Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.985929905968456
Filename:	file.exe
Filesize:	320512
MD5:	324d2a434b8a3e038661a75587e303b8
SHA1:	21e1be17da8e401a5928f5cdf5c262cefb305910
SHA256:	5d06ec15c9349e9ae13d477fdab3d1a50b9bf784a726aff3a48dbcd5f99e493a
SHA512:	eaf7d0393a62b2187614b3234a280d938ac2cbb9659117b39b2d482c909dea207b685ff7be46b4045468628958a03aa460f9dbc71b1566f54f2f252c934fd374
SSDEEP:	6144:xJcrjyufnjS1Ht3pHjDNItvNoCOD6iuh52HK7q1BU0H:HUuufjSVbJnn650K21
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ........@.. .......................@............`................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection	Process Injection
.NET source code contains very large array initializations	System Summary	Process Injection Disable or Modify Tools
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Contains functionality to inject code into remote processes	HIPS / PFW / Operating System Protection Evasion	Security Software Discovery
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings	Security Software Discovery
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Security Software Discovery
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Security Software Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Security Software Discovery System Information Discovery
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery
Uses 32bit PE files	Compliance, System Summary	Process Injection Masquerading
Binary may include packed or encrypted code	Data Obfuscation	Process Injection Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Process Injection
Contains functionality to modify the execution of threads in other processes
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Process Injection Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a debug data directory	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Category:	dropped
Dump:	file.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.0050635535766075
Encrypted:	false
Ssdeep:	3:QHXMKa/xwwUy:Q3La/xwQ
Size:	42
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\Public\Desktop\Google Chrome.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Thu Oct 5 06:54:41 2023, atime=Wed Sep 27 08:36:54 2023, length=3242272, window=hide

dropped

Details

File:	C:\Users\Public\Desktop\Google Chrome.lnk
Category:	dropped
Dump:	Google Chrome.lnk.3.dr
ID:	dr_5
Target ID:	3
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Thu Oct 5 06:54:41 2023, atime=Wed Sep 27 08:36:54 2023, length=3242272, window=hide
Entropy:	3.4758329679244717
Encrypted:	false
Ssdeep:	48:8SJM7dvTgtX0lRYrnvPdAKRkdAGdAKRFdAKRr:8SecR7
Size:	2104
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Category:	dropped
Dump:	RegAsm.exe.log.3.dr
ID:	dr_1
Target ID:	3
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.3318368586986695
Encrypted:	false
Ssdeep:	96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlqY
Size:	3274
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Local\Temp\TmpD772.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\TmpD772.tmp
Category:	dropped
Dump:	TmpD772.tmp.3.dr
ID:	dr_2
Target ID:	3
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Type:	data
Entropy:	7.8230547059446645
Encrypted:	false
Ssdeep:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
Size:	2662
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops certificate files (DER)	E-Banking Fraud

C:\Users\user\AppData\Local\Temp\TmpD782.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\TmpD782.tmp
Category:	dropped
Dump:	TmpD782.tmp.3.dr
ID:	dr_3
Target ID:	3
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Type:	data
Entropy:	7.8230547059446645
Encrypted:	false
Ssdeep:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
Size:	2662
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops certificate files (DER)	E-Banking Fraud

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06
Category:	dropped
Dump:	76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06.3.dr
ID:	dr_4
Target ID:	3
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Type:	data
Entropy:	0.0
Encrypted:	false
Ssdeep:	3::
Size:	2251
Whitelisted:	true
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6020
Target ID:	0
Parent PID:	4056
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	320512
MD5:	324D2A434B8A3E038661A75587E303B8
Time:	13:36:02
Date:	05/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xd90000
Modulesize:	344064
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6408
Target ID:	3
Parent PID:	6020
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	13:36:02
Date:	05/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xd50000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6068
Target ID:	1
Parent PID:	6020
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	13:36:02
Date:	05/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff75da10000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

