Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.876578872512974
Filename:	file.exe
Filesize:	1030144
MD5:	c005d4ffa3e28c22b41a9d222598260a
SHA1:	57cc3a6540bc38c649ddfdd54fa4f3c8a2423677
SHA256:	799d10acbb0e2886c4d32c771964f4c2cb47f93c817cdc26a9acaefa3ba042cb
SHA512:	ce39903c46160deeee1c7b362000361a3f5a9243b2e180bbaafa5b8ab09cc09ca413ce32f4deb2074fa928110d25b3dae7465c849fc388a58ddf649a9caa3a68
SSDEEP:	24576:WdZE+NmjQ5WymWeoSAj6YztpJF+6Xkb1rlNF:YZbAjQ5WZW2KNFNXmF
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........`!...r...r...r...s...r...s\|..r...s...r...s...r...rJ..r...s...r...s...r...s...r...s...r...s...rRich...r.......................

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation	Software Packing
.NET source code contains very large array initializations	System Summary	Disable or Modify Tools
Machine Learning detection for sample	AV Detection
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates files inside the user directory	System Summary	Masquerading
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Reads ini files	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Users\user\AppData\Roaming\2p4HikHFep.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\2p4HikHFep.exe
Category:	dropped
Dump:	2p4HikHFep.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.082476369292545
Encrypted:	false
Ssdeep:	3072:Vq6EgY6iYrUjxQMbwPP9ktwT9N3TAVtYSK6VcZqf7D34teqiOLibBOc:cqY6i/wPCKN3TAbYgVcZqf7DIXL
Size:	311296
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Installs new ROOT certificates	Persistence and Installation Behavior	Install Root Certificate
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	Data from Local System OS Credential Dumping
Tries to steal Crypto Currency Wallets	Stealing of Sensitive Information	Data from Local System
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Security Software Discovery Windows Management Instrumentation
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Drops certificate files (DER)	E-Banking Fraud
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe

PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe
Category:	dropped
Dump:	IDVNp0HKaI.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.1274870659064
Encrypted:	false
Ssdeep:	6144:ChhuRs6j+uinO16pSuHugxyyyuf7CQHKCt/qXiZDo3xOxAAFQXNDHrg49/2CXfG:kuRR8YmpHug/7bXtiyZAcaAFyNR9Oqf
Size:	501760
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected zgRAT	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for dropped file	AV Detection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Enables security privileges	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\Public\Desktop\Google Chrome.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Thu Oct 5 05:47:17 2023, atime=Wed Sep 27 08:36:54 2023, length=3242272, window=hide

dropped

Details

File:	C:\Users\Public\Desktop\Google Chrome.lnk
Category:	dropped
Dump:	Google Chrome.lnk.4.dr
ID:	dr_7
Target ID:	4
Process:	C:\Users\user\AppData\Roaming\2p4HikHFep.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Thu Oct 5 05:47:17 2023, atime=Wed Sep 27 08:36:54 2023, length=3242272, window=hide
Entropy:	3.467262442226708
Encrypted:	false
Ssdeep:	48:8S4d5TvGk0lRYrnvPdAKRkdAGdAKRFdAKR6P:8SSbH7
Size:	2104
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2p4HikHFep.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2p4HikHFep.exe.log
Category:	dropped
Dump:	2p4HikHFep.exe.log.4.dr
ID:	dr_3
Target ID:	4
Process:	C:\Users\user\AppData\Roaming\2p4HikHFep.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.3318368586986695
Encrypted:	false
Ssdeep:	96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlqY
Size:	3274
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IDVNp0HKaI.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IDVNp0HKaI.exe.log
Category:	dropped
Dump:	IDVNp0HKaI.exe.log.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.345080863654519
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
Size:	1119
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Local\Temp\Tmp8D32.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Tmp8D32.tmp
Category:	dropped
Dump:	Tmp8D32.tmp.4.dr
ID:	dr_4
Target ID:	4
Process:	C:\Users\user\AppData\Roaming\2p4HikHFep.exe
Type:	data
Entropy:	7.8230547059446645
Encrypted:	false
Ssdeep:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
Size:	2662
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops certificate files (DER)	E-Banking Fraud
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\Tmp8D43.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Tmp8D43.tmp
Category:	dropped
Dump:	Tmp8D43.tmp.4.dr
ID:	dr_5
Target ID:	4
Process:	C:\Users\user\AppData\Roaming\2p4HikHFep.exe
Type:	data
Entropy:	7.8230547059446645
Encrypted:	false
Ssdeep:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
Size:	2662
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops certificate files (DER)	E-Banking Fraud

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06
Category:	dropped
Dump:	76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06.4.dr
ID:	dr_6
Target ID:	4
Process:	C:\Users\user\AppData\Roaming\2p4HikHFep.exe
Type:	data
Entropy:	0.0
Encrypted:	false
Ssdeep:	3::
Size:	2251
Whitelisted:	true
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7116
Target ID:	0
Parent PID:	4004
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	1030144
MD5:	C005D4FFA3E28C22B41A9D222598260A
Time:	19:01:25
Date:	28/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xd90000
Modulesize:	1044480
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected zgRAT	Stealing of Sensitive Information, Remote Access Functionality
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Machine Learning detection for sample	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe

