Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"

Details

Is windows:	true
Is dropped:	false
PID:	6228
Target ID:	0
Parent PID:	4520
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Size:	3242272
MD5:	83395EAB5B03DEA9720F8D7AC0D15CAA
Time:	11:40:42
Date:	26/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7d6f10000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1988,i,15395324966863303034,10377143304438437007,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

Details

Is windows:	true
Is dropped:	false
PID:	6452
Target ID:	1
Parent PID:	6228
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1988,i,15395324966863303034,10377143304438437007,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Size:	3242272
MD5:	83395EAB5B03DEA9720F8D7AC0D15CAA
Time:	11:40:42
Date:	26/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7d6f10000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://finalstepgo.com/uploads/il2.txt"

Details

Is windows:	true
Is dropped:	false
PID:	7124
Target ID:	3
Parent PID:	4520
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://finalstepgo.com/uploads/il2.txt"
Size:	3242272
MD5:	83395EAB5B03DEA9720F8D7AC0D15CAA
Time:	11:40:44
Date:	26/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7d6f10000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\Temp1_il222.zip\PrivacyDrive.exe

"C:\Users\user\AppData\Local\Temp\Temp1_il222.zip\PrivacyDrive.exe"

Details

Is windows:	true
Is dropped:	false
PID:	364
Target ID:	19
Parent PID:	4552
Name:	PrivacyDrive.exe
Path:	C:\Users\user\AppData\Local\Temp\Temp1_il222.zip\PrivacyDrive.exe
Commandline:	"C:\Users\user\AppData\Local\Temp\Temp1_il222.zip\PrivacyDrive.exe"
Size:	2881672
MD5:	80C2A36E9A14E3EDBA0B706D2433D9B8
Time:	11:42:00
Date:	26/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x400000
Modulesize:	2904064
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	2436
Target ID:	14
Parent PID:	804
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Size:	71680
MD5:	EF3179D498793BF4234F708D3BE28633
Time:	11:41:29
Date:	26/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff69c140000
Modulesize:	94208
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 1712

Details

Is windows:	true
Is dropped:	false
PID:	2824
Target ID:	24
Parent PID:	364
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 1712
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	11:42:10
Date:	26/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0xeb0000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://finalstepgo.com/uploads/il2.txt

covvercilverow.shop

pumpkinkwquo.shop

abortinoiwiam.shop

deallyharvenw.shop

defenddsouneuw.shop

priooozekw.shop

https://racedsuitreow.shop/api

172.67.206.221

surroundeocw.shop

racedsuitreow.shop

candleduseiwo.shop

https://finalstepgo.com/uploads/il2.txt

https://www.cloudflare.com/learning/access-management/phishing-attack/

unknown

http://www.broofa.com

unknown

https://finalstepgo.com/favicon.ico

185.255.122.133

https://finalstepgo.com/uploads/il222.zip

185.255.122.133

https://www.google.com/async/newtab_promos

142.250.185.132

https://racedsuitreow.shop/apib

unknown

https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SpvAvsXfWWo.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo-MoqWi0fF1M09Ccs-6QfulXvxfdg/cb=gapi.loaded_0

142.250.184.238

http://www.privacy-drive.comx

unknown

https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1

unknown

https://racedsuitreow.shop/w

unknown

https://plus.google.com

unknown

https://www.cloudflare.com/5xx-error-landing

unknown

https://www.google.com/async/ddljson?async=ntp:2

142.250.185.132

https://play.google.com/log?format=json&hasfast=true

142.250.186.110

https://www.cloudflare.com/5xx-error

unknown

https://racedsuitreow.shop/

unknown

https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw

142.250.185.132

https://csp.withgoogle.com/csp/lcreport/

unknown

https://racedsuitreow.shop/_

unknown

https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

142.250.185.132

https://apis.google.com

unknown

https://domains.google.com/suggest/flow

unknown

https://racedsuitreow.shop/api4

unknown

https://clients6.google.com

unknown

https://racedsuitreow.shop/api6

unknown

There are 26 hidden URLs, click here to show them.

