Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.971372283511289
Filename:	file.exe
Filesize:	2066432
MD5:	ea2954e7fc00520a5300e72edea11b0f
SHA1:	cb9c5443999a5f62e83bb03756f8e1a8bcbefdb1
SHA256:	ae939c4c31af5fc5e66e5f991239949a572f3af905118ae2f94fdf6dd080bc01
SHA512:	a1b5085f270b46c7eac939c2b635d861513874aea797124410bdf8538a824fb5203532ed676b9cc2bc12868efb3d4e9509af2d2a3942608a9dcf997b435f408a
SSDEEP:	24576:H4VJRQQ6MczUMPwjgagC2lsJCC3jDlE4j7xOi5WX0rB7uivDX/CYzQ84GpxkFScs:HMPDJ1jgxs5lPjtzWcB1PHytJuu
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Z..........."...0..N...........~... ........@.. .......................`............`................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection	Windows Management Instrumentation
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary	Access Token Manipulation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains functionality to call native functions	System Summary
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Masquerading
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
.NET source code contains long base64-encoded strings	System Summary	Disable or Modify Tools Obfuscated Files or Information
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Masquerading Virtualization/Sandbox Evasion
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries process information (via WMI, Win32_Process)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary
Uses Microsoft Silverlight	System Summary	Access Token Manipulation

C:\Program Files\RDP Wrapper\rdpwrap.dll

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

Details

File:	C:\Program Files\RDP Wrapper\rdpwrap.dll
Category:	dropped
Dump:	rdpwrap.dll.10.dr
ID:	dr_5
Target ID:	10
Process:	C:\Users\user\AppData\Local\Temp\RDPWInst.exe
Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy:	5.884975745255681
Encrypted:	false
Ssdeep:	3072:m3zxbyHM+TstVfFyov7je9LBMMmMJDOvYYVs:oMjTiVw2ve9LBMMpJsT
Size:	116736
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Creates a directory in C:\Program Files	Compliance, System Summary	Masquerading

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Category:	dropped
Dump:	file.exe.log.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	CSV text
Entropy:	5.345181606725495
Encrypted:	false
Ssdeep:	24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeBE4D2c/sXE4qdKm:MxHKlYHKh3oPtHo6hAHKzeBHCHHA
Size:	1298
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\RDPWInst.exe

PE32 executable (console) Intel 80386, for MS Windows

modified

Details

File:	C:\Users\user\AppData\Local\Temp\RDPWInst.exe
Category:	modified
Dump:	RDPWInst.exe.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy:	6.646511331349125
Encrypted:	false
Ssdeep:	24576:+rKxoVT2iXc+IZP+6WiaTAsN/3ebTvK+63CWH8iA/iD2hgPjcC8SVdKumYr7:vHZGpdqYH8ia6GcKuR7
Size:	1785344
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Allows multiple concurrent remote connection	Remote Access Functionality	Remote Desktop Protocol
Enables remote desktop connection	Remote Access Functionality	Remote Desktop Protocol
Machine Learning detection for dropped file	AV Detection
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Sigma detected: RDP Sensitive Settings Changed	System Summary
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Yara detected RDPWrap Tool	Networking
Contains functionality to enumerate running services	Malware Analysis System Evasion	System Service Discovery
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	System Information Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates files inside the system directory	System Summary	Masquerading
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Enables debug privileges	Anti Debugging
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Modifies existing windows services	Boot Survival	Windows Service
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to check free disk space	System Summary	System Information Discovery
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to modify services (start/stop/modify)	System Summary	Windows Service Service Execution
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Information Discovery System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion	System Information Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to start windows services	Boot Survival	Service Execution
Creates files inside the program directory	System Summary	Masquerading
Creates temporary files	System Summary
Detected Delphi use of System.ParamCount	System Summary
Parts of this applications are using Borland Delphi (Probably coded in Delphi)	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Writes ini files	System Summary	File and Directory Discovery
Creates a directory in C:\Program Files	Compliance, System Summary	Masquerading

