Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

.05.2024.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.922347728733782
Filename:	.05.2024.exe
Filesize:	526336
MD5:	d3720192678d263171733ef9ba7fa67c
SHA1:	1215ed86a8d470428d98cfe91eafb13c491dbcb4
SHA256:	e5c2ca734e0aaf255809667c558bad65384fe32f5a5fa2b7152cf01958916943
SHA512:	037563164849d5ae7db4acd308e45fb7cbffc3f564ba71a09cc6a6d8c9c764aa95f69667cbb40783cd026fa599b7bb3c3249c4abee4d142f027c4d6e62c59999
SSDEEP:	12288:8tLn7qQ74Si3SW2HRawGaSUtEry10Vlnv9AVwu:o7J7niiW2xaHmClnKVwu
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...S^.f................................. ........@.. .......................`............@................................

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation
.NET source code contains very large array initializations	System Summary	Disable or Modify Tools
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
Moves itself to temp directory	Hooking and other Techniques for Hiding and Protection
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Abnormal high CPU Usage	System Summary
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Archive Collected Data
Enables debug privileges	Anti Debugging
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains long base64-encoded strings	System Summary	Disable or Modify Tools Obfuscated Files or Information
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary	System Information Discovery
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\.05.2024.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\.05.2024.exe.log
Category:	dropped
Dump:	.05.2024.exe.log.4.dr
ID:	dr_0
Target ID:	4
Process:	C:\Users\user\Desktop\.05.2024.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Category:	dropped
Dump:	StartupProfileData-NonInteractive.8.dr
ID:	dr_1
Target ID:	8
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	5.379552885213346
Encrypted:	false
Ssdeep:	48:fWSU4xympjgs4RIoU99tK8NPZHUl7u1iMugeC/ZM0Uyus:fLHxvCsIfA2KRHmOugw1s
Size:	2232
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1xusvxm1.sgs.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1xusvxm1.sgs.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_1xusvxm1.sgs.ps1.8.dr
ID:	dr_4
Target ID:	8
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hiw2simt.mfn.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hiw2simt.mfn.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_hiw2simt.mfn.psm1.8.dr
ID:	dr_5
Target ID:	8
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hj0k2r1s.ffs.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hj0k2r1s.ffs.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_hj0k2r1s.ffs.psm1.8.dr
ID:	dr_3
Target ID:	8
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ombvvhhf.taa.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ombvvhhf.taa.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_ombvvhhf.taa.ps1.8.dr
ID:	dr_2
Target ID:	8
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\.05.2024.exe

"C:\Users\user\Desktop\.05.2024.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4296
Target ID:	4
Parent PID:	4056
Name:	.05.2024.exe
Path:	C:\Users\user\Desktop\.05.2024.exe
Commandline:	"C:\Users\user\Desktop\.05.2024.exe"
Size:	526336
MD5:	D3720192678D263171733EF9BA7FA67C
Time:	06:52:04
Date:	27/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x120000
Modulesize:	548864
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Machine Learning detection for sample	AV Detection
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet	System Summary
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Powershell Defender Exclusion	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\.05.2024.exe"

Details

Is windows:	true
Is dropped:	false
PID:	968
Target ID:	8
Parent PID:	4296
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\.05.2024.exe"
Size:	433152
MD5:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Time:	06:52:05
Date:	27/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xa60000
Modulesize:	446464
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Powershell Defender Exclusion	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\Desktop\.05.2024.exe

"C:\Users\user\Desktop\.05.2024.exe"

Details

Is windows:	false
Is dropped:	false
PID:	1424
Target ID:	10
Parent PID:	4296
Name:	.05.2024.exe
Path:	C:\Users\user\Desktop\.05.2024.exe
Commandline:	"C:\Users\user\Desktop\.05.2024.exe"
Size:	526336
MD5:	D3720192678D263171733EF9BA7FA67C
Time:	06:52:05
Date:	27/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x490000
Modulesize:	548864
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Machine Learning detection for sample	AV Detection
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet	System Summary
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Powershell Defender Exclusion	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	1432
Target ID:	9
Parent PID:	968
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	06:52:05
Date:	27/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff75da10000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\wbem\WmiPrvSE.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	7400
Target ID:	12
Parent PID:	748
Name:	WmiPrvSE.exe
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Size:	496640
MD5:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Time:	06:52:10
Date:	27/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	true
Modulebase:	0x7ff7fb730000
Modulesize:	516096
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://api.telegram.org/bot6783395654:AAGHZk1wugh441q673h1nDNWiVYW4p6ewXc/sendDocument?chat_id=-4209622687&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake

149.154.167.220

https://api.telegram.org

unknown

https://api.telegram.org/bot

unknown

https://api.telegram

unknown

http://checkip.dyndns.org/

193.122.130.0

https://api.telegram.org/botx

unknown

http://api.telegram.orgx

unknown

https://api.telegram.org/bot6783395654:AAGHZk1wugh441q673h1nDNWiVYW4p6ewXc/sendDocument?chat_id=-420

unknown

http://checkip.dyndns.org/q

unknown

https://reallyfreegeoip.org/xml/8.46.123.33

188.114.96.3

http://api.telegram.org

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://reallyfreegeoip.org/xml/

unknown

There are 3 hidden URLs, click here to show them.

Domains

Name

Malicious

reallyfreegeoip.org

188.114.96.3

Details

Name:	reallyfreegeoip.org
IP:	188.114.96.3
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Tries to detect the country of the analysis system (by using the IP)	Location Tracking
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Suricata IDS alerts with low severity for network traffic	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

api.telegram.org

149.154.167.220

Details

Name:	api.telegram.org
IP:	149.154.167.220
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
Uses the Telegram API (likely for C&C communication)	Networking	Web Service
HTTP GET or POST without a user agent	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.com

193.122.130.0

IPs

Domain

Country

Malicious

149.154.167.220

api.telegram.org

United Kingdom

Details

IP:	149.154.167.220
TargetID:	10
Current Path:	C:\Users\user\Desktop\.05.2024.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	62041
ASN name:	TELEGRAMRU
Private:	false
Domain:	api.telegram.org

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

188.114.96.3

reallyfreegeoip.org

European Union

Details

IP:	188.114.96.3
TargetID:	10
Current Path:	C:\Users\user\Desktop\.05.2024.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

193.122.130.0

checkip.dyndns.com

United States

Details

IP:	193.122.130.0
TargetID:	10
Current Path:	C:\Users\user\Desktop\.05.2024.exe
Country:	United States
Countrycode:	USA
ASN number:	31898
ASN name:	ORACLE-BMC-31898US
Private:	false
Domain:	checkip.dyndns.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