Domains

Name

Malicious

racedsuitreow.shop

172.67.206.221

Details

Name:	racedsuitreow.shop
IP:	172.67.206.221
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

apis.google.com

unknown

Details

Name:	apis.google.com
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

candleduseiwo.shop

unknown

Details

Name:	candleduseiwo.shop
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Sample uses string decryption to hide its real strings	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

plus.l.google.com

142.250.184.238

play.google.com

142.250.186.110

Details

Name:	play.google.com
IP:	142.250.186.110
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

www.google.com

142.250.185.132

Details

Name:	www.google.com
IP:	142.250.185.132
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

finalstepgo.com

185.255.122.133

Details

Name:	finalstepgo.com
IP:	185.255.122.133
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

192.168.2.17

unknown

172.67.206.221

racedsuitreow.shop

United States

Details

IP:	172.67.206.221
TargetID:	19
Current Path:	C:\Users\user\AppData\Local\Temp\Temp1_il222.zip\PrivacyDrive.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	racedsuitreow.shop

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

142.250.185.132

www.google.com

United States

192.168.2.4

unknown

192.168.2.5

unknown

185.255.122.133

finalstepgo.com

Netherlands

239.255.255.250

unknown

Reserved

142.250.186.110

play.google.com

United States

142.250.184.238

plus.l.google.com

United States

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property

0018C00B92EA0FCD

Details

TargetID:	24
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property
Value name:	0018C00B92EA0FCD
Value data:	01 00 00 00 01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0 4F C2 97 EB 01 00 00 00 F8 89 66 F2 06 CF D1 48 9E 5A 08 0F E4 9C 09 AE 00 00 00 00 02 00 00 00 00 00 10 66 00 00 00 01 00 00 20 00 00 00 55 E9 DE 44 BB 29 F9 5B 0D 57 FE 95 52 C8 FE 36 90 D4 27 68 17 4F 5A 19 D8 72 E7 04 FA 40 22 1F 00 00 00 00 0E 80 00 00 00 02 00 00 20 00 00 00 CB C4 2C 26 02 68 ED C2 A7 65 C1 96 D2 F1 14 4F 83 FF C2 D5 2A 17 1A D3 47 A6 D1 D7 B7 0B 02 B2 80 00 00 00 43 AB E9 9F 42 41 1A 55 5B 59 C6 FF A4 11 5A DC EA 53 C3 ED B0 61 08 FD C0 F3 9F 36 42 71 83 BA BC 7B 73 93 F7 F1 A4 F8 B1 33 8E 4C 0D 00 F3 8A A3 33 6E 55 CA 05 48 34 F6 0C 4F D3 6F 98 20 9C 39 C2 99 57 FF DF 75 96 06 60 48 3E DA 93 FF 7C 00 77 5A 0C FB 83 CE 7B EC 39 56 41 EE C2 AF BF F8 51 D3 41 8A A3 A3 E6 1E F9 81 DB E6 3E FD 42 C2 1B 37 E2 66 6D 40 9B AE 9C 6F FF BB A2 7D 4D 40 00 00 00 46 68 DC 38 EE 6E A3 86 B7 A1 55 08 B2 5D 7E 44 61 D4 ED C2 B7 3C 08 E6 F3 CE F8 07 D4 28 0D 98 5B 4F 0C 80 24 86 CE 53 48 0F E7 92 84 C1 95 6E 1A 92 5F 69 AE FA E6 63 73 F5 9B B7 C8 27 97 7E