"C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe"

Details

Is windows:	false
Is dropped:	true
PID:	4568
Target ID:	2
Parent PID:	7116
Name:	IDVNp0HKaI.exe
Path:	C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe
Commandline:	"C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe"
Size:	501760
MD5:	B473C40205C61DC4750BC49F779908DD
Time:	19:01:25
Date:	28/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xc60000
Modulesize:	524288
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected zgRAT	Stealing of Sensitive Information, Remote Access Functionality
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Creates files inside the user directory	System Summary	Masquerading
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\2p4HikHFep.exe

"C:\Users\user\AppData\Roaming\2p4HikHFep.exe"

Details

Is windows:	false
Is dropped:	true
PID:	1512
Target ID:	4
Parent PID:	7116
Name:	2p4HikHFep.exe
Path:	C:\Users\user\AppData\Roaming\2p4HikHFep.exe
Commandline:	"C:\Users\user\AppData\Roaming\2p4HikHFep.exe"
Size:	311296
MD5:	65C058E4A90D2EC70B03211D768B6ECC
Time:	19:01:25
Date:	28/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x140000
Modulesize:	335872
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	3460
Target ID:	3
Parent PID:	4568
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	19:01:25
Date:	28/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff66e660000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/sct

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk

unknown

https://duckduckgo.com/ac/?q=

unknown

http://tempuri.org/Entity/Id14ResponseD

unknown

http://tempuri.org/Entity/Id23ResponseD

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary

unknown

http://tempuri.org/Entity/Id12Response

unknown

http://tempuri.org/

unknown

http://tempuri.org/Entity/Id2Response

unknown

http://tempuri.org/Entity/Id15V

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1

unknown

http://tempuri.org/Entity/Id21Response

unknown

http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap

unknown

http://tempuri.org/Entity/Id9

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID

unknown

http://tempuri.org/Entity/Id8

unknown

http://tempuri.org/Entity/Id6ResponseD

unknown

http://tempuri.org/Entity/Id5

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare

unknown

http://tempuri.org/Entity/Id4

unknown

http://tempuri.org/Entity/Id7

unknown

http://tempuri.org/Entity/Id6

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret

unknown

http://tempuri.org/Entity/Id19Response

unknown

http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence

unknown

http://tempuri.org/Entity/Id13ResponseD

unknown

https://discord.com/api/v9/users/

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/fault

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey

unknown

http://tempuri.org/Entity/Id15Response

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register

unknown

http://tempuri.org/Entity/Id6Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey

unknown

https://api.ip.sb/ip

unknown

http://schemas.xmlsoap.org/ws/2004/04/sc

unknown

http://tempuri.org/Entity/Id1ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel

unknown

http://tempuri.org/Entity/Id9Response

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

http://tempuri.org/Entity/Id20

unknown

http://tempuri.org/Entity/Id21

unknown

http://tempuri.org/Entity/Id22

unknown

http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1

unknown

http://tempuri.org/Entity/Id23

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1

unknown

http://tempuri.org/Entity/Id24

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue

unknown

http://tempuri.org/Entity/Id24Response

unknown

https://www.ecosia.org/newtab/

unknown

http://tempuri.org/Entity/Id1Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey

unknown

http://tempuri.org/Entity/Id21ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust

unknown

http://tempuri.org/Entity/Id10

unknown

http://tempuri.org/Entity/Id11

unknown

http://tempuri.org/Entity/Id10ResponseD

unknown

http://tempuri.org/Entity/Id12

unknown

http://tempuri.org/Entity/Id16Response

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel

unknown

http://tempuri.org/Entity/Id13

unknown

http://tempuri.org/Entity/Id14

unknown

http://tempuri.org/Entity/Id15

unknown

http://tempuri.org/Entity/Id16

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce

unknown

http://tempuri.org/Entity/Id17

unknown

http://tempuri.org/Entity/Id18

unknown

http://tempuri.org/Entity/Id5Response

unknown

http://tempuri.org/Entity/Id19

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns

unknown

http://tempuri.org/Entity/Id15ResponseD

unknown

http://tempuri.org/Entity/Id10Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Renew

unknown

http://tempuri.org/Entity/Id11ResponseD

unknown

http://tempuri.org/Entity/Id8Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT

unknown

http://schemas.xmlsoap.org/ws/2006/02/addressingidentity

unknown

http://tempuri.org/Entity/Id17ResponseD

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

There are 90 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

65.21.18.51

unknown

United States

Details

IP:	65.21.18.51
TargetID:	4
Current Path:	C:\Users\user\AppData\Roaming\2p4HikHFep.exe
Country:	United States
Countrycode:	USA
ASN number:	199592
ASN name:	CP-ASDE
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064