C:\Program Files\RDP Wrapper\rdpwrap.ini

Generic INItialization configuration [SLPolicy]

dropped

Details

File:	C:\Program Files\RDP Wrapper\rdpwrap.ini
Category:	dropped
Dump:	rdpwrap.ini.10.dr
ID:	dr_4
Target ID:	10
Process:	C:\Users\user\AppData\Local\Temp\RDPWInst.exe
Type:	Generic INItialization configuration [SLPolicy]
Entropy:	5.4496544667416975
Encrypted:	false
Ssdeep:	768:DUoDQVQpXQq4WDi9SUnpB8fbQnxJcy8RMFdKKb8x8Rr/d6gl/+f8jZ0ftlFn4m7Y:TJGYS33L+MUIiG4IvREWddadl/Fy/k9c
Size:	443552
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Writes ini files	System Summary	File and Directory Discovery
Creates a directory in C:\Program Files	Compliance, System Summary	Masquerading

C:\Windows\System32\rfxvmt.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

Details

File:	C:\Windows\System32\rfxvmt.dll
Category:	dropped
Dump:	rfxvmt.dll.10.dr
ID:	dr_6
Target ID:	10
Process:	C:\Users\user\AppData\Local\Temp\RDPWInst.exe
Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Entropy:	5.7181012847214445
Encrypted:	false
Ssdeep:	768:2aS6Ir6sXJaE5I2IaK3knhQ0NknriB0dX5mkOpw:aDjDtKA0G0j5Opw
Size:	37376
Whitelisted:	true
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the system directory	System Summary	Masquerading
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.35.dr
ID:	dr_8
Target ID:	35
Process:	C:\Windows\SysWOW64\netsh.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	2.2359263506290326
Encrypted:	false
Ssdeep:	3:t:t
Size:	7
Whitelisted:	false
Reputation:	timeout

\Device\Mup\585948*\MAILSLOT\NET\NETLOGON

data

dropped

Details

File:	\Device\Mup\585948*\MAILSLOT\NET\NETLOGON
Category:	dropped
Dump:	NETLOGON.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	data
Entropy:	3.6075632069840315
Encrypted:	false
Ssdeep:	3:upLfVI2Y1AnVJulLn:up2GjqLn
Size:	64
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "AllowRemoteRPC" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "AllowRemoteRPC" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRemoteDesktop" /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRemoteDesktop" /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i

C:\Users\user\AppData\Local\Temp\RDPWInst.exe

C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i

C:\Windows\System32\netsh.exe

netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c net user BoydKrajcik hDNQhfjKM9S0 /add

C:\Windows\SysWOW64\net.exe

net user BoydKrajcik hDNQhfjKM9S0 /add

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c net localgroup

C:\Windows\SysWOW64\net.exe

net localgroup

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c net localgroup "Remote Desktop Users" BoydKrajcik /add

C:\Windows\SysWOW64\net.exe

net localgroup "Remote Desktop Users" BoydKrajcik /add

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c net localgroup "Administrators" BoydKrajcik /add

C:\Windows\SysWOW64\net.exe

net localgroup "Administrators" BoydKrajcik /add

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\drivers\rdpvideominiport.sys

C:\Windows\System32\drivers\rdpdr.sys

C:\Windows\System32\drivers\tsusbhub.sys

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user BoydKrajcik hDNQhfjKM9S0 /add

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Remote Desktop Users" BoydKrajcik /add

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Administrators" BoydKrajcik /add

There are 23 hidden processes, click here to show them.

URLs

Name

Malicious

https://github.com/bchavez/Bogus.

unknown

http://www.apache.org/licenses/LICENSE-2.0

unknown

http://147.45.44.104/prog/66f55533ca7d6_RDPWInst.exe

147.45.44.104

http://api.ipify.orgd

unknown

https://github.com/bchavez/Bogus/issues/54

unknown

https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.iniU

unknown

http://schemas.xmlsoap.org/soap/encoding/

unknown

http://www.apache.org/licenses/

unknown

https://cloudflare-ipfs.com/ipfs/Qmd3W5DuhgHirLHGVixi6V76LhCkZUz6pnFt5AJBiyvHye/avatar/

unknown

https://github.com/lontivero/Open.Nat/issuesOAlso

unknown

https://loremflickr.com

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.ini

unknown

http://hansgborn.eud

unknown

https://picsum.photos

unknown

https://placeimg.com

unknown

https://hansgborn.eu

unknown

https://github.com/bchavez/Bogus/issues/115

unknown

http://api.ipify.org

unknown

http://stascorp.com/load/1-1-0-62

unknown

http://stascorp.comDVarFileInfo$

unknown

https://github.com/bchavez/Bogus/wiki/Bogus-Premium

unknown

http://hansgborn.eu

unknown

https://github.com/bchavez/Bogus

unknown

https://via.placeholder.com/

unknown

https://hansgborn.eu/core/receive.phpd

unknown

https://hansgborn.eu/core/receive.php

188.114.97.3

http://api.ipify.org/

104.26.12.205

http://147.45.44.104

unknown

https://github.com/bchavez/Bogus:

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

There are 21 hidden URLs, click here to show them.

