Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

wd33g7Jan8.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.612358790924692
Filename:	wd33g7Jan8.exe
Filesize:	32256
MD5:	4225674c595b9ebd56b40e02b56fa4bc
SHA1:	2d61675ed36658d37795ea2572b31df6b75c53c4
SHA256:	2455874f6a28b18906b92b5ebfbc233062cc1c1cd50b2519640c3baa2ffca7f6
SHA512:	777ac78dbba50f1735c53b744645766966490a59c69763c9607961881f18052a00bface987ce9f69a747d2d2e9f2ea56b48f68e36ce43d13e291753598c679a6
SSDEEP:	768:ZlB4IZBDTuzxZ+KKczDNpHvhR/QmIDUu0tiLUj:6c6lhjQVkRj
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................v..........>.... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation	Access Token Manipulation Software Packing
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior	Access Token Manipulation
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation
Uses 32bit PE files	Compliance, System Summary	Masquerading
Yara signature match	System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses new MSVCR Dlls	Compliance, System Summary	Access Token Manipulation

C:\ProgramData\WindowsServices.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\ProgramData\WindowsServices.exe
Category:	dropped
Dump:	WindowsServices.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\wd33g7Jan8.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.612358790924692
Encrypted:	false
Ssdeep:	768:ZlB4IZBDTuzxZ+KKczDNpHvhR/QmIDUu0tiLUj:6c6lhjQVkRj
Size:	32256
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Creates autostart registry keys with suspicious names	Boot Survival	Registry Run Keys / Startup Folder
Disables zone checking for all users	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Drops PE files to the startup folder	Boot Survival	Registry Run Keys / Startup Folder
Machine Learning detection for dropped file	AV Detection
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Protects its processes via BreakOnTermination flag	Operating System Destruction
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Abnormal high CPU Usage	System Summary
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Security Software Discovery Windows Management Instrumentation
Contains functionality to call native functions	System Summary
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a start menu entry (Start Menu\Programs\Startup)	Boot Survival	Registry Run Keys / Startup Folder
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Startup Folder File Write	System Summary
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification	System Summary
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\wd33g7Jan8.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\wd33g7Jan8.exe.log
Category:	dropped
Dump:	wd33g7Jan8.exe.log.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\wd33g7Jan8.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.259753436570609
Encrypted:	false
Ssdeep:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
Size:	525
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a242e02f9e01cc69f94bf51247fa2cb.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a242e02f9e01cc69f94bf51247fa2cb.exe
Category:	dropped
Dump:	3a242e02f9e01cc69f94bf51247fa2cb.exe.1.dr
ID:	dr_2
Target ID:	1
Process:	C:\ProgramData\WindowsServices.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.612358790924692
Encrypted:	false
Ssdeep:	768:ZlB4IZBDTuzxZ+KKczDNpHvhR/QmIDUu0tiLUj:6c6lhjQVkRj
Size:	32256
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Drops PE files to the startup folder	Boot Survival	Registry Run Keys / Startup Folder
Machine Learning detection for dropped file	AV Detection
Creates a start menu entry (Start Menu\Programs\Startup)	Boot Survival	Registry Run Keys / Startup Folder
Drops PE files	Persistence and Installation Behavior
Sigma detected: Startup Folder File Write	System Summary
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\WindowsServices.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\WindowsServices.exe.log
Category:	dropped
Dump:	WindowsServices.exe.log.7.dr
ID:	dr_4
Target ID:	7
Process:	C:\ProgramData\WindowsServices.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.259753436570609
Encrypted:	false
Ssdeep:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
Size:	525
Whitelisted:	false
Reputation:	moderate

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.2.dr
ID:	dr_3
Target ID:	2
Process:	C:\Windows\SysWOW64\netsh.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.971939296804078
Encrypted:	false
Ssdeep:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
Size:	313
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\wd33g7Jan8.exe

"C:\Users\user\Desktop\wd33g7Jan8.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7384
Target ID:	0
Parent PID:	2580
Name:	wd33g7Jan8.exe
Path:	C:\Users\user\Desktop\wd33g7Jan8.exe
Commandline:	"C:\Users\user\Desktop\wd33g7Jan8.exe"
Size:	32256
MD5:	4225674C595B9EBD56B40E02B56FA4BC
Time:	03:21:59
Date:	27/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x840000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\ProgramData\WindowsServices.exe