185.215.113.22:80

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/sct

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk

unknown

http://tempuri.org/Entity/Id23ResponseD

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary

unknown

http://tempuri.org/Entity/Id12Response

unknown

http://tempuri.org/

unknown

http://tempuri.org/Entity/Id2Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1

unknown

http://tempuri.org/Entity/Id21Response

unknown

http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap

unknown

http://tempuri.org/Entity/Id9

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID

unknown

http://tempuri.org/Entity/Id8

unknown

http://tempuri.org/Entity/Id5

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare

unknown

http://tempuri.org/Entity/Id4

unknown

http://tempuri.org/Entity/Id7

unknown

http://tempuri.org/Entity/Id6

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret

unknown

http://tempuri.org/Entity/Id19Response

unknown

http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/fault

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey

unknown

http://tempuri.org/Entity/Id15Response

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register

unknown

http://tempuri.org/Entity/Id6Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey

unknown

https://api.ip.sb/ip

unknown

http://schemas.xmlsoap.org/ws/2004/04/sc

unknown

http://tempuri.org/Entity/Id1ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel

unknown

http://tempuri.org/Entity/Id9Response

unknown

http://tempuri.org/Entity/Id20

unknown

http://tempuri.org/Entity/Id21

unknown

http://tempuri.org/Entity/Id22

unknown

http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1

unknown

http://tempuri.org/Entity/Id23

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1

unknown

http://tempuri.org/Entity/Id24

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue

unknown

http://tempuri.org/Entity/Id24Response

unknown

http://tempuri.org/Entity/Id1Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust

unknown

http://tempuri.org/Entity/Id10

unknown

http://tempuri.org/Entity/Id11

unknown

http://tempuri.org/Entity/Id12

unknown

http://tempuri.org/Entity/Id16Response

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel

unknown

http://tempuri.org/Entity/Id13

unknown

http://tempuri.org/Entity/Id14

unknown

http://tempuri.org/Entity/Id15

unknown

http://tempuri.org/Entity/Id16

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce

unknown

http://tempuri.org/Entity/Id17

unknown

http://tempuri.org/Entity/Id18

unknown

http://tempuri.org/Entity/Id5Response

unknown

http://tempuri.org/Entity/Id19

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns

unknown

http://tempuri.org/Entity/Id10Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Renew

unknown

http://tempuri.org/Entity/Id8Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT

unknown

http://schemas.xmlsoap.org/ws/2006/02/addressingidentity

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback

unknown

http://tempuri.org/Entity/Id3ResponseD

unknown

http://tempuri.org/Entity/Id23Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT

unknown

http://tempuri.org/D

unknown

http://schemas.xmlsoap.org/ws/2004/06/addressingex

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse

unknown

There are 90 hidden URLs, click here to show them.

Domains

Name

Malicious

api.ip.sb

unknown

IPs

Domain

Country

Malicious

185.215.113.22

unknown

Portugal

Details

IP:	185.215.113.22
TargetID:	3
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	Portugal
Countrycode:	PRT
ASN number:	206894
ASN name:	WHOLESALECONNECTIONSNL
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

