Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

hesaphareketi__20241001.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.720512829688984
Filename:	hesaphareketi__20241001.exe
Filesize:	716800
MD5:	5eaafeca7053687b46ecffad93c82418
SHA1:	457566502545fecd8ea9f2249b755135cd03b69b
SHA256:	27ff307b514230b2363e2284e1d57df50bc8a59b5cf8c732dc32d5587d472c64
SHA512:	2f05d5e83132e75aa92b629c5ea8147be87ab7818a08d847ffbd4d688f86fcf68b50ebbe9796952140f3fcb0b31f1726b51e4a6cb1aada2b2d59da1cd74482e1
SSDEEP:	12288:jeKw3uC2FoKHj3920VH89VuXdJlAVPQTiOR76+yt8j6KGtm2fv6msi:xw/cVHbQ0V1VcPQebbG6IwCK
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...>.................0.............:.... ... ....@.. .......................`............@................................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation	Software Packing
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing
Machine Learning detection for sample	AV Detection
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation Security Software Discovery
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to harvest and steal ftp login credentials	Stealing of Sensitive Information
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Creates a window with clipboard capturing capabilities	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hesaphareketi__20241001.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hesaphareketi__20241001.exe.log
Category:	dropped
Dump:	hesaphareketi__20241001.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\hesaphareketi__20241001.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Category:	dropped
Dump:	StartupProfileData-NonInteractive.3.dr
ID:	dr_5
Target ID:	3
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	5.380805901110357
Encrypted:	false
Ssdeep:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//MPUyus:lGLHyIFKL3IZ2KRH9Ougss
Size:	2232
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3hty4xym.goh.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3hty4xym.goh.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_3hty4xym.goh.ps1.3.dr
ID:	dr_1
Target ID:	3
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bd1xluqj.ocf.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bd1xluqj.ocf.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_bd1xluqj.ocf.psm1.3.dr
ID:	dr_2
Target ID:	3
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_krvza5le.p5j.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_krvza5le.p5j.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_krvza5le.p5j.ps1.3.dr
ID:	dr_3
Target ID:	3
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_svqnh3ct.fgw.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_svqnh3ct.fgw.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_svqnh3ct.fgw.psm1.3.dr
ID:	dr_4
Target ID:	3
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\hesaphareketi__20241001.exe

"C:\Users\user\Desktop\hesaphareketi__20241001.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5732
Target ID:	0
Parent PID:	1028
Name:	hesaphareketi__20241001.exe
Path:	C:\Users\user\Desktop\hesaphareketi__20241001.exe
Commandline:	"C:\Users\user\Desktop\hesaphareketi__20241001.exe"
Size:	716800
MD5:	5EAAFECA7053687B46ECFFAD93C82418
Time:	03:11:13
Date:	03/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xcb0000
Modulesize:	745472
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet	System Summary
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Powershell Defender Exclusion	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi__20241001.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6204
Target ID:	3
Parent PID:	5732
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hesaphareketi__20241001.exe"
Size:	433152
MD5:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Time:	03:11:14
Date:	03/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xf30000
Modulesize:	446464
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Powershell Defender Exclusion	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\Desktop\hesaphareketi__20241001.exe

"C:\Users\user\Desktop\hesaphareketi__20241001.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2360
Target ID:	5
Parent PID:	5732
Name:	hesaphareketi__20241001.exe
Path:	C:\Users\user\Desktop\hesaphareketi__20241001.exe
Commandline:	"C:\Users\user\Desktop\hesaphareketi__20241001.exe"
Size:	716800
MD5:	5EAAFECA7053687B46ECFFAD93C82418
Time:	03:11:14
Date:	03/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x990000
Modulesize:	745472
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet	System Summary
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Powershell Defender Exclusion	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	2924
Target ID:	4
Parent PID:	6204
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	03:11:14
Date:	03/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\wbem\WmiPrvSE.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	2636
Target ID:	6
Parent PID:	752
Name:	WmiPrvSE.exe
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Size:	496640
MD5:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Time:	03:11:18
Date:	03/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	true
Modulebase:	0x7ff6ef0c0000
Modulesize:	516096
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://ftp.normagroup.com.tr

unknown

Details

Name:	http://ftp.normagroup.com.tr
TargetID:	5
From Memory:	true
Current Path:	C:\Users\user\Desktop\hesaphareketi__20241001.exe
Source:	hesaphareketi__20241001.exe, 00000005.00000002.4610095898.0000000003014000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi__20241001.exe, 00000005.00000002.4610095898.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi__20241001.exe, 00000005.00000002.4610095898.0000000002E47000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for domain / URL	AV Detection
URLs found in memory or binary data	Networking