Blob

Details

TargetID:	4
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064
Value name:	Blob
Value data:	0B 00 00 00 01 00 00 00 48 00 00 00 54 00 69 00 74 00 61 00 6E 00 69 00 75 00 6D 00 20 00 52 00 6F 00 6F 00 74 00 20 00 43 00 65 00 72 00 74 00 69 00 66 00 69 00 63 00 61 00 74 00 65 00 20 00 41 00 75 00 74 00 68 00 6F 00 72 00 69 00 74 00 79 00 00 00 02 00 00 00 01 00 00 00 CC 00 00 00 1C 00 00 00 6C 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 7B 00 34 00 31 00 37 00 34 00 34 00 42 00 45 00 34 00 2D 00 31 00 31 00 43 00 35 00 2D 00 34 00 39 00 34 00 43 00 2D 00 41 00 32 00 31 00 33 00 2D 00 42 00 41 00 30 00 43 00 45 00 39 00 34 00 34 00 39 00 33 00 38 00 45 00 7D 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 45 00 6E 00 68 00 61 00 6E 00 63 00 65 00 64 00 20 00 43 00 72 00 79 00 70 00 74 00 6F 00 67 00 72 00 61 00 70 00 68 00 69 00 63 00 20 00 50 00 72 00 6F 00 76 00 69 00 64 00 65 00 72 00 20 00 76 00 31 00 2E 00 30 00 00 00 00 00 03 00 00 00 01 00 00 00 14 00 00 00 F1 A5 78 C4 CB 5D E7 9A 37 08 93 98 3F D4 DA 8B 67 B2 B0 64 20 00 00 00 01 00 00 00 0A 03 00 00 30 82 03 06 30 82 01 EE A0 03 02 01 02 02 08 67 F7 BE B9 6A 4C 27 98 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30 2E 31 2C 30 2A 06 03 55 04 03 0C 23 54 69 74 61 6E 69 75 6D 20 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 79 30 1E 17 0D 32 33 30 33 31 34 31 30 33 35 32 30 5A 17 0D 32 36 30 36 31 37 31 30 33 35 32 30 5A 30 2E 31 2C 30 2A 06 03 55 04 03 0C 23 54 69 74 61 6E 69 75 6D 20 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 79 30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01 00 86 E4 57 7A 58 61 CE 81 91 77 D0 05 FA 51 D5 51 5A 93 6C 61 0C CF CB DE 53 32 CD 15 1D A6 47 EE 88 1A 24 5C 9B 02 83 3B 02 AF 3D 76 FE 20 BD 3B FA F7 A2 09 73 E7 2E BD 94 40 D0 9D 8C 3D 27 13 BD F0 D0 9F EB 95 32 AC D7 A4 2D A2 A9 52 DA A8 6A 2A 88 EE 42 7D 30 95 9D 90 BF BA 05 27 6A A0 29 98 A6 98 6F C0 13 06 62 9B 79 B8 40 5D 1F 1F A6 D9 A4 2F 82 7A FC 75 66 34 0D C2 DE 27 01 2B 94 BB 4A 27 B3 CB 1C 21 9A 3C B2 C1 42 03 F3 44 51 BD 62 65 20 ED D4 DB CC 41 4F 59 3F 2A CB C4 84 79 F7 14 3C BE 13 9C FD 12 9C 91 3E 53 03 DC 20 F9 4C 44 35 89 01 B6 9A 84 8D 7E A0 2E 30 8A 31 15 60 AC 00 AE 00 9A 29 10 9A EE D9 71 3D D8 91 9B 97 ED 59 80 58 E1 7F 07 26 C7 A0 20 F7 10 AB C0 62 91 DF AA F1 81 C6 BE 6A 76 C8 9C B6 8E B0 B0 EC 1C D9 5F 32 6C 7E 55 58 8B FD 76 C5 19 02 03 01 00 01 A3 28 30 26 30 13 06 03 55 1D 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 03 82 01 01 00 70 85 12 93 D7 57 E9 82 79 7D C5 F7 F2 7D A8 94 EF 0C DB 32 9F 06 A6 09 6E 0C F6 04 B0 E5 47 11 56 0E F4 0F 52 82 08 2E 21 0F 55 A3 DB 41 F3 12 54 8B 76 11 F5 F0 DA CE A3 C7 8B 13 F6 FC 24 3C 02 B1 06 66 5B E6 9E 18 40 88 41 5B 27 39 99 B8 77 BE E3 53 A2 48 CE C7 EE B5 A0 95 C2 17 4B C9 52 6C AF E3 37 2C 59 DB FB E7 58 13 4E D3 51 E5 14 72 73 FE C6 85 77 AE 45 52 A6 F9 9A C8 0C A8 D0 EE 42 2A F5 28 85 8C 6B E8 1C B0 A8 03 1A B0 AE 83 C0 EB 55 64 F4 E8 7A 5C 06 29 5D 39 03 EE E2 FD F9 2D 62 A7 F4 D4 05 4D EA A7 9B CA EB DA 4E 8B 1A 6E FD 42 AE F9 D0 1C 70 75 72 8C B1 3A A8 55 7C 85 A7 25 32 B5 E2 D6 C3 E5 50 41 C9 86 7C A8 F5 62 BB D2 AB 0C 37 10 D8 31 73 EC 37 81 D1 DC AA C5 C6 E0 7E E7 26 62 4D FD C5 81 4C FF D3 36 E1 79 32 F8 9B EB 9C F7 FD BE E9 BE BF 61