"C:\ProgramData\WindowsServices.exe"

Details

Is windows:	false
Is dropped:	true
PID:	7484
Target ID:	1
Parent PID:	7384
Name:	WindowsServices.exe
Path:	C:\ProgramData\WindowsServices.exe
Commandline:	"C:\ProgramData\WindowsServices.exe"
Size:	32256
MD5:	4225674C595B9EBD56B40E02B56FA4BC
Time:	03:22:05
Date:	27/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xad0000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Startup Folder File Write	System Summary
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\ProgramData\WindowsServices.exe" "WindowsServices.exe" ENABLE

Details

Is windows:	true
Is dropped:	false
PID:	7568
Target ID:	2
Parent PID:	7484
Name:	netsh.exe
Path:	C:\Windows\SysWOW64\netsh.exe
Commandline:	netsh firewall add allowedprogram "C:\ProgramData\WindowsServices.exe" "WindowsServices.exe" ENABLE
Size:	82432
MD5:	4E89A1A088BE715D6C946E55AB07C7DF
Time:	03:22:12
Date:	27/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1560000
Modulesize:	122880
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Spawns processes	System Summary	Process Injection

C:\ProgramData\WindowsServices.exe

"C:\ProgramData\WindowsServices.exe" ..

Details

Is windows:	false
Is dropped:	true
PID:	7940
Target ID:	7
Parent PID:	2580
Name:	WindowsServices.exe
Path:	C:\ProgramData\WindowsServices.exe
Commandline:	"C:\ProgramData\WindowsServices.exe" ..
Size:	32256
MD5:	4225674C595B9EBD56B40E02B56FA4BC
Time:	03:22:22
Date:	27/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0xa70000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Startup Folder File Write	System Summary
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection

C:\ProgramData\WindowsServices.exe

"C:\ProgramData\WindowsServices.exe" ..

Details

Is windows:	false
Is dropped:	true
PID:	8024
Target ID:	8
Parent PID:	2580
Name:	WindowsServices.exe
Path:	C:\ProgramData\WindowsServices.exe
Commandline:	"C:\ProgramData\WindowsServices.exe" ..
Size:	32256
MD5:	4225674C595B9EBD56B40E02B56FA4BC
Time:	03:22:30
Date:	27/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0xd90000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Startup Folder File Write	System Summary
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection

C:\ProgramData\WindowsServices.exe

"C:\ProgramData\WindowsServices.exe" ..

Details

Is windows:	false
Is dropped:	true
PID:	8088
Target ID:	9
Parent PID:	2580
Name:	WindowsServices.exe
Path:	C:\ProgramData\WindowsServices.exe
Commandline:	"C:\ProgramData\WindowsServices.exe" ..
Size:	32256
MD5:	4225674C595B9EBD56B40E02B56FA4BC
Time:	03:22:38
Date:	27/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x30000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Startup Folder File Write	System Summary
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7576
Target ID:	3
Parent PID:	7568
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	03:22:12
Date:	27/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

IPs

Domain

Country

Malicious

45.152.161.204

unknown

Germany

Details

IP:	45.152.161.204
TargetID:	1
Current Path:	C:\ProgramData\WindowsServices.exe
Country:	Germany
Countrycode:	DEU
ASN number:	207907
ASN name:	THADDEUS_NGGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER

Details

TargetID:	0
Path:	HKEY_CURRENT_USER
Value name:	di
Value data:	!

Signature Hits	Behavior Group	Mitre Attack
Creates autostart registry keys with suspicious names	Boot Survival	Registry Run Keys / Startup Folder
Disables zone checking for all users	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder
Reads software policies	System Summary	System Information Discovery

HKEY_CURRENT_USER\Environment

SEE_MASK_NOZONECHECKS

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

3a242e02f9e01cc69f94bf51247fa2cb

Details

TargetID:	1
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name:	3a242e02f9e01cc69f94bf51247fa2cb
Value data:	"C:\ProgramData\WindowsServices.exe" ..