Domains

Name

Malicious

hansgborn.eu

188.114.97.3

Details

Name:	hansgborn.eu
IP:	188.114.97.3
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

api.ipify.org

104.26.12.205

Details

Name:	api.ipify.org
IP:	104.26.12.205
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Suricata IDS alerts with low severity for network traffic	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

8.46.123.33

unknown

United States

Details

IP:	8.46.123.33
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	62713
ASN name:	AS-PUBMATICUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Outbound RDP Connections Over Non-Standard Tools	System Summary
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

104.26.12.205

api.ipify.org

United States

Details

IP:	104.26.12.205
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking

239.255.255.250

unknown

Reserved

188.114.97.3

hansgborn.eu

European Union

Details

IP:	188.114.97.3
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	hansgborn.eu

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

147.45.44.104

unknown

Russian Federation

Details

IP:	147.45.44.104
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	2895
ASN name:	FREE-NET-ASFREEnetEU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\Licensing Core

EnableConcurrentSessions

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters

ServiceDll

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server

fDenyTSConnections

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\file_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\file_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\file_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\file_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\file_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\file_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\file_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\file_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\file_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\file_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\file_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\file_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\file_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\file_RASMANCS

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

AllowRemoteRPC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

DisableRemoteDesktop

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

AllowMultipleTSSessions

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{81c87465-de07-4efc-9d93-61e891d52fd2}

Class

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{81c87465-de07-4efc-9d93-61e891d52fd2}

NoDisplayClass

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{81c87465-de07-4efc-9d93-61e891d52fd2}

NoUseClass

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{81c87465-de07-4efc-9d93-61e891d52fd2}\Properties

Security

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{cc41eba2-ab57-4f4e-8c3d-1bc33b1e74e3}

Class

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{cc41eba2-ab57-4f4e-8c3d-1bc33b1e74e3}

NoDisplayClass

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{cc41eba2-ab57-4f4e-8c3d-1bc33b1e74e3}

NoUseClass

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{cc41eba2-ab57-4f4e-8c3d-1bc33b1e74e3}\Properties

Security

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{091bc97e-2352-4362-a539-10a6d8ff7596}

Class

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{091bc97e-2352-4362-a539-10a6d8ff7596}

NoDisplayClass

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{091bc97e-2352-4362-a539-10a6d8ff7596}

NoUseClass

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{091bc97e-2352-4362-a539-10a6d8ff7596}\Properties

Security

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{cc41eba2-ab57-4f4e-8c3d-1bc33b1e74e3}\Properties

Security

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tsusbhub\Parameters\Wdf

WdfMajorVersion

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tsusbhub\Parameters\Wdf

WdfMinorVersion

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{191a5137-7c9d-43c0-a943-de4411f424f7}\##?#TS_USB_HUB_Enumerator#UMB#2&30d3618&0&TS_USB_HUB#{191a5137-7c9d-43c0-a943-de4411f424f7}