FileDirectory

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Owner

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

SessionHash

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Sequence

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFiles0000

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFilesHash

There are 11 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

402000

remote allocation

page execute and read and write

4085000

trusted library allocation

page read and write

7110000

trusted library allocation

page read and write

437000

remote allocation

page execute and read and write

73D01000

unkown

page execute read

4473000

trusted library allocation

page read and write

69CD000

stack

page read and write

9C28000

trusted library allocation

page read and write

7080000

trusted library allocation

page read and write

9953000

heap

page read and write

75DE000

trusted library allocation

page read and write

5624000

trusted library allocation

page read and write

9980000

heap

page read and write

7010000

trusted library allocation

page read and write

43FB000

trusted library allocation

page read and write

1340000

trusted library allocation

page read and write

30C1000

trusted library allocation

page read and write

9BF5000

trusted library allocation

page read and write

4485000

trusted library allocation

page read and write

12A3000

heap

page read and write

5710000

trusted library allocation

page read and write

3348000

trusted library allocation

page read and write

563E000

trusted library allocation

page read and write

5960000

heap

page execute and read and write

9BF2000

trusted library allocation

page read and write

2DFE000

stack

page read and write

4446000

trusted library allocation

page read and write

9A15000

heap

page read and write

149B000

trusted library allocation

page execute and read and write

14B0000

heap

page read and write

990D000

heap

page read and write

6E70000

trusted library allocation

page read and write

15A4000

trusted library allocation

page read and write

D92000

unkown

page readonly

440B000

trusted library allocation

page read and write

56A3000

heap

page read and write

12AE000

stack

page read and write

515E000

stack

page read and write

157F000

stack

page read and write

446C000

trusted library allocation

page read and write

6E60000

trusted library allocation

page read and write

9A5E000

heap

page read and write

9D3D000

stack

page read and write

7060000

trusted library allocation

page execute and read and write

6E80000

heap

page execute and read and write

56C0000

trusted library allocation

page read and write

A840000

trusted library allocation

page read and write

6414000

heap

page read and write

7F0C0000

trusted library allocation

page execute and read and write

9C0A000

trusted library allocation

page read and write

698E000

stack

page read and write

1270000

heap

page read and write

4452000

trusted library allocation

page read and write

6FCE000

stack

page read and write

995E000

heap

page read and write

9917000

heap

page read and write

4435000

trusted library allocation

page read and write

439A000

trusted library allocation

page read and write

9EA0000

trusted library allocation

page read and write

307F000

stack

page read and write

10F7000

stack

page read and write

7090000

trusted library allocation

page execute and read and write

98D0000

heap

page read and write

36E1000

trusted library allocation

page read and write

43D0000

trusted library allocation

page read and write

3213000

trusted library allocation

page read and write

2F7E000

stack

page read and write

3714000

trusted library allocation

page read and write

3260000

trusted library allocation

page read and write

447E000

trusted library allocation

page read and write

6E30000

trusted library allocation

page execute and read and write

7525000

trusted library allocation

page read and write

8EAE000

stack

page read and write

8EB4000

trusted library allocation

page read and write

99F0000

heap

page read and write

997D000

heap

page read and write

441B000

trusted library allocation

page read and write

1580000

trusted library allocation

page read and write

4386000

trusted library allocation

page read and write

5963000

heap

page execute and read and write

326C000

trusted library allocation

page read and write

73D1F000

unkown

page readonly

58EE000

stack

page read and write

449B000

trusted library allocation

page read and write

75DA000

trusted library allocation

page read and write

6568000

trusted library allocation

page read and write

3169000

trusted library allocation

page read and write

12D0000

heap

page read and write

14B7000

heap

page read and write

2E30000

heap

page read and write

6E0C000

stack

page read and write

13A5000

heap

page read and write

9A0A000

heap

page read and write

31B4000

trusted library allocation

page read and write

582E000

stack

page read and write

42A3000

trusted library allocation

page read and write

31B0000

trusted library allocation

page read and write

5641000

trusted library allocation

page read and write

9C08000

trusted library allocation

page read and write

9C0F000

trusted library allocation

page read and write

36D3000

trusted library allocation

page read and write

438F000

trusted library allocation

page read and write

6FFE000

trusted library allocation

page read and write

7100000

trusted library allocation

page execute and read and write

75E0000

trusted library allocation

page read and write

429A000

trusted library allocation

page read and write

1482000

trusted library allocation

page read and write

3307000

trusted library allocation

page read and write

1593000

trusted library allocation

page execute and read and write

64AB000

heap

page read and write

9974000

heap

page read and write

107C000

stack

page read and write

309C000

stack

page read and write

725E000

stack

page read and write

7527000

trusted library allocation

page read and write

1296000

heap

page read and write

99E2000

heap

page read and write

1355000

heap

page read and write

3448000

trusted library allocation

page read and write

40CF000

trusted library allocation

page read and write

5700000

heap

page read and write

325E000

trusted library allocation

page read and write

12B0000

heap

page read and write

A740000

trusted library allocation

page read and write