Signature Hits	Behavior Group	Mitre Attack
Creates autostart registry keys with suspicious names	Boot Survival	Registry Run Keys / Startup Folder
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run

3a242e02f9e01cc69f94bf51247fa2cb

Details

TargetID:	1
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Value name:	3a242e02f9e01cc69f94bf51247fa2cb
Value data:	"C:\ProgramData\WindowsServices.exe" ..

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

HKEY_CURRENT_USER\SOFTWARE\3a242e02f9e01cc69f94bf51247fa2cb

[kl]

Memdumps

Base Address

Regiontype

Protect

Malicious

842000

unkown

page readonly

2E31000

trusted library allocation

page read and write

30B1000

trusted library allocation

page read and write

127E000

stack

page read and write

5240000

trusted library allocation

page read and write

5A3B000

heap

page read and write

1680000

trusted library allocation

page read and write

1049000

heap

page read and write

1312000

trusted library allocation

page read and write

14BE000

heap

page read and write

1010000

trusted library allocation

page read and write

528E000

stack

page read and write

14D0000

heap

page read and write

14DA000

heap

page read and write

5A34000

heap

page read and write

14DD000

heap

page read and write

1524000

heap

page read and write

5320000

heap

page read and write

1139000

stack

page read and write

47F0000

trusted library allocation

page execute and read and write

E2E000

heap

page read and write

12F0000

trusted library allocation

page read and write

5A35000

heap

page read and write

584E000

stack

page read and write

53EC000

stack

page read and write

147B000

heap

page read and write

149A000

heap

page read and write

1160000

trusted library allocation

page read and write

1486000

heap

page read and write

149A000

heap

page read and write

43C4000

trusted library allocation

page read and write

1451000

heap

page read and write

152A000

heap

page read and write

14D7000

heap

page read and write

1458000

heap

page read and write

BF0000

heap

page read and write

5560000

trusted library allocation

page read and write

1489000

heap

page read and write

524E000

stack

page read and write

159E000

stack

page read and write

2B67000

trusted library allocation

page execute and read and write

1520000

heap

page read and write

147F000

heap

page read and write

8DB000

stack

page read and write

14C9000

heap

page read and write

18B0000

heap

page execute and read and write

14D0000

heap

page read and write

536C000

stack

page read and write

14BF000

heap

page read and write

149A000

heap

page read and write

524E000

stack

page read and write

48F0000

heap

page read and write

AD0000

heap

page read and write

6D9000

heap

page read and write

5A35000

heap

page read and write

1482000

heap

page read and write

14DE000

heap

page read and write

1197000

trusted library allocation

page execute and read and write

9D6000

stack

page read and write

14CD000

heap

page read and write

1486000

heap

page read and write

B6A000

stack

page read and write

5B0B000

stack

page read and write

2CAE000

stack

page read and write

4800000

trusted library allocation

page read and write

622000

trusted library allocation

page execute and read and write

14C3000

heap

page read and write

620000

trusted library allocation

page read and write

14D5000

heap

page read and write

1340000

heap

page execute and read and write

14CB000

heap

page read and write

14DE000

heap

page read and write

14D4000

heap

page read and write

1467000

heap

page read and write

D70000

heap

page read and write

B70000

heap

page read and write

1760000

heap

page read and write

385D000

stack

page read and write

12DA000

trusted library allocation

page execute and read and write

EF6000

stack

page read and write

6A4000

heap

page read and write

1672000

trusted library allocation

page execute and read and write

E8C000

heap

page read and write

1520000

heap

page read and write

3E34000

trusted library allocation

page read and write

600000

trusted library allocation

page read and write

147A000

heap

page read and write

14BE000

heap

page read and write

1507000

heap

page read and write

1660000

trusted library allocation

page read and write

EFB000

stack

page read and write

86F000

stack

page read and write

DBD000

stack

page read and write

1170000

heap

page read and write

15C0000

heap

page read and write

560E000

stack

page read and write

14DD000

heap

page read and write

5020000

trusted library allocation

page read and write

564E000

stack

page read and write

152C000

heap

page read and write

FA0000

heap

page read and write

147B000

heap

page read and write

E20000

heap

page read and write

14BD000

heap

page read and write

1180000

heap

page read and write

B80000

heap

page read and write

12C0000