DeviceInstance

There are 27 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

450000

unkown

page readonly

450000

unkown

page readonly

32D1000

trusted library allocation

page read and write

C62000

unkown

page execute read

D4A000

unkown

page readonly

67D000

stack

page read and write

69EC000

heap

page read and write

35A4000

trusted library allocation

page read and write

B0E000

direct allocation

page read and write

2E82000

heap

page read and write

154D000

trusted library allocation

page execute and read and write

670E000

stack

page read and write

2370000

heap

page read and write

3B4E000

trusted library allocation

page read and write

2830000

heap

page read and write

296E000

unkown

page read and write

628E000

stack

page read and write

2A9F000

stack

page read and write

29EF000

stack

page read and write

258D000

stack

page read and write

2FEF000

stack

page read and write

717C000

stack

page read and write

15A0000

trusted library allocation

page read and write

2F60000

heap

page read and write

6E0000

heap

page read and write

3240000

heap

page read and write

2970000

heap

page read and write

3618000

trusted library allocation

page read and write

B00000

direct allocation

page read and write

6DE000

stack

page read and write

2FAE000

stack

page read and write

2A1C000

heap

page read and write

69DC000

heap

page read and write

2C10000

heap

page read and write

258D000

stack

page read and write

2E85000

heap

page read and write

BC0000

heap

page read and write

410000

heap

page read and write

1560000

trusted library allocation

page read and write

2EBD000

stack

page read and write

250D000

stack

page read and write

FF6B0000

trusted library allocation

page execute and read and write

FDC000

stack

page read and write

2DA0000

heap

page read and write

3652000

trusted library allocation

page read and write

343F000

stack

page read and write

2F3D000

stack

page read and write

6DBE000

stack

page read and write

29B0000

heap

page read and write

30AE000

unkown

page read and write

4FD000

stack

page read and write

6CE000

stack

page read and write

7FDE0000

direct allocation

page read and write

B15000

direct allocation

page read and write

1450000

heap

page read and write

28BE000

stack

page read and write

31A0000

heap

page read and write

2B88000

heap

page read and write

780000

heap

page read and write

2CFD000

stack

page read and write

1F0000

heap

page read and write

3220000

trusted library allocation

page read and write

2B00000

heap

page read and write

290E000

stack

page read and write

36D6000

trusted library allocation

page read and write

5770000

trusted library section

page read and write

2DD3000

heap

page read and write

780000

heap

page read and write

31D0000

heap

page read and write

2C55000

heap

page read and write

688E000

stack

page read and write

44B000

unkown

page read and write

59C000

heap

page read and write

351F000

trusted library allocation

page read and write

6A2A000

heap

page read and write

2EFD000

stack

page read and write

2DE8000

heap

page read and write

3200000

heap

page read and write

630F000

stack

page read and write

36DF000

stack

page read and write

6A90000

heap

page read and write

530000

heap

page read and write

68D000

stack

page read and write

1877000

heap

page read and write

184C000

stack

page read and write

700000

heap

page read and write

6F0000

heap

page read and write

29BE000

stack

page read and write

3080000

heap

page read and write

1550000

trusted library allocation

page read and write

2E6B000

heap

page read and write

359A000

trusted library allocation

page read and write

850000

heap

page read and write

19B000

stack

page read and write

6D0000

heap

page read and write

B6D000

stack

page read and write

6A30000

heap

page read and write

2E60000

heap

page read and write

2DAE000

stack

page read and write

93E000

stack

page read and write

3622000

trusted library allocation

page read and write

33C0000

heap

page read and write

2F90000

heap

page read and write

2DBF000

stack

page read and write

760000

heap

page read and write

2DB0000

heap

page read and write

8F0000

heap

page read and write

3380000

heap

page read and write

2958000

heap

page read and write

2ED000

stack

page read and write

292E000

stack

page read and write

2AC0000

heap

page read and write

29CE000

unkown

page read and write

1562000

trusted library allocation

page read and write

3260000

heap

page read and write

AED000

stack

page read and write

2C1E000

stack

page read and write

2B80000

heap

page read and write

330E000

stack

page read and write

361E000

trusted library allocation

page read and write

6AE000

stack

page read and write

B4F000

direct allocation

page read and write

3591000

trusted library allocation

page read and write

2390000

heap

page read and write

35DE000

trusted library allocation

page read and write

8E0000

heap

page read and write

322D000

heap

page read and write

1556000

trusted library allocation

page execute and read and write

6C7E000

stack

page read and write

B1C000

direct allocation

page read and write

2C0F000

unkown

page read and write

3375000

heap

page read and write

2DE0000

heap

page read and write

43ED000

trusted library allocation

page read and write

305F000

unkown

page read and write

678E000

stack

page read and write

78E000

stack

page read and write

18D000

stack

page read and write

84F000

stack

page read and write

25F0000

heap

