Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

rcrypt.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.10495280601298
Filename:	rcrypt.exe
Filesize:	1155072
MD5:	f91e3211d607a74a7635027718dd9701
SHA1:	cb9584d3ce55ab6191d79f841ab135404b733e6d
SHA256:	6e1995af5434855d121995cd5d5e2c6bcfd3bca269845b0579bc8e133784732d
SHA512:	45fea237a179ffcdef01cfe666f625d22e0dcda24557cabe69acccd2ef0a8bed6f64df82d76361b690ff3e3c95c0c2b08d36f2cccd8953b84eb3182c1cef8f63
SSDEEP:	24576:cAHnh+eWsN3skA4RV1Hom2KXMmHaqAktvLbWu9xk5:7h+ZkldoPK8YaqAktva
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Binary is likely a compiled AutoIt script file	System Summary
Machine Learning detection for sample	AV Detection	Security Software Discovery
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Switches to a custom stack to bypass stack traces	Malware Analysis System Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Security Software Discovery Clipboard Data
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery Application Window Discovery
Contains functionality to communicate with device drivers	System Summary	Security Software Discovery
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Valid Accounts Access Token Manipulation
Contains functionality to launch a process as a different user	System Summary	Security Software Discovery
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Security Software Discovery
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality	Security Software Discovery
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	Security Software Discovery
Contains functionality to read the PEB	Anti Debugging
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing	Security Software Discovery
Contains functionality to shutdown / reboot the system	System Summary	System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion	Security Software Discovery
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion	Security Software Discovery
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Encrypted Channel
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found evasive API chain (date check)	Malware Analysis System Evasion	Native API
Found large amount of non-executed APIs	Malware Analysis System Evasion
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	System Shutdown/Reboot
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Sample file is different than original file name gathered from version info	System Summary	System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary	Security Software Discovery
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Contains functionality for error logging	System Summary
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary
Contains functionality to check free disk space	System Summary
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to download additional files from the internet	Networking
Contains functionality to enum processes or threads	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Security Software Discovery Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion	Security Software Discovery
Reads software policies	System Summary	Security Software Discovery
Sample is known by Antivirus	System Summary	Security Software Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\Montevideo

ASCII text, with very long lines (28674), with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Montevideo
Category:	dropped
Dump:	Montevideo.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\rcrypt.exe
Type:	ASCII text, with very long lines (28674), with no line terminators
Entropy:	3.5752314699879224
Encrypted:	false
Ssdeep:	192:aIU0YzxURqp0m5Y+25yeDE49yry+a9ydKKqQl8Ep1zMHPLD1LXVBvbcENwwZUU1J:rYzxrp0FwaI4EYVLXDXZZRdj8Z8d4509
Size:	28674
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\aut63AD.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut63AD.tmp
Category:	dropped
Dump:	aut63AD.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\rcrypt.exe
Type:	data
Entropy:	7.978841009672462
Encrypted:	false
Ssdeep:	6144:OovXrxfhfl1Vd27qpsAYfKCCP12clP2ILsO9c:Hj9b1/6qpMf+N2WLs
Size:	242996
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\aut640C.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut640C.tmp
Category:	dropped
Dump:	aut640C.tmp.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\rcrypt.exe
Type:	data
Entropy:	7.628822916555129
Encrypted:	false
Ssdeep:	192:ZfyKC/lyEAZDgmFVZYQl/sumysD8X7JHhwlct7GSMHHYhTz:Ry5NyVDgaLEPD8lHhVKfHeTz
Size:	9718
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\holloing

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\holloing
Category:	dropped
Dump:	holloing.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\rcrypt.exe
Type:	data
Entropy:	7.843281995168921
Encrypted:	false
Ssdeep:	6144:x/uDBzQQ1FNN1wyVn1KP/C1MHHX6bBM6UmHmWtmzG:x2xQQ191JIk43YBM6USmPG
Size:	248832
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\rcrypt.exe