trusted library allocation

page read and write

12B0000

heap

page read and write

8AE000

stack

page read and write

14CB000

heap

page read and write

168C000

trusted library allocation

page execute and read and write

1030000

trusted library allocation

page read and write

1441000

heap

page read and write

FF3000

stack

page read and write

14DE000

heap

page read and write

5930000

heap

page read and write

12A2000

trusted library allocation

page execute and read and write

15B0000

trusted library allocation

page read and write

103C000

trusted library allocation

page execute and read and write

642000

trusted library allocation

page execute and read and write

1507000

heap

page read and write

1424000

heap

page read and write

59FE000

stack

page read and write

13EF000

stack

page read and write

52C0000

heap

page read and write

13BE000

unkown

page read and write

14D2000

heap

page read and write

14A4000

heap

page read and write

1190000

heap

page read and write

1240000

heap

page execute and read and write

1375000

heap

page read and write

14D5000

heap

page read and write

62C000

trusted library allocation

page execute and read and write

2BAE000

stack

page read and write

1079000

heap

page read and write

14BF000

heap

page read and write

1166000

trusted library allocation

page execute and read and write

36C4000

trusted library allocation

page read and write

14CB000

heap

page read and write

152B000

heap

page read and write

1475000

heap

page read and write

152C000

heap

page read and write

12B0000

heap

page read and write

53D0000

heap

page read and write

5010000

trusted library allocation

page execute and read and write

1489000

heap

page read and write

14C8000

heap

page read and write

140F000

heap

page read and write

5890000

trusted library allocation

page execute and read and write

1270000

heap

page read and write

1486000

heap

page read and write

14BE000

heap

page read and write

61A000

trusted library allocation

page execute and read and write

4C7E000

stack

page read and write

1520000

heap

page read and write

14A4000

heap

page read and write

58FE000

stack

page read and write

14A4000

heap

page read and write

14D1000

heap

page read and write

536E000

stack

page read and write

36C1000

trusted library allocation

page read and write

5A46000

heap

page read and write

430000

heap

page read and write

152E000

stack

page read and write

5ED0000

trusted library allocation

page execute and read and write

4D5000

heap

page read and write

14C0000

heap

page read and write

1484000

heap

page read and write

1476000

heap

page read and write

5910000

heap

page read and write

570E000

stack

page read and write

14D0000

heap

page read and write

14DA000

heap

page read and write

1451000

heap

page read and write

FFE000

stack

page read and write

2B60000

trusted library allocation

page read and write

149D000

heap

page read and write

14D2000

heap

page read and write

1488000

heap

page read and write

5200000

heap

page read and write

1501000

heap

page read and write

1444000

heap

page read and write

12AE000

stack

page read and write

14DD000

heap

page read and write

1507000

heap

page read and write

14C8000

heap

page read and write

120E000

stack

page read and write

12E0000

trusted library allocation

page read and write

1451000

heap

page read and write

FDF000

heap

page read and write

5910000

heap

page read and write

1520000

heap

page read and write

105D000

heap

page read and write

14D1000

heap

page read and write

47E0000

trusted library allocation

page read and write

13F8000

heap

page read and write

1A50000

trusted library allocation

page execute and read and write

5A31000

heap

page read and write

103B000

stack

page read and write

14D9000

heap

page read and write

657000

trusted library allocation

page execute and read and write

100E000

stack

page read and write

1142000

trusted library allocation

page execute and read and write

12B0000

heap

page read and write

152C000

heap

page read and write

1486000

heap

page read and write

47C0000

heap

page read and write

BB5000

heap

page read and write

5AEF000

stack

page read and write

14BE000

heap

page read and write

C40000

heap

page read and write

15C6000

heap

page read and write

55CF000

stack

page read and write

11B0000

heap

page read and write

1036000

trusted library allocation

page execute and read and write

48AE000

stack

page read and write

51DF000

stack

page read and write

1136000

stack

page read and write

548E000

stack

page read and write

13BF000

stack

page read and write

12E2000

trusted library allocation

page execute and read and write

3880000

heap

page read and write

12E0000

heap

page read and write

12EA000

trusted library allocation

page execute and read and write

14D9000