357C000

trusted library allocation

page read and write

278C000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

26D1000

trusted library allocation

page read and write

4D50000

trusted library allocation

page read and write

4974000

trusted library allocation

page read and write

CB0000

trusted library allocation

page read and write

78A000

trusted library allocation

page execute and read and write

4970000

trusted library allocation

page read and write

AE0000

trusted library allocation

page read and write

2768000

trusted library allocation

page read and write

27E6000

trusted library allocation

page read and write

2BE6000

trusted library allocation

page read and write

9DE000

stack

page read and write

B5A000

heap

page read and write

2A06000

trusted library allocation

page read and write

806000

heap

page read and write

2BEE000

trusted library allocation

page read and write

280F000

trusted library allocation

page read and write

4D22000

trusted library allocation

page read and write

27A2000

trusted library allocation

page read and write

B07000

heap

page read and write

5330000

trusted library allocation

page read and write

76D000

trusted library allocation

page execute and read and write

272F000

trusted library allocation

page read and write

486E000

stack

page read and write

2784000

trusted library allocation

page read and write

EC0000

heap

page read and write

422000

remote allocation

page execute and read and write

AC5000

heap

page read and write

50DF000

stack

page read and write

4963000

heap

page read and write

2BBE000

trusted library allocation

page read and write

8B6000

heap

page read and write

9660000

trusted library allocation

page execute and read and write

6510000

trusted library allocation

page read and write

2774000

trusted library allocation

page read and write

27D6000

trusted library allocation

page read and write

CE2000

trusted library allocation

page read and write

6A70000

heap

page read and write

2C0E000

trusted library allocation

page read and write

6A79000

heap

page read and write

4CFB000

trusted library allocation

page read and write

26B0000

trusted library allocation

page read and write

273E000

trusted library allocation

page read and write

9880000

heap

page read and write

241F000

stack

page read and write

9645000

trusted library allocation

page read and write

3489000

trusted library allocation

page read and write

36D1000

trusted library allocation

page read and write

987D000

stack

page read and write

4A30000

trusted library allocation

page execute and read and write

CD0000

trusted library allocation

page read and write

CE7000

trusted library allocation

page execute and read and write

1A2000

unkown

page readonly

6550000

trusted library allocation

page execute and read and write

703E000

stack

page read and write

CF0000

heap

page read and write

2C0A000

trusted library allocation

page read and write

6A60000

heap

page read and write

29E6000

trusted library allocation

page read and write

2A36000

trusted library allocation

page read and write

A3E000

stack

page read and write

27FB000

trusted library allocation

page read and write

4A40000

trusted library allocation

page read and write

282B000

trusted library allocation

page read and write

5100000

trusted library allocation

page read and write

AF0000

heap

page execute and read and write

29D6000

trusted library allocation

page read and write

2A3A000

trusted library allocation

page read and write

764000

trusted library allocation

page read and write

4428000

trusted library allocation

page read and write

B29000

heap

page read and write

4A42000

trusted library allocation

page read and write

3755000

trusted library allocation

page read and write

AAD000

heap

page read and write

27FF000

trusted library allocation

page read and write

50AE000

stack

page read and write

73C71000

unkown

page execute read

60AB000

heap

page read and write

2690000

heap

page execute and read and write

4E6D000

stack

page read and write

27DA000

trusted library allocation

page read and write

2827000

trusted library allocation

page read and write

4B50000

heap

page execute and read and write

2C1A000

trusted library allocation

page read and write

2670000

trusted library allocation

page read and write

29EE000

trusted library allocation

page read and write

4F70000

heap

page read and write

5348000

trusted library allocation

page read and write

61BF000

stack

page read and write

49B0000

trusted library allocation

page read and write

2850000

trusted library allocation

page read and write

2310000

heap

page read and write

498E000

trusted library allocation

page read and write

B86000

heap

page read and write

534B000

trusted library allocation

page read and write

9D3E000

stack

page read and write

4D8D000

stack

page read and write

2BF2000

trusted library allocation

page read and write

2BC6000

trusted library allocation

page read and write

96AD000

stack

page read and write

64E0000

trusted library allocation

page read and write

99BE000

stack

page read and write

4D0E000

trusted library allocation

page read and write

2BDA000

trusted library allocation

page read and write

9EBB000

stack

page read and write

64C0000

trusted library allocation

page execute and read and write

6A83000

heap

page read and write

2AB7000

trusted library allocation

page read and write

CD6000

trusted library allocation

page execute and read and write

62FE000

stack

page read and write

4D65000

heap

page read and write

AB9000

heap

page read and write

920000

heap

page read and write

60B5000

heap

page read and write

3421000

trusted library allocation

page read and write

2BE2000

trusted library allocation

page read and write

4D0A000

trusted library allocation

page read and write

CDA000

trusted library allocation

page execute and read and write

80A000

heap

page read and write

22F0000

heap

page read and write

6B0000

heap

page read and write

4996000

trusted library allocation

page read and write

CB4000

trusted library allocation

page read and write

497B000

trusted library allocation

page read and write

27E2000

trusted library allocation

page read and write

120000

unkown

page readonly

50F0000

trusted library section

page read and write

65D0000

heap

page read and write