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\hesaphareketi__20241001.exe
Source:	hesaphareketi__20241001.exe, 00000000.00000002.2149976039.00000000048DA000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi__20241001.exe, 00000005.00000002.4608159738.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\hesaphareketi__20241001.exe
Source:	hesaphareketi__20241001.exe, 00000000.00000002.2149506599.00000000032CD000.00000004.00000800.00020000.00000000.sdmp, hesaphareketi__20241001.exe, 00000005.00000002.4610095898.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

ftp.normagroup.com.tr

104.247.165.99

Details

Name:	ftp.normagroup.com.tr
IP:	104.247.165.99
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses FTP	Networking	Application Layer Protocol Exfiltration Over Alternative Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

104.247.165.99

ftp.normagroup.com.tr

United States

Details

IP:	104.247.165.99
TargetID:	5
Current Path:	C:\Users\user\Desktop\hesaphareketi__20241001.exe
Country:	United States
Countrycode:	USA
ASN number:	8100
ASN name:	ASN-QUADRANET-GLOBALUS
Private:	false
Domain:	ftp.normagroup.com.tr

Signature Hits	Behavior Group	Mitre Attack
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses FTP	Networking	Application Layer Protocol Exfiltration Over Alternative Protocol

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hesaphareketi__20241001_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hesaphareketi__20241001_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hesaphareketi__20241001_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hesaphareketi__20241001_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hesaphareketi__20241001_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hesaphareketi__20241001_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hesaphareketi__20241001_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hesaphareketi__20241001_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hesaphareketi__20241001_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hesaphareketi__20241001_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hesaphareketi__20241001_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hesaphareketi__20241001_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hesaphareketi__20241001_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hesaphareketi__20241001_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