Signature Hits	Behavior Group	Mitre Attack
Installs new ROOT certificates	Persistence and Installation Behavior	Install Root Certificate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Owner

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

SessionHash

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Sequence

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFiles0000

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFilesHash

Memdumps

Base Address

Regiontype

Protect

Malicious

142000

unkown

page readonly

E09000

unkown

page read and write

DC4000

unkown

page read and write

C62000

unkown

page readonly

2471000

trusted library allocation

page read and write

497D000

trusted library allocation

page read and write

609E000

stack

page read and write

4976000

trusted library allocation

page read and write

BDE000

stack

page read and write

57C0000

heap

page read and write

6D36000

heap

page read and write

27D7000

trusted library allocation

page read and write

31F3000

trusted library allocation

page read and write

245E000

stack

page read and write

4950000

trusted library allocation

page read and write

76E000

heap

page read and write

2F9F000

trusted library allocation

page read and write

49A8000

trusted library allocation

page read and write

3113000

trusted library allocation

page read and write

2230000

trusted library allocation

page read and write

2FD1000

trusted library allocation

page read and write

263B000

trusted library allocation

page read and write

2262000

trusted library allocation

page read and write

113E000

stack

page read and write

372A000

trusted library allocation

page read and write

6DCA000

heap

page read and write

2FCE000

trusted library allocation

page read and write

6180000

trusted library allocation

page read and write

12CA000

trusted library allocation

page execute and read and write

5C5E000

stack

page read and write

34EF000

stack

page read and write

49EE000

trusted library allocation

page read and write

610000

heap

page read and write

61D0000

trusted library allocation

page execute and read and write

5660000

trusted library allocation

page execute and read and write

31BF000

trusted library allocation

page read and write

5820000

trusted library allocation

page read and write

3737000

trusted library allocation

page read and write

11C0000

heap

page read and write

34B8000

trusted library allocation

page read and write

2A03000

trusted library allocation

page read and write

6FA0000

trusted library allocation

page execute and read and write

2640000

trusted library allocation

page read and write

6130000

trusted library allocation

page read and write

6F78000

trusted library allocation

page read and write

7670000

trusted library allocation

page read and write

2330000

trusted library allocation

page read and write

6360000

trusted library allocation

page read and write

306E000

stack

page read and write

2FA0000

heap

page execute and read and write

354C000

trusted library allocation

page read and write

56AE000

stack

page read and write

7822000

trusted library allocation

page read and write

3223000

trusted library allocation

page read and write

61E0000

trusted library allocation

page execute and read and write

3471000

trusted library allocation

page read and write

749E000

stack

page read and write

5F23000

heap

page read and write

3221000

trusted library allocation

page read and write

CB6000

unkown

page readonly

60E0000

trusted library allocation

page read and write

3001000

trusted library allocation

page read and write

7F360000

trusted library allocation

page execute and read and write

49B0000

trusted library allocation

page read and write

43A000

stack

page read and write

6D2B000

heap

page read and write

5F11000

heap

page read and write

31CC000

trusted library allocation

page read and write

12D0000

heap

page read and write

34F3000

trusted library allocation

page read and write

31D8000

trusted library allocation

page read and write

13C2000

heap

page read and write

2313000

heap

page read and write

3080000

heap

page read and write

A30000

heap

page read and write

5C40000

trusted library allocation

page execute and read and write

6F30000

trusted library allocation

page read and write

519D000

stack

page read and write

2A4B000

trusted library allocation

page read and write

12C2000

trusted library allocation

page read and write

DC6000

unkown

page write copy

324F000

trusted library allocation

page read and write

177000

unkown

page readonly

6F70000

trusted library allocation

page read and write

1361000

heap

page read and write

4971000

trusted library allocation

page read and write

C6F000

heap

page read and write

2A1A000

trusted library allocation

page read and write

49A0000

trusted library allocation

page read and write

36A4000

trusted library allocation

page read and write

3215000

trusted library allocation

page read and write

5A6F000

stack

page read and write

223D000

trusted library allocation

page execute and read and write

13CE000

heap

page read and write

60F6000

trusted library allocation

page read and write

3555000

trusted library allocation

page read and write

4A30000

trusted library allocation

page read and write

73BF000

stack

page read and write

318F000

trusted library allocation

page read and write

1383000

heap

page read and write

5EE000

stack

page read and write

4982000

trusted library allocation

page read and write

5850000

heap

page read and write

1355000

heap

page read and write

6F23000

trusted library allocation

page read and write

3242000

trusted library allocation

page read and write

2F70000

trusted library allocation

page read and write

4C50000

trusted library allocation

page read and write

370B000

trusted library allocation

page read and write

70E0000

trusted library allocation

page read and write

3578000

trusted library allocation

page read and write

22CE000

stack