heap

page read and write

EF6000

stack

page read and write

5A45000

heap

page read and write

147D000

heap

page read and write

14C8000

heap

page read and write

116C000

trusted library allocation

page execute and read and write

BE0000

heap

page read and write

555E000

stack

page read and write

1040000

heap

page read and write

14C3000

heap

page read and write

1630000

heap

page read and write

54A0000

unclassified section

page read and write

D30000

heap

page read and write

16B7000

trusted library allocation

page execute and read and write

670000

heap

page read and write

14CF000

heap

page read and write

568E000

stack

page read and write

101E000

stack

page read and write

5A31000

heap

page read and write

5A45000

heap

page read and write

367E000

unkown

page read and write

5A32000

heap

page read and write

4D0000

heap

page read and write

55DE000

stack

page read and write

149B000

heap

page read and write

16BB000

trusted library allocation

page execute and read and write

1484000

heap

page read and write

14DE000

heap

page read and write

54CE000

stack

page read and write

43C1000

trusted library allocation

page read and write

E28000

heap

page read and write

4004000

trusted library allocation

page read and write

1486000

heap

page read and write

1682000

trusted library allocation

page execute and read and write

14BE000

heap

page read and write

B0B000

stack

page read and write

16FE000

stack

page read and write

EAA000

heap

page read and write

4B3E000

stack

page read and write

1507000

heap

page read and write

47E4000

trusted library allocation

page read and write

116A000

trusted library allocation

page execute and read and write

59EE000

stack

page read and write

65B000

trusted library allocation

page execute and read and write

1022000

trusted library allocation

page execute and read and write

16B0000

trusted library allocation

page read and write

174E000

stack

page read and write

1032000

trusted library allocation

page execute and read and write

1350000

heap

page read and write

68D000

heap

page read and write

13F0000

heap

page read and write

14BD000

heap

page read and write

12D2000

trusted library allocation

page execute and read and write

1527000

heap

page read and write

14D6000

heap

page read and write

1A60000

heap

page read and write

49FF000

stack

page read and write

1520000

heap

page read and write

33C1000

trusted library allocation

page read and write

5940000

heap

page read and write

BB0000

heap

page read and write

1230000

trusted library allocation

page read and write

1317000

trusted library allocation

page execute and read and write

162F000

stack

page read and write

5A47000

heap

page read and write

626000

trusted library allocation

page execute and read and write

5310000

trusted library allocation

page execute and read and write

1529000

heap

page read and write

143B000

heap

page read and write

4C3E000

stack

page read and write

14E1000

heap

page read and write

119B000

trusted library allocation

page execute and read and write

14D5000

heap

page read and write

51E0000

heap

page read and write

14DE000

heap

page read and write

2AEE000

stack

page read and write

BE0000

heap

page read and write

2B6B000

trusted library allocation

page execute and read and write

108E000

heap

page read and write

3886000

heap

page read and write

5323000

heap

page read and write

1523000

heap

page read and write

14E2000

heap

page read and write

4CE000

stack

page read and write

1870000

heap

page read and write

16A2000

trusted library allocation

page execute and read and write

149C000

heap

page read and write

532E000

stack

page read and write

9DE000

stack

page read and write

1507000

heap

page read and write

1507000

heap

page read and write

14D0000

heap

page read and write

590F000

stack

page read and write

FAE000

heap

page read and write

26C1000

trusted library allocation

page read and write

BA5000

heap

page read and write

840000

unkown

page readonly

12F7000

trusted library allocation

page execute and read and write

149E000

stack

page read and write

574E000

stack

page read and write

1150000

heap

page read and write

12E5000

heap

page read and write

54DF000

stack

page read and write

40B1000

trusted library allocation

page read and write

1475000

heap

page read and write

5220000

trusted library allocation

page read and write

4001000

trusted library allocation

page read and write

1182000

trusted library allocation

page execute and read and write

500E000

stack

page read and write

1524000

heap

page read and write

1047000

heap

page read and write

560E000

stack

page read and write

FEE000

stack

page read and write

E49000

heap

page read and write

534E000

stack

page read and write

1484000

heap

page read and write