48DA000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

8B1C000

heap

page read and write

51D0000

trusted library allocation

page read and write

51DE000

trusted library allocation

page read and write

68BC000

stack

page read and write

6AB0000

heap

page read and write

6670000

heap

page read and write

A9A6000

trusted library allocation

page read and write

1556000

trusted library allocation

page execute and read and write

5ECE000

stack

page read and write

6ABE000

heap

page read and write

2AC3000

trusted library allocation

page execute and read and write

55C2000

trusted library allocation

page read and write

2AE2000

trusted library allocation

page read and write

5BB0000

trusted library allocation

page read and write

6260000

trusted library allocation

page execute and read and write

79E1000

heap

page read and write

636E000

stack

page read and write

D80D000

stack

page read and write

628D000

trusted library allocation

page read and write

615C000

stack

page read and write

10EB000

heap

page read and write

A9BF000

trusted library allocation

page read and write

F30000

heap

page read and write

50BC000

stack

page read and write

1550000

trusted library allocation

page read and write

2AE0000

trusted library allocation

page read and write

7BBE000

stack

page read and write

3EB7000

trusted library allocation

page read and write

5304000

heap

page read and write

5FFB000

stack

page read and write

F60000

heap

page read and write

B247000

trusted library allocation

page read and write

2AEA000

trusted library allocation

page execute and read and write

1540000

trusted library allocation

page read and write

5B2E000

stack

page read and write

A9CE000

trusted library allocation

page read and write

5890000

trusted library allocation

page read and write

B26F000

trusted library allocation

page read and write

63A4000

heap

page read and write

55C5000

trusted library allocation

page read and write

6250000

trusted library allocation

page read and write

10AC000

stack

page read and write

1552000

trusted library allocation

page read and write

F20000

heap

page read and write

55B0000

heap

page read and write

3014000

trusted library allocation

page read and write

1420000

trusted library allocation

page read and write

2D71000

trusted library allocation

page read and write

51DB000

trusted library allocation

page read and write

139E000

stack

page read and write

7650000

heap

page read and write

51F1000

trusted library allocation

page read and write

CB0000

unkown

page readonly

8B00000

heap

page read and write

623C000

trusted library allocation

page read and write

B1B5000

trusted library allocation

page read and write

B265000

trusted library allocation

page read and write

13DE000

stack

page read and write

B233000

trusted library allocation

page read and write

3081000

trusted library allocation

page read and write

1438000

heap

page read and write

11A1F000

trusted library allocation

page read and write

2C60000

heap

page read and write

3F77000

trusted library allocation

page read and write

5280000

heap

page execute and read and write

5540000

trusted library allocation

page read and write

7DBF000

stack

page read and write

11A16000

trusted library allocation

page read and write

638E000

stack

page read and write

5500000

trusted library allocation

page read and write

A9D3000

trusted library allocation

page read and write

A99F000

trusted library allocation

page read and write

11A19000

trusted library allocation

page read and write

B251000

trusted library allocation

page read and write

55D0000

trusted library allocation

page execute and read and write

69FD000

stack

page read and write

D9CE000

stack

page read and write

1560000

trusted library allocation

page read and write

564C000

stack

page read and write

DACE000

stack

page read and write

307F000

stack

page read and write

5550000

trusted library allocation

page read and write

3E57000

trusted library allocation

page read and write

59ED000

stack

page read and write

F14A000

heap

page read and write

3D71000

trusted library allocation

page read and write

527C000

stack

page read and write

A710000

trusted library section

page read and write

2AF7000

trusted library allocation

page execute and read and write

57EE000

stack

page read and write

5220000

trusted library allocation

page read and write

7A20000

trusted library allocation

page read and write

6AB7000

heap

page read and write

B25B000

trusted library allocation

page read and write

3DD6000

trusted library allocation

page read and write

5E80000

heap

page read and write

F119000

trusted library allocation

page read and write

79D0000

heap

page read and write

3E37000

trusted library allocation

page read and write

79C0000

heap

page read and write

3ED7000

trusted library allocation

page read and write

4081000

trusted library allocation

page read and write

5310000

heap

page read and write

15E0000

trusted library allocation

page read and write

76A7000

heap

page read and write

5570000

trusted library allocation

page read and write

7FFE000

stack

page read and write

E40000

heap

page read and write

153D000

trusted library allocation

page execute and read and write

F67000

heap

page read and write

3E97000

trusted library allocation

page read and write

3DF7000

trusted library allocation

page read and write

171E000

stack

page read and write

F25000

heap

page read and write

551E000

trusted library allocation

page read and write

15F0000

heap

page read and write

1618000

heap

page read and write

DB0D000

stack

page read and write

5710000

trusted library section

page readonly

2B68000

trusted library allocation

page read and write

A9F1000

trusted library allocation

page read and write

1133000

heap

page read and write

3F37000

trusted library allocation

page read and write

51F6000

trusted library allocation

page read and write

1600000

trusted library allocation

page read and write

15CE000

stack

page read and write

10C0000

heap

page read and write

5214000

trusted library allocation

page read and write

A9C4000

trusted library allocation

page read and write

6240000

trusted library allocation

page read and write

1534000

trusted library allocation

page read and write

1250000

heap

page read and write

2F70000

heap

page execute and read and write

10DF000

heap

page read and write

3FD7000

trusted library allocation

page read and write

67BC000

stack

page read and write

6100000

trusted library allocation

page read and write

5AEF000

stack

page read and write

2C50000

trusted library allocation

page execute and read and write

2ACD000

trusted library allocation

page execute and read and write

155A000

trusted library allocation

page execute and read and write

1240000

heap

page read and write

778E000

stack

page read and write

2B5E000

stack

page read and write

1580000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

1543000

trusted library allocation

page read and write

51C0000

trusted library allocation

page read and write

DC0E000

stack

page read and write

69BE000

stack

page read and write

5720000

heap

page read and write

B238000

trusted library allocation

page read and write

3FB7000

trusted library allocation

page read and write

6390000

heap

page read and write

A9F6000

trusted library allocation

page read and write

3E17000

trusted library allocation

page read and write

A9B5000

trusted library allocation

page read and write

574F000

stack

page read and write

4E6D000

stack

page read and write

1473000

heap

page read and write

CB2000

unkown

page readonly

6248000

trusted library allocation

page read and write

F11E000

trusted library allocation

page read and write

10F6000

heap

page read and write

5897000

trusted library allocation

page read and write

A9BA000

