CURRENT_USER\SOFTWARE\AjqVFPjRdUMLGTTtnlMEjUReAbQurGJk

AjqVFPjRdUMLGTTtnlMEjUReAbQurGJk

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ms_updater_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ms_updater_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ms_updater_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ms_updater_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ms_updater_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ms_updater_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ms_updater_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ms_updater_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ms_updater_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ms_updater_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ms_updater_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ms_updater_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ms_updater_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ms_updater_RASMANCS

FileDirectory

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

LangID

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

C:\Windows\System32\cmd.exe.FriendlyAppName

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

C:\Windows\System32\cmd.exe.ApplicationCompany

There are 9 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

F8D000

unkown

page read and write

314B000

trusted library allocation

page read and write

D92000

unkown

page readonly

2FD1000

trusted library allocation

page read and write

7FFD9BBD2000

trusted library allocation

page read and write

F30000

heap

page read and write

1BA5E000

heap

page read and write

33A6000

trusted library allocation

page read and write

1BAC5000

heap

page read and write

131F000

heap

page read and write

7FFD9BB55000

trusted library allocation

page read and write

12E0000

heap

page read and write

7FF68C5E0000

unkown

page readonly

B3A000

heap

page read and write

C60000

heap

page read and write

1B940000

trusted library section

page readonly

7FF68C5E1000

unkown

page execute read

1ED96000

heap

page read and write

B30000

heap

page read and write

7FFD9B9A4000

trusted library allocation

page read and write

1BA75000

heap

page read and write

B721A7C000

stack

page read and write

1B910000

trusted library allocation

page read and write

102F000

unkown

page readonly

1ECBE000

heap

page read and write

F50000

unkown

page readonly

25487580000

heap

page read and write

1550000

trusted library allocation

page read and write

1B920000

heap

page execute and read and write

1F61B760000

heap

page read and write

1B35F000

heap

page read and write

1590000

unkown

page readonly

1592000

unkown

page readonly

12F754B0000

heap

page read and write

7FFD9BC80000

trusted library allocation

page read and write

C50000

heap

page read and write

1F61BA80000

heap

page read and write

132ED000

trusted library allocation

page read and write

33CE000

stack

page read and write

12F753B7000

heap

page read and write

7FFD9B9A0000

trusted library allocation

page read and write

331D000

trusted library allocation

page read and write

1BDFE000

stack

page read and write

330E000

trusted library allocation

page read and write

7FF68C5E0000

unkown

page readonly

15C0000

heap

page read and write

2FCE000

stack

page read and write

1DB8E000

stack

page read and write

1B8F0000

heap

page read and write

F7A000

unkown

page readonly

1BA79000

heap

page read and write

304E000

stack

page read and write

C71ACFF000

stack

page read and write

7FFD9BB29000

trusted library allocation

page read and write

1BAA7000

heap

page read and write

1CFC4FE000

stack

page read and write

1BA27000

heap

page read and write

F89000

unkown

page read and write

2E70000

unkown

page readonly

ECE000

stack

page read and write

1309000

heap

page read and write

331B000

trusted library allocation

page read and write

2E72000

unkown

page readonly

F8A000

unkown

page write copy

314E000

stack

page read and write

113E000

stack

page read and write

B721AFF000

stack

page read and write

1BA95000

heap

page read and write

130B7000

trusted library allocation

page read and write

7FFD9B99D000

trusted library allocation

page execute and read and write

328E000

stack

page read and write

1DD8B000

stack

page read and write

1CFC1AB000

stack

page read and write

1ECAC000

heap

page read and write

12F753B7000

heap

page read and write

7FFD9BBC0000

trusted library allocation

page execute and read and write

1ED9C000

heap

page read and write

F8D000

unkown

page write copy

1E076000

stack

page read and write

13115000

trusted library allocation

page read and write

3143000

trusted library allocation

page read and write

1C28F000

stack

page read and write

1E17A000

stack

page read and write

1B9F3000

heap

page read and write

1F61B768000

heap

page read and write

254875FA000

heap

page read and write

1E61C000

stack

page read and write

1E180000

heap

page read and write

1DA8E000

stack

page read and write

3160000

heap

page read and write

7FFD9B980000

trusted library allocation

page read and write

1F61B720000

heap

page read and write

1B000000

trusted library allocation

page read and write

7FFD9B983000

trusted library allocation

page execute and read and write

131E0000

trusted library allocation

page read and write

7FFD9BC70000

trusted library allocation

page read and write

F8B000

unkown

page read and write

1BCFE000

stack

page read and write

1BFF6000

stack

page read and write

7FF68C5E7000

unkown

page readonly

12F754C0000

heap

page read and write

364B000

stack

page read and write

FC0000

heap

page read and write

F51000

unkown

page execute read

1BA00000

heap

page read and write

F70000

stack

page read and write

7FFD9BBE0000

trusted library allocation

page execute and read and write

12FDE000

trusted library allocation

page read and write

2E90000

heap

page execute and read and write

34CF000

stack

page read and write

