IOC Report
mKSqEhZ4Up.exe

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\mKSqEhZ4Up.exe

"C:\Users\user\Desktop\mKSqEhZ4Up.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6148
Target ID:	0
Parent PID:	1028
Name:	mKSqEhZ4Up.exe
Path:	C:\Users\user\Desktop\mKSqEhZ4Up.exe
Commandline:	"C:\Users\user\Desktop\mKSqEhZ4Up.exe"
Size:	167250
MD5:	0D1DFFE113C3CEC1A3E64C036B363709
Time:	08:08:55
Date:	29/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x8d0000
Modulesize:	49152
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
PE file contains an invalid checksum	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\tapi32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\tapi32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\tapi32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\tapi32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\tapi32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\tapi32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\tapi32

FileDirectory

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Dialer

Main Window Left/Top

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Dialer

Last dialed 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Dialer

Last dialed 2

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Dialer

Last dialed 3

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Dialer

Last dialed 4

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Dialer

Last dialed 5

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Dialer

Last dialed 6

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Dialer

Last dialed 7

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Dialer

Last dialed 8

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Dialer

Last dialed 9

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Dialer

Last dialed 10

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Dialer

Last dialed 11

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Dialer

Last dialed 12

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Dialer

Last dialed 13

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Dialer

Last dialed 14

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Dialer

Last dialed 15

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Dialer

Last dialed 16

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Dialer

Last dialed 17

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Dialer

Last dialed 18

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Dialer

Last dialed 19

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Dialer

Last dialed 20

There are 19 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

Download

7BC000

stack

page read and write

2DE0000

heap

page read and write

482F000

stack

page read and write

2943000

heap

page read and write

2D4E000

stack

page read and write

2924000

heap

page read and write

2956000

heap

page read and write

45F0000

heap

page read and write

47AF000

stack

page read and write

7600000

trusted library allocation

page read and write

8D0000

unkown

page readonly

4634000

heap

page read and write

2D0E000

stack

page read and write

2928000

heap

page read and write

2938000

heap

page read and write

820000

heap

page read and write

2900000

heap

page read and write

8C5000

heap

page read and write

8D0000

unkown

page readonly

2924000

heap

page read and write

2939000

heap

page read and write

476E000

stack

page read and write

8D1000

unkown

page execute read

8D8000

unkown

page readonly

2943000

heap

page read and write

8D8000

unkown

page readonly

4630000

heap

page read and write

2935000

heap

page read and write

2956000

heap

page read and write

2D90000

heap

page read and write

8D1000

unkown

page execute read

86E000

stack

page read and write

292D000

heap

page read and write

77A000

stack

page read and write

8B0000

heap

page read and write

2920000

heap

page read and write

2938000

heap

page read and write

47EE000

stack

page read and write

8C0000

heap

page read and write

2938000

heap

page read and write

2943000

heap

page read and write

8AF000

stack

page read and write

8C9000

heap

page read and write

2938000

heap

page read and write

292A000

heap

page read and write

2908000

heap

page read and write

There are 36 hidden memdumps, click here to show them.