"C:\Users\user\Desktop\rcrypt.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7628
Target ID:	0
Parent PID:	3504
Name:	rcrypt.exe
Path:	C:\Users\user\Desktop\rcrypt.exe
Commandline:	"C:\Users\user\Desktop\rcrypt.exe"
Size:	1155072
MD5:	F91E3211D607A74A7635027718DD9701
Time:	08:47:23
Date:	24/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xf0000
Modulesize:	1179648
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Binary is likely a compiled AutoIt script file	System Summary
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\rcrypt.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7692
Target ID:	2
Parent PID:	7628
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\rcrypt.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	08:47:24
Date:	24/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7b0000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Yara detected VIP Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

URLs

Name

Malicious

https://www.office.com/

unknown

https://duckduckgo.com/chrome_newtab

unknown

https://duckduckgo.com/ac/?q=

unknown

https://sectigo.com/CPS0

unknown

https://api.telegram.org

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

https://api.telegram.org/bot

unknown

https://www.office.com/lB

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

http://checkip.dyndns.org

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

https://reallyfreegeoip.org/xml/8.46.123.33

188.114.96.3

https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:849224%0D%0ADate%20and%20Time:%2025/07/2024%20/%2001:28:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20849224%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D

149.154.167.220

https://api.telegram.org/bot/sendMessage?chat_id=&text=

unknown

https://chrome.google.com/webstore?hl=en

unknown

https://www.ecosia.org/newtab/

unknown

http://varders.kozow.com:8081

unknown

http://aborters.duckdns.org:8081

unknown

https://ac.ecosia.org/autocomplete?q=

unknown

http://mail.logosbd.net

unknown

http://checkip.dyndns.org/

158.101.44.242

http://51.38.247.67:8081/_send_.php?L

unknown

https://reallyfreegeoip.org/xml/8.46.123.33$

unknown

http://anotherarmy.dns.army:8081

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

http://checkip.dyndns.org/q

unknown

https://reallyfreegeoip.org

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

http://logosbd.net

unknown

https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:849224%0D%0ADate%20a

unknown

http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded

unknown

https://reallyfreegeoip.org/xml/

unknown

There are 23 hidden URLs, click here to show them.

Domains

Name

Malicious

reallyfreegeoip.org

188.114.96.3

Details

Name:	reallyfreegeoip.org
IP:	188.114.96.3
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Tries to detect the country of the analysis system (by using the IP)	Location Tracking
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

api.telegram.org

149.154.167.220

Details

Name:	api.telegram.org
IP:	149.154.167.220
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Uses the Telegram API (likely for C&C communication)	Networking	Web Service
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

mail.logosbd.net

unknown

Details

Name:	mail.logosbd.net
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

bg.microsoft.map.fastly.net

199.232.214.172

checkip.dyndns.com

158.101.44.242

IPs

Domain

Country

Malicious

149.154.167.220

api.telegram.org

United Kingdom

Details

IP:	149.154.167.220
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	62041
ASN name:	TELEGRAMRU
Private:	false
Domain:	api.telegram.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

188.114.96.3

reallyfreegeoip.org

European Union

Details

IP:	188.114.96.3
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

202.4.96.3

unknown

Bangladesh

Details

IP:	202.4.96.3
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	Bangladesh
Countrycode:	BGD
ASN number:	23956
ASN name:	AMBERIT-BD-ASAmberITLimitedBD
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking

158.101.44.242

checkip.dyndns.com

United States

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

4006000

trusted library allocation

page read and write

2A39000

heap

page read and write

2F61000

trusted library allocation

page read and write

2E60000

trusted library section

page read and write

2B60000

trusted library section

page read and write

36B9000

direct allocation

page read and write

AE2000

heap

page read and write

2A00000

trusted library allocation

page read and write

40B0000

trusted library allocation

page read and write

377E000

direct allocation

page read and write

2E5E000

stack

page read and write

3243000

trusted library allocation

page read and write

E45000

heap

page read and write

3021000

trusted library allocation

page read and write

3709000

direct allocation

page read and write

2CEE000

stack

page read and write

9DC000

stack

page read and write

DA3000

trusted library allocation

page read and write

5550000

trusted library allocation

page execute and read and write

5610000

heap

page read and write

6790000

trusted library allocation

page read and write

BF3000

heap

page read and write

32E6000

trusted library allocation

page read and write

310000

heap

page read and write

31B9000

trusted library allocation

page read and write

2880000

trusted library allocation

page read and write

53A0000

trusted library allocation

page read and write

370D000

direct allocation

page read and write

5560000

trusted library allocation

page read and write

A82000

heap

page read and write

42B2000

trusted library allocation

page read and write

3113000

trusted library allocation

page read and write

40E4000

trusted library allocation

page read and write

168E000

stack

page read and write

2D50000

heap

page read and write

DC7000

trusted library allocation

page execute and read and write

3428000

trusted library allocation

page read and write

3440000

direct allocation

page read and write

FDF000

stack

page read and write

A8B000

heap

page read and write

370D000

direct allocation

page read and write

2D0E000

trusted library allocation

page read and write

9CE000

stack

page read and write

42BD000

trusted library allocation

page read and write

676E000

stack

page read and write

42B7000

trusted library allocation

page read and write

C75000

heap

page read and write

DCB000

trusted library allocation

page execute and read and write

C37000

trusted library allocation

page read and write

30E0000

trusted library allocation

page read and write

30E8000

trusted library allocation

page read and write

33F0000

direct allocation

page read and write

3060000

heap

page read and write

2F2C000

trusted library allocation

page read and write

3064000

heap

page read and write

3440000

direct allocation

page read and write

372E000

direct allocation

page read and write

304C000

trusted library allocation

page read and write

5A7D000

trusted library allocation

page read and write

2CF0000

heap

page execute and read and write

42AE000

trusted library allocation

page read and write

6870000

trusted library allocation

page read and write

36BD000

direct allocation

page read and write

4082000

trusted library allocation

page read and write

33B0000

direct allocation

page read and write

DA0000

trusted library allocation

page read and write

3563000

direct allocation

page read and write

2D1A000

trusted library allocation

page read and write

C00000

heap

page read and write

30FF000

trusted library allocation

page read and write

BFE000

stack

page read and write

AE2000

heap

page read and write

1210000

heap

page read and write

A5A000

stack

page read and write

C20000

trusted library allocation

page read and write

2EF0000

trusted library allocation

page execute and read and write

4340000

trusted library allocation

page read and write

53B0000

trusted library allocation

page execute and read and write

AF4000

heap

page read and write

1B8000

unkown

page readonly

63EE000

stack

page read and write

65EE000

stack

page read and write

6826000

trusted library allocation

page read and write

DB2000

trusted library allocation

page read and write

11F0000

trusted library allocation

page execute and read and write

BD4000

heap

page read and write

2D21000

trusted library allocation

page read and write

16E0000

heap

page read and write

67B0000

trusted library allocation

page read and write

9FC000

stack

page read and write

540A000

heap

page read and write

325C000

trusted library allocation

page read and write

42CC000

trusted library allocation

page read and write

4209000

trusted library allocation

page read and write

2D2D000

trusted library allocation

page read and write

3590000

direct allocation

page read and write

AF3000

heap

page read and write

AF3000

heap

page read and write

29F0000

trusted library allocation

page read and write

C70000

heap

page read and write

DB6000

trusted library allocation

page execute and read and write

3015000

trusted library allocation

page read and write

5A60000

trusted library allocation

page execute and read and write

A8B000

heap

page read and write

6854000

trusted library allocation

page read and write

D9D000

trusted library allocation

page execute and read and write

550D000