page read and write

31C1000

trusted library allocation

page read and write

2252000

trusted library allocation

page read and write

37D7000

trusted library allocation

page read and write

641C000

stack

page read and write

A5E000

stack

page read and write

7050000

trusted library allocation

page read and write

26C0000

trusted library allocation

page read and write

5680000

trusted library section

page readonly

3240000

trusted library allocation

page read and write

6F90000

trusted library allocation

page read and write

6F32000

trusted library allocation

page read and write

C64000

heap

page read and write

5C30000

trusted library allocation

page execute and read and write

3181000

trusted library allocation

page read and write

323A000

trusted library allocation

page read and write

15F0000

trusted library allocation

page read and write

5F38000

heap

page read and write

6F4A000

trusted library allocation

page read and write

4C1E000

stack

page read and write

37DD000

trusted library allocation

page read and write

665000

heap

page read and write

6D31000

heap

page read and write

2FE2000

trusted library allocation

page read and write

5F5C000

heap

page read and write

537000

stack

page read and write

6660000

trusted library allocation

page read and write

6120000

trusted library allocation

page read and write

77D0000

trusted library allocation

page read and write

76CE000

stack

page read and write

33EE000

stack

page read and write

311B000

trusted library allocation

page read and write

3257000

trusted library allocation

page read and write

31B3000

trusted library allocation

page read and write

273F000

trusted library allocation

page read and write

2F60000

heap

page read and write

6D25000

heap

page read and write

31F5000

trusted library allocation

page read and write

595D000

stack

page read and write

54C1000

heap

page read and write

318B000

trusted library allocation

page read and write

5510000

heap

page execute and read and write

460C000

stack

page read and write

5F3C000

heap

page read and write

3665000

trusted library allocation

page read and write

6D80000

heap

page read and write

15D2000

trusted library allocation

page read and write

8E86000

heap

page read and write

6F48000

trusted library allocation

page read and write

13A9000

heap

page read and write

E8D000

unkown

page readonly

30ED000

trusted library allocation

page read and write

60EB000

trusted library allocation

page read and write

6170000

trusted library allocation

page read and write

2A35000

trusted library allocation

page read and write

352F000

trusted library allocation

page read and write

2220000

trusted library allocation

page read and write

3500000

trusted library allocation

page read and write

34A7000

trusted library allocation

page read and write

5E2E000

stack

page read and write

60B5000

trusted library allocation

page read and write

745E000

stack

page read and write

31D6000

trusted library allocation

page read and write

322D000

trusted library allocation

page read and write

32AE000

stack

page read and write

2280000

trusted library allocation

page read and write

5E60000

heap

page read and write

12B3000

trusted library allocation

page read and write

6E49000

heap

page read and write

C0A000

heap

page read and write

12A4000

trusted library allocation

page read and write

6370000

trusted library allocation

page read and write

34AA000

trusted library allocation

page read and write

320E000

trusted library allocation

page read and write

735E000

stack

page read and write

366F000

trusted library allocation

page read and write

A66000

heap

page read and write

3550000

trusted library allocation

page read and write

2636000

trusted library allocation

page read and write

363F000

trusted library allocation

page read and write

355B000

trusted library allocation

page read and write

33AF000

stack

page read and write

364C000

trusted library allocation

page read and write

3611000

trusted library allocation

page read and write

6DFD000

heap

page read and write

760000

heap

page read and write

6390000

trusted library allocation

page read and write

3559000

trusted library allocation

page read and write

27C0000

trusted library allocation

page read and write

1680000

heap

page read and write

6D54000

heap

page read and write

786000

heap

page read and write

C0E000

heap

page read and write

2518000

trusted library allocation

page read and write

77CE000

stack

page read and write

31DA000

trusted library allocation

page read and write

6E1F000

heap

page read and write

2A40000

trusted library allocation

page read and write

6380000

trusted library allocation

page read and write

2A3B000

trusted library allocation

page read and write

709E000

stack

page read and write

365E000

trusted library allocation

page read and write

34E6000

trusted library allocation

page read and write

7CD000

stack

page read and write

35A0000

trusted library allocation

page read and write

5630000

trusted library allocation

page execute and read and write

3255000

trusted library allocation

page read and write

E8D000

unkown

page readonly

6DBE000

heap

page read and write

2F80000

trusted library allocation

page read and write

6DE9000

heap

page read and write

3546000

trusted library allocation

page read and write

30BE000

trusted library allocation

page read and write

610E000

trusted library allocation

page read and write

3259000

trusted library allocation

page read and write

6160000

trusted library allocation

page read and write

D90000

unkown

page readonly

25E0000

trusted library allocation

page read and write

2310000

heap

page read and write

5970000

heap

page read and write

36AF000

trusted library allocation

page read and write

DD0000

heap

page read and write

36A1000

trusted library allocation

page read and write

8EA3000

heap

page read and write

31D4000

trusted library allocation