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

DeviceTicket

Details

TargetID:	24
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
Value name:	DeviceTicket
Value data:	01 00 00 00 01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0 4F C2 97 EB 01 00 00 00 F8 89 66 F2 06 CF D1 48 9E 5A 08 0F E4 9C 09 AE 00 00 00 00 02 00 00 00 00 00 10 66 00 00 00 01 00 00 20 00 00 00 6E 76 0B DE B9 53 DF 16 36 EE 4E 79 59 1B 30 90 EC E1 70 0C E5 9F 5A A1 CA 46 47 8A D5 C2 BD 1F 00 00 00 00 0E 80 00 00 00 02 00 00 20 00 00 00 88 07 D0 81 78 34 16 0C 80 79 B3 35 B2 EF 38 58 4A FF 88 68 38 44 5E 22 5E 31 03 2A DD 5C AD 0B 20 08 00 00 E1 78 60 36 E5 63 C9 C8 8D 35 ED E4 4E F6 9E 72 A6 00 82 12 E9 B9 FB 4B FB 53 BA 67 1A 21 0B 03 66 D2 6E 6D A1 6B 5C 7B 9C AE C0 CC FA BC 10 EE CD 44 82 AD 89 AD 17 DB FC 33 D4 A1 CE C7 93 54 E6 0E DF A4 8A 2F 81 03 AE D1 42 96 54 0A 65 D7 A5 C8 0E 3B E6 8A 7D A2 7F 07 02 FD 50 4D 14 F7 83 4E 36 C1 09 86 4A 53 9D 61 15 E0 67 3F 5B 43 B1 4B 80 0C B9 01 AA 03 7F 5E 4B 5A CF 5C 85 B8 96 64 5A F9 CB 9D BA ED B2 D9 94 75 4F A4 A6 88 68 BA 91 08 E1 EB AF B3 EF 7C 05 51 17 EF BE B2 A7 61 20 AB E6 B0 9E CB 5A 51 28 F9 6D 1C 33 37 5E 06 56 72 88 F5 DA AF B0 38 38 FD 54 AF 95 3E D1 92 9F 02 DC 1F 12 D5 E7 D4 FA 96 96 7E B2 4D 4D A5 74 F8 1E 49 00 1B D5 A3 58 97 24 9D 2E 8E 05 EF DA 77 10 76 99 F2 56 D8 F8 60 AE FB 7E FA 11 16 11 62 DA DD 71 17 13 68 74 3C 42 0D E7 4C 80 19 AE 1C 71 94 A5 AF 37 C4 5A C0 98 40 80 2E 27 DA 47 53 C8 D1 68 9F 54 C4 26 8D C2 DA DD 80 C5 C4 EA F6 4F 9F 6B C5 8C B2 F4 84 94 25 A5 F8 74 7D 31 26 10 66 51 2D F2 B9 98 EE 9F EC A3 E4 26 19 2B 43 B1 95 56 6F AE B1 CD 7C 1F 1C 34 03 4B 84 89 91 22 D4 70 77 AE D1 62 DB 14 9D 9B FE B7 70 C2 2B B2 2A D7 12 B3 CC C9 1D 76 B1 31 7C A0 4A 7D B8 9D C4 4D 60 D6 E2 FD BF 65 01 AC 44 4F 8D 4D F0 8E AD 97 3B 52 32 BA BB 76 7B 94 7B 75 02 F8 EE E5 F7 2C 38 FB 42 B8 4C 93 06 45 01 A1 34 73 12 C4 96 6D 0E B8 DF E9 FB 5D 4D 28 E2 E9 F4 3F 30 DF 5A 75 BB F1 BE ED 01 E3 B1 23 20 0E A1 81 57 EA 61 97 AB DD 1A 75 A1 7C 8B D0 57 00 FA 02 26 F6 EB CC DA 90 39 00 61 07 65 B8 E4 B5 7F BE FF CF A6 D5 E8 CE D8 0E A5 11 EE BD 81 61 C5 DB 99 38 8A 9C E9 3B FE 43 E6 8C 12 37 CD 27 3C 02 70 A0 00 A7 6F 49 36 F5 B7 4A DB A5 4C 9E D2 79 02 43 21 66 4C CB 56 DE A4 00 06 C2 3B EF D7 25 4B D2 6E C3 3B 0B EE E7 28 E5 72 E5 54 0E F8 4D 01 FD 58 6F EA B5 6D 04 23 38 81 