stack

page read and write

2FD7000

trusted library allocation

page read and write

3709000

direct allocation

page read and write

30CC000

trusted library allocation

page read and write

40F7000

trusted library allocation

page read and write

2FCD000

trusted library allocation

page read and write

5A4F000

stack

page read and write

DC5000

trusted library allocation

page execute and read and write

3104000

trusted library allocation

page read and write

6860000

trusted library allocation

page read and write

32F0000

trusted library allocation

page read and write

A8C000

heap

page read and write

54A5000

heap

page read and write

36BD000

direct allocation

page read and write

53D0000

heap

page read and write

DE0000

heap

page read and write

53A5000

trusted library allocation

page read and write

33F0000

direct allocation

page read and write

290C000

stack

page read and write

3292000

trusted library allocation

page read and write

35E0000

direct allocation

page read and write

53C0000

heap

page execute and read and write

662E000

stack

page read and write

3F0000

heap

page read and write

2BC0000

trusted library allocation

page read and write

42A1000

trusted library allocation

page read and write

D70000

trusted library section

page read and write

2B5E000

stack

page read and write

65AF000

stack

page read and write

3590000

direct allocation

page read and write

1B8000

unkown

page readonly

2FB6000

trusted library allocation

page read and write

41CB000

trusted library allocation

page read and write

16F0000

direct allocation

page execute and read and write

62EE000

stack

page read and write

3298000

trusted library allocation

page read and write

DBA000

trusted library allocation

page execute and read and write

666E000

stack

page read and write

3FC8000

trusted library allocation

page read and write

DC2000

trusted library allocation

page read and write

128E000

stack

page read and write

D80000

trusted library allocation

page read and write

2EC0000

trusted library allocation

page read and write

D93000

trusted library allocation

page execute and read and write

42C6000

trusted library allocation

page read and write

420C000

trusted library allocation

page read and write

2D26000

trusted library allocation

page read and write

40CE000

trusted library allocation

page read and write

29A000

stack

page read and write

BC0000

heap

page read and write

3249000

trusted library allocation

page read and write

2910000

trusted library allocation

page execute and read and write

3513000

direct allocation

page read and write

1B3000

unkown

page write copy

2F50000

heap

page read and write

BF4000

heap

page read and write

6CA0000

heap

page read and write

1710000

heap

page read and write

35E0000

direct allocation

page read and write

31D3000

trusted library allocation

page read and write

323E000

trusted library allocation

page read and write

F0000

unkown

page readonly

3590000

direct allocation

page read and write

F1000

unkown

page execute read

4356000

trusted library allocation

page read and write

3F61000

trusted library allocation

page read and write

377E000

direct allocation

page read and write

2D0B000

trusted library allocation

page read and write

32EC000

trusted library allocation

page read and write

539E000

stack

page read and write

DAD000

trusted library allocation

page execute and read and write

30BC000

trusted library allocation

page read and write

AF3000

heap

page read and write

6770000

trusted library allocation

page execute and read and write

53DC000

heap

page read and write

2D06000

trusted library allocation

page read and write

F1000

unkown

page execute read

3440000

direct allocation

page read and write

372E000

direct allocation

page read and write

3563000

direct allocation

page read and write

17F000

unkown

page readonly

BF3000

heap

page read and write

310E000

trusted library allocation

page read and write

3252000

trusted library allocation

page read and write

53D4000

heap

page read and write

A8C000

heap

page read and write

32D0000

trusted library allocation

page read and write

422C000

trusted library allocation

page read and write

4233000

trusted library allocation

page read and write

372E000

direct allocation

page read and write

E10000

heap

page read and write

3108000

trusted library allocation

page read and write

2938000

trusted library allocation

page read and write

D50000

heap

page read and write

3513000

direct allocation

page read and write

2F2A000

trusted library allocation

page read and write

328C000

trusted library allocation

page read and write

B63000

heap

page read and write

41B6000

trusted library allocation

page read and write

426000

system

page execute and read and write

2F42000

trusted library allocation

page read and write

3709000

direct allocation

page read and write

2D32000

trusted library allocation

page read and write

1A5000

unkown

page readonly

A84000

heap

page read and write

3FD9000

trusted library allocation

page read and write

BF3000

heap

page read and write

67A0000

trusted library allocation

page execute and read and write

2F20000

trusted library allocation

page read and write

301D000

trusted library allocation

page read and write