page read and write

6F80000

trusted library allocation

page read and write

3539000

trusted library allocation

page read and write

56B0000

heap

page read and write

3730000

trusted library allocation

page read and write

660000

heap

page read and write

3507000

trusted library allocation

page read and write

3492000

trusted library allocation

page read and write

C00000

heap

page read and write

5EF9000

heap

page read and write

31B0000

trusted library allocation

page read and write

15D0000

trusted library allocation

page read and write

352B000

stack

page read and write

31E7000

trusted library allocation

page read and write

323E000

trusted library allocation

page read and write

12C6000

trusted library allocation

page execute and read and write

6F60000

trusted library allocation

page read and write

13AD000

heap

page read and write

3189000

trusted library allocation

page read and write

3225000

trusted library allocation

page read and write

3563000

trusted library allocation

page read and write

4BDE000

stack

page read and write

613B000

trusted library allocation

page read and write

6D41000

heap

page read and write

5570000

trusted library allocation

page execute and read and write

2A2F000

trusted library allocation

page read and write

25EA000

trusted library allocation

page read and write

117E000

stack

page read and write

2A40000

heap

page read and write

57B0000

trusted library allocation

page read and write

60F1000

trusted library allocation

page read and write

12AD000

trusted library allocation

page execute and read and write

2624000

trusted library allocation

page read and write

8E66000

heap

page read and write

D91000

unkown

page execute read

5A0000

heap

page read and write

2260000

trusted library allocation

page read and write

2879000

trusted library allocation

page read and write

6F39000

trusted library allocation

page read and write

56B3000

heap

page read and write

3741000

trusted library allocation

page read and write

2460000

heap

page execute and read and write

2603000

trusted library allocation

page read and write

374F000

trusted library allocation

page read and write

2320000

trusted library allocation

page execute and read and write

5620000

trusted library allocation

page read and write

6D65000

heap

page read and write

6F35000

trusted library allocation

page read and write

61B0000

trusted library allocation

page read and write

3747000

trusted library allocation

page read and write

257A000

trusted library allocation

page read and write

6CD000

stack

page read and write

2F90000

trusted library allocation

page read and write

4A20000

heap

page read and write

765E000

stack

page read and write

54E5000

trusted library allocation

page read and write

31F1000

trusted library allocation

page read and write

A20000

heap

page read and write

36A7000

trusted library allocation

page read and write

2FDD000

trusted library allocation

page read and write

63A0000

trusted library allocation

page read and write

167B000

stack

page read and write

36F2000

trusted library allocation

page read and write

34B0000

trusted library allocation

page read and write

8EC4000

heap

page read and write

30C2000

trusted library allocation

page read and write

37E9000

trusted library allocation

page read and write

5560000

heap

page read and write

3512000

trusted library allocation

page read and write

60A0000

trusted library allocation

page read and write

DC4000

unkown

page write copy

37B6000

trusted library allocation

page read and write

2A1C000

trusted library allocation

page read and write

60A5000

trusted library allocation

page read and write

2A0E000

trusted library allocation

page read and write

2FD6000

trusted library allocation

page read and write

31A4000

trusted library allocation

page read and write

1180000

heap

page read and write

6DB0000

heap

page read and write

2FB0000

trusted library allocation

page read and write

60B9000

trusted library allocation

page read and write

49C0000

trusted library allocation

page read and write

6E58000

heap

page read and write

76DE000

stack

page read and write

495B000

trusted library allocation

page read and write

5BAE000

stack

page read and write

2A56000

trusted library allocation

page read and write

4C40000

trusted library allocation

page read and write

6230000

trusted library allocation

page execute and read and write

36DA000

trusted library allocation

page read and write

56A0000

heap

page read and write

31BD000

trusted library allocation

page read and write

700D000

stack

page read and write

A85000

heap

page read and write

6F5A000

trusted library allocation

page read and write

3210000

trusted library allocation

page read and write

37B0000

trusted library allocation

page read and write

3698000

trusted library allocation

page read and write

6DB6000

heap

page read and write

37BA000

trusted library allocation

page read and write

163E000

stack

page read and write

6F4F000

trusted library allocation

page read and write

15CF000

stack

page read and write

6E1A000

heap

page read and write

37A9000

trusted library allocation

page read and write

61C0000

trusted library allocation

page read and write

DE0000

heap

page read and write

613E000

trusted library allocation

page read and write

11B0000

trusted library allocation

page read and write

1312000

heap

page read and write

6135000

trusted library allocation

page read and write

6DA0000

heap

page read and write

224D000

trusted library allocation

page execute and read and write

3229000

trusted library allocation

page read and write

1687000

heap

page read and write

3244000

trusted library allocation

page read and write

4954000

trusted library allocation

page read and write

4EEE000

stack

page read and write

859000

heap

page read and write

2F50000

trusted library allocation

page execute and read and write

6111000

trusted library allocation