3A AF 82 A8 C5 71 30 FB C9 A6 D3 92 7C BF 0D 2F 23 FF 3B 8C 3B 32 D0 8B 65 82 F6 3F D0 E0 D0 B4 2A 71 FC CE 64 D7 5E 3C C9 24 08 D7 A1 05 44 33 78 E4 DF 28 2D EE 05 C6 B2 45 46 24 4D E6 56 0B B7 67 40 86 A8 7A C5 57 36 A3 EF 07 43 44 2E 1F 84 0D 80 E8 5A 95 5D 1E 3F CA 45 90 C0 13 89 B3 D3 5F 4B 9C 68 BC C2 43 38 02 FD C3 F6 84 2C FA 77 57 E3 00 B8 AC E8 66 A4 D4 06 D2 DB 34 9C 8F 19 E6 8D 75 27 DF 2A E4 CD E6 D4 50 68 D6 31 F7 60 4C 19 1F 5A 36 33 1D C2 0E 3F 34 8F 19 08 4C 74 38 6B 8A 86 52 94 EA 87 DE D0 7D A6 67 0E D0 EE E6 18 88 87 8D AC BF 97 8C E3 1A 2C DF 16 5B C9 31 FE BC C6 BD 18 D3 EA 77 86 A6 24 60 4B B0 31 76 12 94 E7 F5 21 F4 96 F5 D6 64 57 2A 86 0D AE 6E A3 08 66 CF C2 96 4C B9 47 25 5E CF 1C E9 C6 E6 E1 B3 BC F7 B9 B2 55 23 33 8D C3 CA 48 F3 53 B3 CC DC 2E C8 BC B4 12 53 84 54 33 95 F5 A9 EE 6D 87 53 99 29 48 1E 2B 80 F4 F1 1D 48 9B 4A 7A F9 E9 CF C0 F6 79 59 B5 54 5F 4D 07 74 3A 55 F2 B2 63 A3 76 59 CA 13 59 08 76 F7 D1 EA 2F 4A 75 BF 0C C8 7A 6D 82 70 F5 EA C3 5D AC 63 D8 F6 27 5B FE E5 12 37 6E D4 FD C0 74 45 BF 41 2B C4 6B 6C 68 99 3B A7 16 90 5A 8D 4C DD 5C 91 30 BF 1E BA 36 FB 36 D1 0E C3 AB 73 1F E6 E4 3D 7A 0A 6E BD 72 C2 8F 8E D3 61 40 1E 77 3B 1C 24 5A 1B EF 87 9A A7 14 C2 B7 B5 37 31 69 30 37 CC 70 D7 AF 95 AE 72 13 6F A8 E7 E5 15 99 29 A3 1A EA D2 BB B6 3B 13 8E AB 10 BA 7E 71 A2 79 7B 23 E3 B8 8C 95 B8 57 8E 0A 7B 06 70 1F 97 0B 74 FB C1 C0 AB 59 D7 F1 32 65 11 B5 88 32 3B 5D 52 64 1F 0A 8B EC 6E 43 F3 14 E3 7F 75 CB 4C 1D 7F B0 57 1F 97 EC 67 10 B7 24 36 00 B1 E2 87 5A C9 0E 5B 57 3A EB 94 56 86 49 7F 52 56 A5 57 91 8C A8 83 46 D4 E5 A3 8D C8 13 A7 CC 92 9B 0C 7B D4 00 88 AB 78 42 3B 77 B2 08 A2 68 16 FF 43 6B 5D 38 D6 8C ED DD 51 07 79 8F F5 B6 61 C2 0A 98 18 A1 A6 A3 46 29 22 35 35 5D 17 6C 41 C9 37 FD 12 89 9C 78 7E FF 9F 4F 41 38 F2 75 11 7E B9 81 B7 0F 7A FC AB 90 69 10 E9 6C 8B 1F B2 13 41 77 C9 CD 07 8A 2F 16 55 03 54 BA 73 50 1E 70 AA AD A0 D7 16 DC FE A9 23 2E BC FD B7 6F 96 53 E4 FE 72 46 A3 56 7D EC 2E FF BC BA 5B 3D B4 09 A2 C8 0E 27 91 18 9D 30 E6 90 2D F0 B7 83 4F 53 F6 17 94 13 CE B6 D7 9D B3 E9 C3 4B 01 2A F7 2C 1D 57 FE C5 D0 40 31 AB D4 C3 77 6E 78 A7 75 F7 58 AE 62 B6 A5 40 0D A4 3A 33 0C 24 1D 54 40 FB 36 E2 A4 E9 B1 93 25 8D 0E 3B 7F 31 06 46 1F 7D D3 80 FE ED 6A 18 DD 66 7F 7B 7B 25 0D A1 7E 9E D0 3B E6 4E 7D AD 4B 85 CF 2A 13 5B 07 54 DE 2C 51 50 60 DD 1E 1E AC 7E C7 