64F0000

trusted library allocation

page read and write

CE5000

trusted library allocation

page execute and read and write

2A22000

trusted library allocation

page read and write

45FC000

stack

page read and write

A70000

heap

page read and write

2BB2000

trusted library allocation

page read and write

6A87000

heap

page read and write

713E000

stack

page read and write

6BAE000

stack

page read and write

22EE000

stack

page read and write

773000

trusted library allocation

page read and write

763000

trusted library allocation

page execute and read and write

3739000

trusted library allocation

page read and write

63BE000

stack

page read and write

282F000

trusted library allocation

page read and write

29DE000

trusted library allocation

page read and write

60D9000

heap

page read and write

CBD000

trusted library allocation

page execute and read and write

2764000

trusted library allocation

page read and write

2BEA000

trusted library allocation

page read and write

786000

trusted library allocation

page execute and read and write

27EF000

trusted library allocation

page read and write

2864000

trusted library allocation

page read and write

60F6000

heap

page read and write

617D000

stack

page read and write

2421000

trusted library allocation

page read and write

77D000

trusted library allocation

page execute and read and write

2A0E000

trusted library allocation

page read and write

68FE000

stack

page read and write

A0FE000

stack

page read and write

29E2000

trusted library allocation

page read and write

292C000

trusted library allocation

page read and write

81F000

heap

page read and write

5EFE000

stack

page read and write

7E0000

heap

page read and write

6A7B000

heap

page read and write

814000

heap

page read and write

891000

heap

page read and write

60ED000

heap

page read and write

611D000

heap

page read and write

50EE000

stack

page read and write

280B000

trusted library allocation

page read and write

2813000

trusted library allocation

page read and write

2C1E000

trusted library allocation

page read and write

4CFE000

trusted library allocation

page read and write

2BFE000

trusted library allocation

page read and write

A98000

heap

page read and write

64E9000

trusted library allocation

page read and write

4D60000

heap

page read and write

4B20000

trusted library section

page readonly

29F6000

trusted library allocation

page read and write

537000

stack

page read and write

29FE000

trusted library allocation

page read and write

9C3E000

stack

page read and write

6CB0000

trusted library section

page read and write

499D000

trusted library allocation

page read and write

C8E000

stack

page read and write

A110000

trusted library allocation

page read and write

CA0000

trusted library allocation

page read and write

2680000

trusted library allocation

page read and write

29CE000

trusted library allocation

page read and write

2C12000

trusted library allocation

page read and write

4991000

trusted library allocation

page read and write

2C02000

trusted library allocation

page read and write

2BD6000

trusted library allocation

page read and write

2A1E000

trusted library allocation

page read and write

EA0000

trusted library allocation

page read and write

603F000

stack

page read and write

49A2000

trusted library allocation

page read and write

2BC2000

trusted library allocation

page read and write

61FE000

stack

page read and write

4D90000

heap

page read and write

4D1D000

trusted library allocation

page read and write

2729000

trusted library allocation

page read and write

2A02000

trusted library allocation

page read and write

27F7000

trusted library allocation

page read and write

770000

trusted library allocation

page read and write

797000

trusted library allocation

page execute and read and write

49C0000

trusted library allocation

page read and write

67BE000

stack

page read and write

9FFE000

stack

page read and write

612D000

heap

page read and write

863000

heap

page read and write

73E000

stack

page read and write

9640000

trusted library allocation

page read and write

9AFE000

stack

page read and write

6FE000

stack

page read and write

261F000

stack

page read and write

400000

remote allocation

page execute and read and write

6500000

trusted library allocation

page execute and read and write

2760000

trusted library allocation

page read and write

3449000

trusted library allocation

page read and write

5A0000

heap

page read and write

2BAE000

trusted library allocation

page read and write

60CA000

heap

page read and write

A90000

heap

page read and write

2919000

trusted library allocation

page read and write

79B000

trusted library allocation

page execute and read and write

2C22000

trusted library allocation

page read and write

6B5000

heap

page read and write

2A12000

trusted library allocation

page read and write

CCD000

trusted library allocation

page execute and read and write

7EE000

heap

page read and write

29CA000

trusted library allocation

page read and write

276C000

trusted library allocation

page read and write

2BCE000

trusted library allocation

page read and write

2BBA000

trusted library allocation

page read and write

73C86000

unkown

page readonly

281F000

trusted library allocation

page read and write

2823000

trusted library allocation

page read and write

271F000

trusted library allocation

page read and write

CC0000

trusted library allocation

page read and write

2A1A000

trusted library allocation

page read and write

4EE0000

heap

page read and write

73C70000

unkown

page readonly

4F90000

heap

page read and write

439000

stack

page read and write

2A26000

trusted library allocation

page read and write

4950000

trusted library allocation

page read and write

2BB6000

trusted library allocation

page read and write

B80000

heap

page read and write

680000

heap

page read and write

2BF6000

trusted library allocation

page read and write

2931000

trusted library allocation

page read and write

4C90000

trusted library allocation

page execute and read and write

251E000

stack

page read and write

9FBC000

stack

page read and write

49E0000

trusted library allocation

page read and write

3429000

trusted library allocation

page read and write

285A000

trusted library allocation

page read and write