14D0000

heap

page read and write

3336000

trusted library allocation

page read and write

5A48000

heap

page read and write

CB000

stack

page read and write

167A000

trusted library allocation

page execute and read and write

1507000

heap

page read and write

5A32000

heap

page read and write

114A000

trusted library allocation

page execute and read and write

1C6000

stack

page read and write

102A000

trusted library allocation

page execute and read and write

D75000

heap

page read and write

14D4000

heap

page read and write

8D0000

heap

page read and write

480000

heap

page read and write

FFB000

stack

page read and write

1260000

heap

page read and write

1130000

trusted library allocation

page read and write

14CB000

heap

page read and write

FA8000

heap

page read and write

53AA000

stack

page read and write

5E0000

heap

page read and write

538E000

stack

page read and write

14BE000

heap

page read and write

11C0000

heap

page read and write

12FA000

trusted library allocation

page execute and read and write

5290000

trusted library allocation

page execute and read and write

237F000

stack

page read and write

149C000

heap

page read and write

4AFE000

stack

page read and write

4D7E000

stack

page read and write

1302000

trusted library allocation

page execute and read and write

3001000

trusted library allocation

page read and write

ABE000

stack

page read and write

1464000

heap

page read and write

588C000

stack

page read and write

EF9000

stack

page read and write

149A000

heap

page read and write

5A34000

heap

page read and write

14CB000

heap

page read and write

1521000

heap

page read and write

1350000

heap

page read and write

512E000

stack

page read and write

130A000

trusted library allocation

page execute and read and write

123F000

stack

page read and write

14BE000

heap

page read and write

7F6C0000

trusted library allocation

page execute and read and write

18A0000

trusted library allocation

page read and write

5490000

trusted library allocation

page read and write

1370000

heap

page read and write

5A10000

heap

page read and write

56DE000

stack

page read and write

BA0000

heap

page read and write

1520000

heap

page read and write

149C000

heap

page read and write

1686000

trusted library allocation

page execute and read and write

13FE000

stack

page read and write

1190000

trusted library allocation

page read and write

E5F000

heap

page read and write

F3E000

stack

page read and write

14C3000

heap

page read and write

D20000

heap

page read and write

186E000

stack

page read and write

145E000

stack

page read and write

149B000

heap

page read and write

660000

heap

page execute and read and write

48EE000

stack

page read and write

5429000

stack

page read and write

1430000

heap

page read and write

5230000

trusted library allocation

page execute and read and write

152E000

heap

page read and write

1520000

heap

page read and write

E00000

heap

page read and write

14D1000

heap

page read and write

149C000

heap

page read and write

377E000

stack

page read and write

52ED000

stack

page read and write

56F0000

heap

page read and write

598C000

stack

page read and write

57FE000

stack

page read and write

131B000

trusted library allocation

page execute and read and write

1487000

heap

page read and write

14BE000

heap

page read and write

1528000

heap

page read and write

1521000

heap

page read and write

5C0C000

stack

page read and write

14CC000

heap

page read and write

50B8000

trusted library allocation

page read and write

1340000

heap

page read and write

BF0000

heap

page read and write

1162000

trusted library allocation

page execute and read and write

3E31000

trusted library allocation

page read and write

14BD000

heap

page read and write

152B000

heap

page read and write

1C9000

stack

page read and write

1507000

heap

page read and write

18A4000

trusted library allocation

page read and write

14D2000

heap

page read and write

1540000

heap

page read and write

4F0E000

stack

page read and write

47BF000

stack

page read and write

111E000

stack

page read and write

1290000

heap

page execute and read and write

677000

heap

page read and write

14DC000

heap

page read and write

DFE000

stack

page read and write

52A0000

trusted library allocation

page read and write

1310000

trusted library allocation

page read and write

612000

trusted library allocation

page execute and read and write

518C000

stack

page read and write

50DE000

stack

page read and write

1520000

heap

page read and write

47E000

stack

page read and write

There are 442 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
wd33g7Jan8.exe

Files

Processes

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportwd33g7Jan8.exe

Files

Processes

IPs

Registry

Memdumps

IOC Report
wd33g7Jan8.exe