1278000

heap

page read and write

15F0000

trusted library allocation

page execute and read and write

4437000

trusted library allocation

page read and write

5500000

trusted library allocation

page read and write

5950000

heap

page read and write

7540000

trusted library allocation

page read and write

715D000

stack

page read and write

14D0000

heap

page read and write

411A000

trusted library allocation

page read and write

146D000

trusted library allocation

page execute and read and write

8FA0000

trusted library allocation

page read and write

4189000

trusted library allocation

page read and write

6222000

heap

page read and write

33C4000

trusted library allocation

page read and write

73D00000

unkown

page readonly

6FF2000

trusted library allocation

page read and write

5620000

trusted library allocation

page read and write

56A0000

heap

page read and write

9BCC000

stack

page read and write

567E000

trusted library allocation

page read and write

9BF0000

trusted library allocation

page read and write

3702000

trusted library allocation

page read and write

525E000

stack

page read and write

147D000

trusted library allocation

page execute and read and write

15C1000

heap

page read and write

6459000

heap

page read and write

74FC000

stack

page read and write

4394000

trusted library allocation

page read and write

739E000

stack

page read and write

9948000

heap

page read and write

6ACE000

stack

page read and write

70E0000

trusted library allocation

page read and write

5530000

heap

page read and write

9C1F000

trusted library allocation

page read and write

437C000

trusted library allocation

page read and write

438C000

trusted library allocation

page read and write

428F000

trusted library allocation

page read and write

73D1D000

unkown

page read and write

6FDB000

trusted library allocation

page read and write

1492000

trusted library allocation

page read and write

A850000

trusted library allocation

page execute and read and write

15E0000

trusted library allocation

page read and write

643B000

heap

page read and write

33D4000

trusted library allocation

page read and write

1513000

heap

page read and write

7520000

trusted library allocation

page read and write

1464000

trusted library allocation

page read and write

370E000

trusted library allocation

page read and write

319A000

trusted library allocation

page read and write

6C50000

trusted library allocation

page read and write

31E5000

trusted library allocation

page read and write

992E000

heap

page read and write

400000

remote allocation

page execute and read and write

6E10000

trusted library allocation

page read and write

5B5F000

stack

page read and write

8FA7000

trusted library allocation

page read and write

4422000

trusted library allocation

page read and write

135A000

heap

page read and write

439F000

trusted library allocation

page read and write

329F000

trusted library allocation

page read and write

729E000

stack

page read and write

4383000

trusted library allocation

page read and write

7070000

trusted library allocation

page read and write

623E000

heap

page read and write

9C15000

trusted library allocation

page read and write

448B000

trusted library allocation

page read and write

9D7E000

stack

page read and write

9C20000

trusted library allocation

page read and write

5720000

trusted library allocation

page execute and read and write

5C5E000

stack

page read and write

3254000

trusted library allocation

page read and write

43E3000

trusted library allocation

page read and write

9937000

heap

page read and write

4376000

trusted library allocation

page read and write

432000

remote allocation

page execute and read and write

4400000

trusted library allocation

page read and write

1497000

trusted library allocation

page execute and read and write

9C1A000

trusted library allocation

page read and write

9C30000

heap

page read and write

5685000

trusted library allocation

page read and write

371A000

trusted library allocation

page read and write

51BB000

stack

page read and write

33C8000

trusted library allocation

page read and write

2F3E000

stack

page read and write

1486000

trusted library allocation

page execute and read and write

32B5000

trusted library allocation

page read and write

4428000

trusted library allocation

page read and write

328D000

trusted library allocation

page read and write

8FB0000

trusted library allocation

page read and write

1490000

trusted library allocation

page read and write

6B70000

trusted library allocation

page execute and read and write

33C2000

trusted library allocation

page read and write

1350000

heap

page read and write

9A3C000

heap

page read and write

414B000

trusted library allocation

page read and write

1495000

trusted library allocation

page execute and read and write

9945000

heap

page read and write

6410000

heap

page read and write

442C000

trusted library allocation

page read and write

6E20000

trusted library allocation

page read and write

5646000

trusted library allocation

page read and write

73FC000

stack

page read and write

6570000

trusted library allocation

page read and write

5652000

trusted library allocation

page read and write

5670000

trusted library allocation

page read and write

11E0000

heap

page read and write

6B50000

trusted library allocation

page execute and read and write

A7BE000

stack

page read and write

999F000

heap

page read and write

42C3000

trusted library allocation

page read and write

2EAE000

stack

page read and write

15C0000

trusted library allocation

page read and write

5520000

heap

page read and write

32A9000

trusted library allocation

page read and write

1548000

heap

page read and write

11F0000

heap

page read and write

36EE000

trusted library allocation

page read and write

1610000

heap

page read and write

30A0000

trusted library allocation

page execute and read and write

32A5000

trusted library allocation

page read and write

9984000

heap

page read and write

5680000

trusted library allocation

page read and write

9A24000

heap

page read and write

A8A0000

heap

page read and write

4392000

trusted library allocation

page read and write

1554000

heap

page read and write

1210000

heap

page read and write

4415000

trusted library allocation

page read and write

3081000

trusted library allocation

page execute and read and write

1370000

heap