trusted library allocation

page read and write

F116000

trusted library allocation

page read and write

A9AB000

trusted library allocation

page read and write

143E000

heap

page read and write

634D000

stack

page read and write

2AF5000

trusted library allocation

page execute and read and write

5603000

heap

page read and write

10F8000

heap

page read and write

51E2000

trusted library allocation

page read and write

2AD0000

trusted library allocation

page read and write

78EE000

stack

page read and write

2C3C000

stack

page read and write

552D000

trusted library allocation

page read and write

3F97000

trusted library allocation

page read and write

1562000

trusted library allocation

page read and write

6380000

heap

page read and write

14A4000

heap

page read and write

57AE000

stack

page read and write

A9E7000

trusted library allocation

page read and write

5600000

heap

page read and write

5210000

trusted library allocation

page read and write

10C8000

heap

page read and write

65FE000

stack

page read and write

8600000

trusted library allocation

page read and write

55E0000

trusted library allocation

page read and write

95D9000

trusted library allocation

page read and write

DE7C000

stack

page read and write

5730000

heap

page read and write

2AF0000

trusted library allocation

page read and write

13E0000

heap

page read and write

1160000

heap

page read and write

A9C9000

trusted library allocation

page read and write

1148000

heap

page read and write

5521000

trusted library allocation

page read and write

B24C000

trusted library allocation

page read and write

7A4A000

trusted library allocation

page read and write

2B10000

trusted library allocation

page read and write

BD9000

stack

page read and write

129E000

stack

page read and write

8B4E000

heap

page read and write

2F60000

trusted library allocation

page read and write

55C0000

trusted library allocation

page read and write

B260000

trusted library allocation

page read and write

DF9000

stack

page read and write

5760000

heap

page read and write

D62000

unkown

page readonly

1466000

heap

page read and write

79EF000

stack

page read and write

11B2000

heap

page read and write

2DC0000

trusted library allocation

page read and write

51BC000

stack

page read and write

626E000

stack

page read and write

7470000

heap

page read and write

95DE000

trusted library allocation

page read and write

B26A000

trusted library allocation

page read and write

10F7000

stack

page read and write

663E000

stack

page read and write

788E000

stack

page read and write

2AE6000

trusted library allocation

page execute and read and write

308A000

trusted library allocation

page read and write

2AB0000

trusted library allocation

page read and write

B224000

trusted library allocation

page read and write

1139000

heap

page read and write

5545000

trusted library allocation

page read and write

578C000

stack

page read and write

1610000

heap

page read and write

B21A000

trusted library allocation

page read and write

4089000

trusted library allocation

page read and write

1533000

trusted library allocation

page execute and read and write

11FC000

stack

page read and write

7A40000

trusted library allocation

page read and write

2D6E000

stack

page read and write

3EF7000

trusted library allocation

page read and write

1430000

heap

page read and write

5725000

heap

page read and write

5300000

heap

page read and write

A9DD000

trusted library allocation

page read and write

6270000

trusted library allocation

page execute and read and write

A9D8000

trusted library allocation

page read and write

56FB000

stack

page read and write

15D0000

trusted library allocation

page execute and read and write

57F0000

heap

page execute and read and write

3F57000

trusted library allocation

page read and write

5700000

trusted library allocation

page read and write

154D000

trusted library allocation

page execute and read and write

75F0000

trusted library allocation

page read and write

2EC8000

trusted library allocation

page read and write

5504000

trusted library allocation

page read and write

52EE000

stack

page read and write

32CD000

trusted library allocation

page read and write

7F130000

trusted library allocation

page execute and read and write

60FD000

stack

page read and write

2E45000

trusted library allocation

page read and write

677C000

stack

page read and write

B242000

trusted library allocation

page read and write

A9B0000

trusted library allocation

page read and write

7570000

trusted library allocation

page execute and read and write

2E47000

trusted library allocation

page read and write

DD7B000

stack

page read and write

588E000

stack

page read and write

1207000

heap

page read and write

7890000

trusted library section

page read and write

2ADD000

trusted library allocation

page execute and read and write

5740000

heap

page read and write

A9E2000

trusted library allocation

page read and write

5532000

trusted library allocation

page read and write

6200000

heap

page read and write

F140000

heap

page read and write

6370000

heap

page read and write

6170000

trusted library allocation

page read and write

156B000

trusted library allocation

page execute and read and write

B229000

trusted library allocation

page read and write

130E000

stack

page read and write

2C40000

heap

page execute and read and write

62B0000

trusted library allocation

page read and write

55C7000

trusted library allocation

page read and write

2AFB000

trusted library allocation

page execute and read and write

2AF2000

trusted library allocation

page read and write

312B000

trusted library allocation

page read and write

A9EC000

trusted library allocation

page read and write

1530000

trusted library allocation

page read and write

1200000

heap

page read and write

6AC0000

trusted library allocation

page read and write

3E77000

trusted library allocation

page read and write

95D6000

trusted library allocation

page read and write

51EE000

trusted library allocation

page read and write

7A30000

trusted library allocation

page execute and read and write

6230000

trusted library allocation

page read and write

D7CD000

stack

page read and write

2AC4000

trusted library allocation

page read and write

3D99000

trusted library allocation

page read and write

B22E000

trusted library allocation

page read and write

B23D000

trusted library allocation

page read and write

B21F000

trusted library allocation

page read and write

150D000

heap

page read and write

65BC000

stack

page read and write

B256000

trusted library allocation

page read and write

3F17000

trusted library allocation

page read and write

80FE000

stack

page read and write

6160000

heap

page read and write

5FB0000

trusted library allocation

page read and write

51FD000

trusted library allocation

page read and write

FAC000

stack

page read and write

ADA000

stack

page read and write

51B0000

trusted library allocation

page read and write

1567000

trusted library allocation

page execute and read and write

7640000

trusted library allocation

page read and write

5526000

trusted library allocation

page read and write

7B72000

trusted library allocation

page read and write

6570000

trusted library allocation

page execute and read and write

6280000

trusted library allocation

page read and write

5750000

trusted library allocation

page execute and read and write

A9A1000

trusted library allocation

page read and write

2AC0000

trusted library allocation

page read and write

31AA000

trusted library allocation

page read and write

There are 312 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
hesaphareketi__20241001.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporthesaphareketi__20241001.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
hesaphareketi__20241001.exe