64BE000

stack

page read and write

29D2000

trusted library allocation

page read and write

6CAE000

stack

page read and write

2D08000

trusted library allocation

page read and write

7C0000

trusted library allocation

page read and write

B00000

heap

page read and write

6A90000

heap

page read and write

5345000

trusted library allocation

page read and write

4C8C000

stack

page read and write

44FC000

stack

page read and write

284B000

trusted library allocation

page read and write

7D0000

trusted library allocation

page execute and read and write

9BFE000

stack

page read and write

281B000

trusted library allocation

page read and write

2A2A000

trusted library allocation

page read and write

4CB1000

trusted library allocation

page read and write

376A000

trusted library allocation

page read and write

6640000

heap

page read and write

2770000

trusted library allocation

page read and write

6070000

heap

page read and write

2817000

trusted library allocation

page read and write

275C000

trusted library allocation

page read and write

36F9000

trusted library allocation

page read and write

277C000

trusted library allocation

page read and write

4C2E000

stack

page read and write

4BEE000

stack

page read and write

2660000

trusted library allocation

page read and write

5F0000

heap

page read and write

2BCA000

trusted library allocation

page read and write

4F7E000

heap

page read and write

EB0000

trusted library allocation

page execute and read and write

64D0000

trusted library allocation

page execute and read and write

2DF1000

trusted library allocation

page read and write

7B0000

heap

page read and write

6530000

trusted library allocation

page execute and read and write

27EB000

trusted library allocation

page read and write

4940000

trusted library allocation

page read and write

6083000

heap

page read and write

652E000

trusted library allocation

page read and write

4E80000

heap

page read and write

2BDE000

trusted library allocation

page read and write

8F7000

stack

page read and write

73C8F000

unkown

page readonly

122000

unkown

page readonly

6540000

trusted library allocation

page read and write

60E5000

heap

page read and write

6135000

heap

page read and write

609E000

heap

page read and write

4D16000

trusted library allocation

page read and write

2803000

trusted library allocation

page read and write

2780000

trusted library allocation

page read and write

6A69000

heap

page read and write

A120000

trusted library allocation

page read and write

2A0A000

trusted library allocation

page read and write

CB3000

trusted library allocation

page execute and read and write

60D0000

heap

page read and write

29F2000

trusted library allocation

page read and write

2471000

trusted library allocation

page read and write

4CF0000

trusted library allocation

page read and write

2A32000

trusted library allocation

page read and write

4AF0000

trusted library allocation

page read and write

2A2E000

trusted library allocation

page read and write

2BD2000

trusted library allocation

page read and write

2AC4000

trusted library allocation

page read and write

750000

trusted library allocation

page read and write

26C0000

heap

page read and write

283D000

trusted library allocation

page read and write

4B30000

heap

page read and write

49B5000

trusted library allocation

page read and write

2C06000

trusted library allocation

page read and write

5F3E000

stack

page read and write

27D2000

trusted library allocation

page read and write

4960000

heap

page read and write

60FF000

heap

page read and write

782000

trusted library allocation

page read and write

375E000

trusted library allocation

page read and write

2807000

trusted library allocation

page read and write

6520000

trusted library allocation

page read and write

9ABE000

stack

page read and write

CEB000

trusted library allocation

page execute and read and write

821000

heap

page read and write

6A94000

heap

page read and write

60AF000

heap

page read and write

2A16000

trusted library allocation

page read and write

5340000

trusted library allocation

page read and write

4D11000

trusted library allocation

page read and write

29EA000

trusted library allocation

page read and write

5A9000

stack

page read and write

73C8D000

unkown

page read and write

6A8B000

heap

page read and write

69FF000

stack

page read and write

60CD000

heap

page read and write

6F90000

trusted library section

page read and write

27DE000

trusted library allocation

page read and write

2CFC000

trusted library allocation

page read and write

760000

trusted library allocation

page read and write

273A000

trusted library allocation

page read and write

CD2000

trusted library allocation

page read and write

7FF000

heap

page read and write

68BF000

stack

page read and write

4B40000

heap

page read and write

6040000

heap

page read and write

46D8000

trusted library allocation

page read and write

2855000

trusted library allocation

page read and write

2BFA000

trusted library allocation

page read and write

50E0000

heap

page execute and read and write

5F5000

heap

page read and write

29FA000

trusted library allocation

page read and write

2C16000

trusted library allocation

page read and write

5DFE000

stack

page read and write

4A20000

heap

page read and write

2674000

trusted library allocation

page read and write

29DA000

trusted library allocation

page read and write

2742000

trusted library allocation

page read and write

27F3000

trusted library allocation

page read and write

7F410000

trusted library allocation

page execute and read and write

2A3E000

trusted library allocation

page read and write

49A0000

trusted library allocation

page read and write

4D93000

heap

page read and write

265C000

stack

page read and write

4CF6000

trusted library allocation

page read and write

2B5F000

trusted library allocation

page read and write

A40000

heap

page read and write

2778000

trusted library allocation

page read and write

4E70000

heap

page read and write

ADF000

stack

page read and write

4CC0000

heap

page read and write

There are 377 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
.05.2024.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report.05.2024.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
.05.2024.exe