page read and write

5F27000

heap

page read and write

2657000

trusted library allocation

page read and write

11C5000

heap

page read and write

37C6000

trusted library allocation

page read and write

12C0000

trusted library allocation

page read and write

374A000

trusted library allocation

page read and write

186000

unkown

page readonly

5C10000

trusted library allocation

page execute and read and write

65E000

stack

page read and write

4C60000

trusted library allocation

page read and write

2A23000

trusted library allocation

page read and write

3715000

trusted library allocation

page read and write

95E000

stack

page read and write

A60000

heap

page read and write

5F31000

heap

page read and write

6F20000

trusted library allocation

page read and write

4C70000

heap

page read and write

7680000

trusted library allocation

page execute and read and write

118F000

stack

page read and write

3684000

trusted library allocation

page read and write

35D0000

trusted library allocation

page read and write

368B000

trusted library allocation

page read and write

5F9D000

stack

page read and write

3247000

trusted library allocation

page read and write

6102000

trusted library allocation

page read and write

C89000

heap

page read and write

4EAE000

stack

page read and write

665C000

stack

page read and write

2240000

trusted library allocation

page read and write

6F64000

trusted library allocation

page read and write

7A3000

heap

page read and write

4A32000

trusted library allocation

page read and write

5F4E000

heap

page read and write

366A000

trusted library allocation

page read and write

3710000

trusted library allocation

page read and write

3704000

trusted library allocation

page read and write

3063000

trusted library allocation

page read and write

5AAE000

stack

page read and write

3797000

trusted library allocation

page read and write

14CF000

stack

page read and write

5C20000

heap

page read and write

15D7000

trusted library allocation

page execute and read and write

3212000

trusted library allocation

page read and write

4478000

trusted library allocation

page read and write

3238000

trusted library allocation

page read and write

4001000

trusted library allocation

page read and write

36A9000

trusted library allocation

page read and write

DB6000

unkown

page readonly

60A8000

trusted library allocation

page read and write

31E1000

trusted library allocation

page read and write

DFA000

unkown

page read and write

6240000

trusted library allocation

page execute and read and write

8E9D000

heap

page read and write

740000

heap

page read and write

3720000

trusted library allocation

page read and write

269D000

trusted library allocation

page read and write

355E000

trusted library allocation

page read and write

2FF0000

heap

page read and write

3070000

heap

page read and write

31DC000

trusted library allocation

page read and write

4E6E000

stack

page read and write

13BD000

heap

page read and write

316D000

trusted library allocation

page read and write

6F55000

trusted library allocation

page read and write

2265000

trusted library allocation

page execute and read and write

12A0000

trusted library allocation

page read and write

2267000

trusted library allocation

page execute and read and write

34B6000

trusted library allocation

page read and write

3632000

trusted library allocation

page read and write

12BD000

trusted library allocation

page execute and read and write

31C5000

trusted library allocation

page read and write

4994000

trusted library allocation

page read and write

4C48000

trusted library allocation

page read and write

3626000

trusted library allocation

page read and write

140000

unkown

page readonly

2F60000

trusted library allocation

page read and write

C33000

heap

page read and write

580C000

stack

page read and write

4A40000

trusted library allocation

page execute and read and write

6D58000

heap

page read and write

347F000

trusted library allocation

page read and write

34DA000

trusted library allocation

page read and write

73FE000

stack

page read and write

C60000

unkown

page readonly

63D0000

trusted library allocation

page execute and read and write

12D8000

heap

page read and write

318D000

trusted library allocation

page read and write

8E80000

heap

page read and write

31A6000

trusted library allocation

page read and write

3169000

trusted library allocation

page read and write

15DB000

trusted library allocation

page execute and read and write

5855000

heap

page read and write

135E000

heap

page read and write

795000

heap

page read and write

7410000

trusted library allocation

page execute and read and write

63B0000

trusted library allocation

page execute and read and write

377D000

trusted library allocation

page read and write

36B4000

trusted library allocation

page read and write

230B000

stack

page read and write

261D000

trusted library allocation

page read and write

5AE0000

heap

page read and write

2610000

trusted library allocation

page read and write

3249000

trusted library allocation

page read and write

6E2D000

heap

page read and write

3771000

trusted library allocation

page read and write

3191000

trusted library allocation

page read and write

4C30000

heap

page read and write

362C000

stack

page read and write

320C000

trusted library allocation

page read and write

6663000

trusted library allocation

page read and write

36E4000

trusted library allocation

page read and write

3130000

trusted library allocation

page read and write

6D28000

heap

page read and write

351F000

trusted library allocation

page read and write

12A3000

trusted library allocation

page execute and read and write

2F4E000

stack

page read and write

31F7000

trusted library allocation

page read and write

496E000

trusted library allocation

page read and write

8E60000

heap

page read and write

731E000

stack

page read and write

25F5000