0C 6D 0C DA A4 7C FD B3 4C 68 F4 38 CB 74 22 2C B7 9A 4F E2 AE 48 AD AB 19 9A AD 5E 4D 1C CC CD 36 AA 5D 77 B4 46 95 92 F3 47 1B 06 2F 23 4B 46 F1 B5 0C A5 A9 A6 57 ED DE 28 5D 3D 0B 2E 37 25 E2 EC F4 B0 16 5C F0 87 64 BC 79 3F 1B C9 F2 AC 4D DD 94 29 35 12 DF FD 56 AB F7 1A 12 05 0C E8 A3 C7 97 F0 FF 0D 92 17 B7 6D C3 C6 D0 FD 21 C6 FF 5C 1E E7 71 24 64 E9 46 6D B0 63 2C 24 2D 4A 26 A1 21 F2 B9 A5 D6 7A BE B4 E4 BB 4F 42 0B 3C 10 96 7F 6A F4 B8 90 12 EB 29 DC 0F 48 08 E5 50 A5 69 4E 86 E5 40 E9 F9 73 78 6E 19 F7 F7 29 A2 84 68 68 20 7F 6A B2 D3 5F DF EB E1 1C ED EA 3D 86 C4 C3 8F 04 DF 7B E9 EE B2 79 E9 11 AE 4B 32 E1 54 5A EA 7B 7C 22 64 1E 8C 1B 79 7F 69 EC B9 83 81 7D 95 39 2A 6E 58 C9 3C 38 7F 4D 81 72 A3 9E B8 2F 48 2B 35 8F 39 FA 30 18 22 60 D7 58 6B 4F E6 34 3B 60 08 CC AF 03 7E 79 12 E0 A4 89 52 03 25 E7 49 28 92 AC D8 69 06 1A C3 C7 10 15 2E 90 2F 58 CB ED CD 3F 35 D6 6A FF D4 60 68 C8 B7 BC 59 E0 34 1E BC CD E9 4F 9F D7 08 16 AF 47 EF E4 87 97 5C D3 24 53 AF 58 F7 D4 10 A6 D4 C0 58 97 5B F9 99 48 DA EB B3 7F 5E 7A D6 E5 7B D1 0F 60 D7 4D CD 44 8C 1F AB 6B 6F 54 8E 67 86 C5 87 50 0F F1 EB DF 30 BF E6 C5 1A 41 F0 CD FF 6A 54 1C 94 CB 87 6C 45 3A D0 3C F5 57 E5 8D 62 26 36 26 64 D5 F5 A0 2E 8D A2 24 24 A1 68 B7 74 06 7A 50 00 23 82 9D C1 9D EA C2 D7 20 5D EC 34 9E 2B 93 E4 84 94 52 FD 7B 6C 06 F2 0C 1E E7 01 E1 C2 C1 61 7F 40 E3 31 F0 58 CF 1A 9E 19 AD 5D 72 81 78 52 39 80 FD AA 22 C3 3A EC B6 56 71 EB AE 06 6F 96 65 2A 7A 60 A0 28 5A BA 94 39 65 66 24 52 4C A5 6C FA 8F 25 E3 2D 76 55 6B 5C 3B F4 CE D1 65 72 08 06 6C 8B 2E 9F C6 E2 59 F0 8F 18 85 AC A6 54 02 09 66 F7 E4 DD C5 50 9B FD 03 D8 01 52 E3 7F D0 4A 52 99 34 01 8E A9 35 36 C5 FE 8F C6 43 CD EA 85 6B 6A 09 6A 17 2D FE EC FA 7A 81 8A 7A 08 6D E7 F4 2A C2 B6 E8 95 DE 30 D9 CD FD F1 56 3C 5D 05 1F 32 A8 A2 D4 B0 A0 41 FA 63 72 5E 39 BA 4D 02 D6 7F 98 C2 1D CC 35 75 38 CB EC 9B E8 EE 10 AB 16 E8 5D 18 49 7B 84 C8 B9 B3 C3 BF 27 EA F8 B7 2D 55 39 C8 F9 9E B6 53 B9 B9 86 3A 37 8D 59 2E D4 1F 45 5B 41 70 69 90 8B EC 81 92 8C 6E B2 6A C3 7A FD 71 A3 87 E6 6E 91 3C A0 87 81 44 CE 1B 0A 6A 41 85 5D 8B B4 E7 27 EA 32 CE 08 B4 9B CB 35 48 B3 AD DA D2 55 B3 82 27 5A 40 00 00 00 0D 57 79 9D E0 AB AB 43 B1 FB 2A AC 05 0D 8F D2 BF 9E E6 37 1D 88 79 A9 C6 3B BC CC 41 29 CE 27 40 ED 03 BF 62 0A 01 8E 78 77 B1 51 4F 43 42 A1 C7 0B 9E A0 CB CA 58 AE 86 36 71 4E D6 68 38 4A