page read and write

43C2000

trusted library allocation

page read and write

1240000

heap

page read and write

32F7000

trusted library allocation

page read and write

6C55000

trusted library allocation

page read and write

75D5000

trusted library allocation

page read and write

2E10000

heap

page execute and read and write

6D09000

stack

page read and write

2E6E000

stack

page read and write

43EE000

trusted library allocation

page read and write

5712000

trusted library allocation

page read and write

DFA000

stack

page read and write

8FB4000

trusted library allocation

page read and write

996C000

heap

page read and write

1460000

trusted library allocation

page read and write

564D000

trusted library allocation

page read and write

6FE1000

trusted library allocation

page read and write

990B000

heap

page read and write

30B0000

heap

page execute and read and write

4490000

trusted library allocation

page read and write

8EC0000

trusted library allocation

page read and write

98E1000

heap

page read and write

8F1B000

stack

page read and write

644D000

heap

page read and write

1480000

trusted library allocation

page read and write

3286000

trusted library allocation

page read and write

64E9000

heap

page read and write

12D5000

heap

page read and write

158E000

heap

page read and write

43F5000

trusted library allocation

page read and write

4289000

trusted library allocation

page read and write

994E000

heap

page read and write

64B4000

heap

page read and write

A750000

trusted library allocation

page read and write

40C1000

trusted library allocation

page read and write

31A2000

trusted library allocation

page read and write

9927000

heap

page read and write

7030000

trusted library allocation

page execute and read and write

1463000

trusted library allocation

page execute and read and write

99BF000

heap

page read and write

D90000

unkown

page readonly

6510000

trusted library allocation

page execute and read and write

99CC000

heap

page read and write

14C0000

trusted library allocation

page read and write

129B000

heap

page read and write

562B000

trusted library allocation

page read and write

1470000

trusted library allocation

page read and write

2EB0000

heap

page read and write

15CB000

trusted library allocation

page execute and read and write

6E50000

trusted library allocation

page read and write

688E000

stack

page read and write

ABB0000

heap

page read and write

43DC000

trusted library allocation

page read and write

9BF9000

trusted library allocation

page read and write

2FBE000

stack

page read and write

7020000

trusted library allocation

page read and write

A7FE000

stack

page read and write

75D0000

trusted library allocation

page read and write

145F000

stack

page read and write

40E2000

trusted library allocation

page read and write

3298000

trusted library allocation

page read and write

332A000

trusted library allocation

page read and write

6580000

trusted library allocation

page read and write

8FA4000

trusted library allocation

page read and write

4431000

trusted library allocation

page read and write

32C0000

trusted library allocation

page read and write

36FB000

trusted library allocation

page read and write

9962000

heap

page read and write

98F9000

heap

page read and write

40C8000

trusted library allocation

page read and write

1516000

heap

page read and write

655E000

stack

page read and write

125E000

stack

page read and write

12B1000

heap

page read and write

3279000

trusted library allocation

page read and write

6ECE000

stack

page read and write

9955000

heap

page read and write

4082000

trusted library allocation

page read and write

1160000

heap

page read and write

3346000

trusted library allocation

page read and write

443A000

trusted library allocation

page read and write

99AF000

heap

page read and write

6C5A000

trusted library allocation

page read and write

14DB000

heap

page read and write

640F000

stack

page read and write

8EB0000

trusted library allocation

page read and write

90D0000

trusted library allocation

page read and write

6FD0000

trusted library allocation

page read and write

6224000

heap

page read and write

7529000

trusted library allocation

page read and write

8F70000

trusted library allocation

page execute and read and write

131E000

stack

page read and write

6FE6000

trusted library allocation

page read and write

6442000

heap

page read and write

7500000

trusted library allocation

page execute and read and write

324A000

trusted library allocation

page read and write

2FC8000

trusted library allocation

page read and write

40F2000

trusted library allocation

page read and write

445F000

trusted library allocation

page read and write

117B000

stack

page read and write

6C40000

trusted library allocation

page read and write

6560000

trusted library allocation

page read and write

9E90000

trusted library allocation

page read and write

A8B0000

trusted library allocation

page execute and read and write

58A0000

heap

page read and write

44A4000

trusted library allocation

page read and write

5660000

trusted library allocation

page read and write

157A000

heap

page read and write

6236000

heap

page read and write

6E40000

trusted library allocation

page execute and read and write

64C1000

heap

page read and write

15A0000

trusted library allocation

page read and write

6435000

heap

page read and write

1594000

trusted library allocation

page read and write

684F000

stack

page read and write

9912000

heap

page read and write

153C000

heap

page read and write

127E000

heap

page read and write

446000

remote allocation

page execute and read and write

13A0000

heap

page read and write

56CE000

trusted library allocation

page read and write

5690000

trusted library allocation

page read and write

8ED0000

trusted library allocation

page read and write

1600000

trusted library allocation

page read and write

73D16000

unkown

page readonly

43B6000

trusted library allocation

page read and write

1509000

heap

page read and write

9E7E000

stack

page read and write

6480000

heap

page read and write

592E000

stack

page read and write

5510000

trusted library allocation

page read and write

3083000

trusted library allocation

page read and write

4440000

trusted library allocation

page read and write

There are 376 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
file.exe