trusted library allocation

page read and write

12DE000

heap

page read and write

2233000

trusted library allocation

page execute and read and write

755E000

stack

page read and write

322B000

trusted library allocation

page read and write

D00000

heap

page read and write

379E000

trusted library allocation

page read and write

5D2D000

stack

page read and write

6F26000

trusted library allocation

page read and write

2ECE000

stack

page read and write

6150000

trusted library allocation

page read and write

6E37000

heap

page read and write

4B90000

heap

page execute and read and write

759E000

stack

page read and write

6D5E000

heap

page read and write

B9E000

stack

page read and write

262F000

trusted library allocation

page read and write

3208000

trusted library allocation

page read and write

60B7000

trusted library allocation

page read and write

7D9000

heap

page read and write

8E91000

heap

page read and write

3230000

trusted library allocation

page read and write

264B000

trusted library allocation

page read and write

2717000

trusted library allocation

page read and write

5960000

heap

page read and write

3253000

trusted library allocation

page read and write

30CA000

trusted library allocation

page read and write

12F6000

heap

page read and write

31A2000

trusted library allocation

page read and write

2F30000

heap

page read and write

5690000

heap

page read and write

27B8000

trusted library allocation

page read and write

378A000

trusted library allocation

page read and write

5994000

heap

page read and write

1305000

heap

page read and write

7400000

trusted library allocation

page execute and read and write

768000

heap

page read and write

DB6000

unkown

page readonly

D69000

stack

page read and write

6E6B000

heap

page read and write

70DE000

stack

page read and write

2FBB000

trusted library allocation

page read and write

2234000

trusted library allocation

page read and write

5520000

trusted library allocation

page read and write

108F000

stack

page read and write

49E0000

trusted library allocation

page read and write

5E6C000

heap

page read and write

225A000

trusted library allocation

page execute and read and write

2713000

trusted library allocation

page read and write

2350000

heap

page read and write

373D000

trusted library allocation

page read and write

2340000

trusted library allocation

page read and write

5990000

heap

page read and write

34BE000

trusted library allocation

page read and write

3755000

trusted library allocation

page read and write

367A000

trusted library allocation

page read and write

3524000

trusted library allocation

page read and write

7420000

heap

page read and write

36CB000

trusted library allocation

page read and write

5650000

trusted library allocation

page read and write

25A9000

trusted library allocation

page read and write

3187000

trusted library allocation

page read and write

49B5000

trusted library allocation

page read and write

D91000

unkown

page execute read

226B000

trusted library allocation

page execute and read and write

6140000

trusted library allocation

page read and write

3691000

trusted library allocation

page read and write

30BA000

trusted library allocation

page read and write

3270000

trusted library allocation

page read and write

2F0E000

stack

page read and write

3206000

trusted library allocation

page read and write

36F9000

trusted library allocation

page read and write

2FB4000

trusted library allocation

page read and write

8EAB000

heap

page read and write

3759000

trusted library allocation

page read and write

D90000

unkown

page readonly

6F5F000

trusted library allocation

page read and write

271B000

trusted library allocation

page read and write

54E0000

trusted library allocation

page read and write

172000

unkown

page readonly

369B000

trusted library allocation

page read and write

A80000

heap

page read and write

3161000

trusted library allocation

page read and write

596E000

stack

page read and write

3519000

trusted library allocation

page read and write

10F7000

stack

page read and write

326F000

stack

page read and write

5EA6000

heap

page read and write

2A11000

trusted library allocation

page read and write

5F0F000

heap

page read and write

2F2E000

stack

page read and write

2DCE000

stack

page read and write

34A0000

trusted library allocation

page read and write

830000

heap

page read and write

3653000

trusted library allocation

page read and write

349A000

trusted library allocation

page read and write

320A000

trusted library allocation

page read and write

3194000

trusted library allocation

page read and write

655E000

stack

page read and write

590000

heap

page read and write

374C000

trusted library allocation

page read and write

31A8000

trusted library allocation

page read and write

34C3000

trusted library allocation

page read and write

617000

heap

page read and write

31DE000

trusted library allocation

page read and write

651C000

stack

page read and write

136F000

heap

page read and write

54F0000

trusted library allocation

page read and write

704E000

stack

page read and write

5F56000

heap

page read and write

60B0000

trusted library allocation

page read and write

75DE000

stack

page read and write

34B3000

trusted library allocation

page read and write

3227000

trusted library allocation

page read and write

2250000

trusted library allocation

page read and write

3117000

trusted library allocation

page read and write

2256000

trusted library allocation

page execute and read and write

60AA000

trusted library allocation

page read and write

4990000

trusted library allocation

page read and write

36D7000

trusted library allocation

page read and write

6D20000

heap

page read and write

25F7000

trusted library allocation

page read and write

353F000

trusted library allocation

page read and write

There are 589 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
file.exe