Memdumps

Base Address

Regiontype

Protect

Malicious

1010000

direct allocation

page execute and read and write

5C1000

unkown

page readonly

6B00000

remote allocation

page read and write

1978000

heap

page read and write

1004000

heap

page read and write

400000

unkown

page readonly

5A2B000

stack

page read and write

7EDD000

stack

page read and write

18AC000

heap

page read and write

1970000

heap

page read and write

552000

unkown

page readonly

4941000

heap

page read and write

4930000

heap

page read and write

1919000

heap

page read and write

1894000

heap

page read and write

1090000

heap

page read and write

18A0000

heap

page read and write

1878000

heap

page read and write

26ADFA60000

heap

page read and write

318F000

stack

page read and write

9C000

stack

page read and write

904F000

stack

page read and write

F4E000

stack

page read and write

6AED000

stack

page read and write

190A000

heap

page read and write

1004000

heap

page read and write

1004000

heap

page read and write

62AE000

stack

page read and write

18DA000

heap

page read and write

4931000

heap

page read and write

117E000

stack

page read and write

1915000

heap

page read and write

26ADFA67000

heap

page read and write

5CB3000

trusted library allocation

page read and write

190C000

heap

page read and write

873F000

stack

page read and write

F0E000

stack

page read and write

18A0000

heap

page read and write

4931000

heap

page read and write

1004000

heap

page read and write

5A8F000

unclassified section

page readonly

4931000

heap

page read and write

1E0000

heap

page read and write

18AB000

heap

page read and write

401000

unkown

page execute read

62ED000

stack

page read and write

26ADFDD5000

heap

page read and write

17F3000

heap

page read and write

F8E000

stack

page read and write

298F000

stack

page read and write

1004000

heap

page read and write

4931000

heap

page read and write

18BC000

heap

page read and write

5BA000

unkown

page read and write

6B00000

remote allocation

page read and write

187E000

heap

page read and write

FEE000

stack

page read and write

10E0000

direct allocation

page read and write

CF37BFC000

stack

page read and write

1070000

heap

page read and write

5ABA000

trusted library allocation

page read and write

4931000

heap

page read and write

26ADFDD0000

heap

page read and write

5A31000

unclassified section

page execute read

1972000

heap

page read and write

601000

unkown

page readonly

552000

unkown

page readonly

1908000

heap

page read and write

1883000

heap

page read and write

1970000

heap

page read and write

14F9000

heap

page read and write

18B0000

heap

page read and write

26ADFC60000

heap

page read and write

768D000

stack

page read and write

13FB000

heap

page read and write

100000

heap

page read and write

1004000

heap

page read and write

26ADFD30000

heap

page read and write

6E8E000

stack

page read and write

15F7000

heap

page read and write

CF37F7F000

stack

page read and write

18C7000

heap

page read and write

4940000

heap

page read and write

5AA0000

heap

page read and write

CF37EFF000

stack

page read and write

76DD000

stack

page read and write

188D000

heap

page read and write

5C0000

unkown

page read and write

10DC000

stack

page read and write

13FB000

heap

page read and write

190E000

heap

page read and write

18A9000

heap

page read and write

5A7C000

unclassified section

page readonly

4931000

heap

page read and write

16F5000

heap

page read and write

187B000

heap

page read and write

18C4000

heap

page read and write

5AC000

unkown

page read and write

FB0000

trusted library allocation

page read and write

5CB000

unkown

page readonly

1000000

heap

page read and write

189D000

heap

page read and write

5C7C000

trusted library allocation

page read and write

1004000

heap

page read and write

1180000

heap

page read and write

26ADFB60000

heap

page read and write

6B00000

remote allocation

page read and write

522F000

stack

page read and write

18FB000

heap

page read and write

127E000

heap

page read and write

ECD000

stack

page read and write

1872000

heap

page read and write

4931000

heap

page read and write

218F000

stack

page read and write

26ADFC40000

heap

page read and write

5A7F000

unclassified section

page write copy

5A84000

unclassified section

page read and write

1886000

heap

page read and write

1872000

heap

page read and write

879E000

stack

page read and write

8840000

heap

page read and write

CF37E7E000

stack

page read and write

7F3E000

stack

page read and write

5AC000

unkown

page write copy

18CF000

heap

page read and write

18D6000

heap

page read and write

1896000

heap

page read and write

There are 117 hidden memdumps, click here to show them.

DOM / HTML

URL

Malicious

https://finalstepgo.com/uploads/il2.txt

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
https://finalstepgo.com/uploads/il2.txt

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

DOM / HTML

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporthttps://finalstepgo.com/uploads/il2.txt

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

DOM / HTML

IOC Report
https://finalstepgo.com/uploads/il2.txt