2EC0000

heap

page execute and read and write

7FFD9BA3C000

trusted library allocation

page execute and read and write

1DF76000

heap

page read and write

7FFD9BA66000

trusted library allocation

page execute and read and write

7FFD9BB90000

trusted library allocation

page read and write

7FFD9BA36000

trusted library allocation

page read and write

3396000

trusted library allocation

page read and write

7FFD9BA30000

trusted library allocation

page read and write

13125000

trusted library allocation

page read and write

1ECEF000

heap

page read and write

D40000

heap

page read and write

254875A0000

heap

page read and write

12FD000

heap

page read and write

7FFD9B9DC000

trusted library allocation

page execute and read and write

12FD1000

trusted library allocation

page read and write

1CFC47E000

stack

page read and write

C65000

heap

page read and write

1B9F0000

heap

page read and write

1ED80000

heap

page read and write

FE0000

heap

page read and write

1BA9E000

heap

page read and write

7FFD9BC90000

trusted library allocation

page read and write

1EDD5000

heap

page read and write

1F61B730000

heap

page read and write

374C000

stack

page read and write

F89000

unkown

page write copy

B721B7F000

stack

page read and write

1F61B930000

heap

page read and write

350E000

stack

page read and write

7FFD9BC60000

trusted library allocation

page execute and read and write

1C236000

stack

page read and write

1322000

heap

page read and write

7FFD9B984000

trusted library allocation

page read and write

7FFD9BB20000

trusted library allocation

page read and write

254875F0000

heap

page read and write

1B950000

heap

page read and write

2E84000

unkown

page readonly

25487925000

heap

page read and write

1305B000

trusted library allocation

page read and write

15A0000

heap

page read and write

1DF70000

heap

page read and write

1EDBD000

heap

page read and write

1C03E000

stack

page read and write

1530000

trusted library allocation

page read and write

AFD000

stack

page read and write

30D6000

trusted library allocation

page read and write

1ED90000

heap

page read and write

7FFD9BB60000

trusted library allocation

page read and write

1EC90000

heap

page read and write

7FF68C5E1000

unkown

page execute read

1FF80000

trusted library allocation

page read and write

7FFD9B9AB000

trusted library allocation

page execute and read and write

C71AC7B000

stack

page read and write

7FFD9BB30000

trusted library allocation

page read and write

12F753A9000

heap

page read and write

14DE000

stack

page read and write

254875F8000

heap

page read and write

102F000

unkown

page readonly

7FFD9BBA0000

trusted library allocation

page read and write

1D89E000

stack

page read and write

25487920000

heap

page read and write

130BF000

trusted library allocation

page read and write

E8D000

stack

page read and write

3140000

trusted library allocation

page read and write

B64000

heap

page read and write

7FFD9B9AD000

trusted library allocation

page execute and read and write

1BAA9000

heap

page read and write

12EC000

heap

page read and write

1B56C000

stack

page read and write

7FFD9B993000

trusted library allocation

page read and write

338F000

stack

page read and write

134D000

heap

page read and write

7FFD9BAA0000

trusted library allocation

page execute and read and write

12D5000

heap

page read and write

379E000

stack

page read and write

1EC80000

heap

page read and write

1BA57000

heap

page read and write

1ECCD000

heap

page read and write

7FFD9BBB0000

trusted library allocation

page execute and read and write

15C5000

heap

page read and write

7FF68C5E4000

unkown

page readonly

134B000

heap

page read and write

7FFD9BB80000

trusted library allocation

page read and write

389F000

stack

page read and write

D90000

unkown

page readonly

25487570000

heap

page read and write

131A4000

trusted library allocation

page read and write

2A1D000

stack

page read and write

360F000

stack

page read and write

7FFD9B98D000

trusted library allocation

page execute and read and write

7FFD9BB50000

trusted library allocation

page read and write

1BA7C000

heap

page read and write

363F000

trusted library allocation

page read and write

D8E000

stack

page read and write

1E378000

stack

page read and write

12F75290000

heap

page read and write

F51000

unkown

page execute read

7FF68C5E4000

unkown

page readonly

2B1E000

stack

page read and write

7FFD9BA40000

trusted library allocation

page execute and read and write

311E000

trusted library allocation

page read and write

7FFD9BB70000

trusted library allocation

page read and write

1C138000

stack

page read and write

14E0000

heap

page read and write

F50000

unkown

page readonly

13BC000

heap

page read and write

7FF456660000

trusted library allocation

page execute and read and write

12F753A0000

heap

page read and write

D90000

unkown

page readonly

3130000

trusted library allocation

page read and write

FB0000

heap

page read and write

12F75370000

heap

page read and write

7FF68C5E7000

unkown

page readonly

7FFD9BBD0000

trusted library allocation

page read and write

1B923000

heap

page execute and read and write

1BBFE000

stack

page read and write

B3E000

heap

page read and write

2BB0000

heap

page read and write

12D0000

heap

page read and write

F7A000

unkown

page readonly

1C38D000

stack

page read and write

1BA21000

heap

page read and write

1EDD7000

heap

page read and write

2B90000

heap

page read and write

3150000

heap

page read and write

7FC000

stack

page read and write

16CE000

stack

page read and write

7FFD9BB42000

trusted library allocation

page read and write

1FFA2000

trusted library allocation

page read and write

There are 229 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
1hibLFnCm1.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report1hibLFnCm1.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
1hibLFnCm1.exe