400000

system

page execute and read and write

33F0000

direct allocation

page read and write

594E000

stack

page read and write

3019000

trusted library allocation

page read and write

E56000

heap

page read and write

3117000

trusted library allocation

page read and write

D94000

trusted library allocation

page read and write

4123000

trusted library allocation

page read and write

BB0000

heap

page read and write

C30000

trusted library allocation

page read and write

BD5000

heap

page read and write

28CE000

stack

page read and write

1AF000

unkown

page write copy

17F000

unkown

page readonly

3563000

direct allocation

page read and write

6780000

trusted library allocation

page execute and read and write

41DE000

trusted library allocation

page read and write

53D2000

heap

page read and write

A8C000

heap

page read and write

5A50000

trusted library allocation

page execute and read and write

35E0000

direct allocation

page read and write

DE8000

heap

page read and write

300D000

trusted library allocation

page read and write

4238000

trusted library allocation

page read and write

407E000

trusted library allocation

page read and write

E98000

heap

page read and write

2A10000

heap

page read and write

3285000

trusted library allocation

page read and write

AD3000

heap

page read and write

2FDF000

trusted library allocation

page read and write

AE4000

heap

page read and write

3FEE000

trusted library allocation

page read and write

AF3000

heap

page read and write

3025000

trusted library allocation

page read and write

B4A000

heap

page read and write

4395000

trusted library allocation

page read and write

3513000

direct allocation

page read and write

AD2000

heap

page read and write

124E000

stack

page read and write

64AE000

stack

page read and write

BD4000

heap

page read and write

2FDB000

trusted library allocation

page read and write

B13000

heap

page read and write

A58000

heap

page read and write

4039000

trusted library allocation

page read and write

9BE000

stack

page read and write

DB0000

trusted library allocation

page read and write

AF3000

heap

page read and write

370D000

direct allocation

page read and write

C50000

trusted library allocation

page read and write

BCA000

heap

page read and write

42A8000

trusted library allocation

page read and write

127E000

stack

page read and write

29D0000

trusted library allocation

page read and write

42C0000

trusted library allocation

page read and write

53F0000

heap

page read and write

306F000

trusted library allocation

page read and write

BE3000

heap

page read and write

3FB3000

trusted library allocation

page read and write

36BD000

direct allocation

page read and write

32EA000

trusted library allocation

page read and write

1A5000

unkown

page readonly

2FC2000

trusted library allocation

page read and write

3005000

trusted library allocation

page read and write

2D35000

trusted library allocation

page read and write

1AF000

unkown

page read and write

32DE000

trusted library allocation

page read and write

3009000

trusted library allocation

page read and write

642E000

stack

page read and write

646E000

stack

page read and write

42E1000

trusted library allocation

page read and write

2923000

heap

page read and write

377E000

direct allocation

page read and write

AE3000

heap

page read and write

B57000

stack

page read and write

40AD000

trusted library allocation

page read and write

3261000

trusted library allocation

page read and write

F0000

unkown

page readonly

429B000

trusted library allocation

page read and write

42BB000

trusted library allocation

page read and write

2EE0000

trusted library allocation

page read and write

2930000

trusted library allocation

page read and write

2920000

heap

page read and write

5433000

heap

page read and write

E1D000

heap

page read and write

4159000

trusted library allocation

page read and write

3011000

trusted library allocation

page read and write

A50000

heap

page read and write

2D1E000

trusted library allocation

page read and write

4226000

trusted library allocation

page read and write

4143000

trusted library allocation

page read and write

C40000

trusted library allocation

page read and write

300000

heap

page read and write

3265000

trusted library allocation

page read and write

32E4000

trusted library allocation

page read and write

43F000

system

page execute and read and write

4369000

trusted library allocation

page read and write

36B9000

direct allocation

page read and write

A3E000

stack

page read and write

53D6000

heap

page read and write

2D00000

trusted library allocation

page read and write

32E1000

trusted library allocation

page read and write

C60000

trusted library section

page read and write

AF2000

heap

page read and write

5A70000

trusted library allocation

page read and write

D90000

trusted library allocation

page read and write

6868000

trusted library allocation

page read and write

36B9000

direct allocation

page read and write

2BE0000

heap

page read and write

There are 315 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
rcrypt.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportrcrypt.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
rcrypt.exe