page read and write

2E84000

heap

page read and write

1455000

heap

page read and write

69D0000

heap

page read and write

1540000

trusted library allocation

page read and write

307F000

stack

page read and write

673000

heap

page read and write

2DE5000

heap

page read and write

5C4F000

stack

page read and write

3370000

heap

page read and write

B48000

direct allocation

page read and write

2E86000

heap

page read and write

2720000

heap

page read and write

600F000

stack

page read and write

53E000

stack

page read and write

2850000

heap

page read and write

7A30000

heap

page execute and read and write

5B3000

heap

page read and write

445000

unkown

page write copy

1639000

heap

page read and write

2DE0000

heap

page read and write

604E000

stack

page read and write

2471000

direct allocation

page read and write

4FD000

stack

page read and write

64DE000

stack

page read and write

2B4F000

stack

page read and write

298E000

stack

page read and write

57E000

unkown

page read and write

2480000

direct allocation

page read and write

2D3E000

stack

page read and write

29FE000

stack

page read and write

44C000

unkown

page write copy

5B2000

heap

page read and write

367A000

trusted library allocation

page read and write

364A000

trusted library allocation

page read and write

B2B000

direct allocation

page read and write

5C0000

heap

page read and write

32C0000

heap

page read and write

33B0000

heap

page read and write

2AEE000

stack

page read and write

69E7000

heap

page read and write

8FF000

stack

page read and write

14DE000

stack

page read and write

72BD000

stack

page read and write

69E3000

heap

page read and write

410000

heap

page read and write

6B30000

heap

page read and write

62E000

stack

page read and write

33C7000

heap

page read and write

671000

heap

page read and write

5B5000

heap

page read and write

2750000

heap

page read and write

9AF000

stack

page read and write

2380000

heap

page read and write

12F7000

stack

page read and write

72E0000

trusted library allocation

page execute and read and write

3656000

trusted library allocation

page read and write

5DCE000

stack

page read and write

72C0000

trusted library allocation

page read and write

360C000

trusted library allocation

page read and write

1D0000

heap

page read and write

17BE000

stack

page read and write

2950000

heap

page read and write

3320000

heap

page read and write

3675000

trusted library allocation

page read and write

15C0000

heap

page read and write

359F000

unkown

page read and write

614E000

stack

page read and write

2CFD000

stack

page read and write

590000

heap

page read and write

355F000

trusted library allocation

page read and write

61E000

unkown

page read and write

401000

unkown

page execute read

2A10000

heap

page read and write

2EC0000

heap

page read and write

2710000

heap

page read and write

3373000

trusted library allocation

page read and write

A77000

direct allocation

page read and write

15DF000

heap

page read and write

6A01000

heap

page read and write

33AC000

heap

page read and write

309F000

unkown

page read and write

446000

unkown

page write copy

293E000

stack

page read and write

2DE0000

heap

page read and write

2ABE000

stack

page read and write

71BE000

stack

page read and write

33C5000

heap

page read and write

3561000

trusted library allocation

page read and write

36D2000

trusted library allocation

page read and write

36AD000

trusted library allocation

page read and write

725000

heap

page read and write

36B1000

trusted library allocation

page read and write

320C000

heap

page read and write

291D000

stack

page read and write

35D3000

trusted library allocation

page read and write

6FE000

stack

page read and write

77F000

stack

page read and write

3200000

heap

page read and write

3B4C000

trusted library allocation

page read and write

62CE000

stack

page read and write

366E000

trusted library allocation

page read and write

15F5000

heap

page read and write

2980000

heap

page read and write

42D1000

trusted library allocation

page read and write

17FE000

stack

page read and write

315F000

stack

page read and write

420000

heap

page read and write

35D9000

trusted library allocation

page read and write

1800000

heap

page execute and read and write

1530000

heap

page read and write

305F000

unkown

page read and write

2C20000

heap

page read and write

5760000

trusted library allocation

page execute and read and write

3784000

trusted library allocation

page read and write

6B20000

heap

page read and write

400000

unkown

page readonly

1691000

heap

page read and write

2C50000

heap

page read and write

2C70000

heap

page read and write

2A34000

heap

page read and write

B39000

direct allocation

page read and write

2E81000

heap

page read and write

2E60000

heap

page read and write

361C000

trusted library allocation

page read and write

675000

heap

page read and write

401000

unkown

page execute read

400000

unkown

page readonly

6DFD000

stack

page read and write

2DB0000

heap

page read and write

241C000

direct allocation

page read and write

29FE000

unkown

page read and write

618E000

stack

page read and write

35D1000

trusted library allocation

page read and write

337E000

unkown

page read and write

447000

unkown

page read and write

36D4000

trusted library allocation

page read and write

2CFD000

stack

page read and write

2CFF000

stack

page read and write

149E000

stack

page read and write

29FE000

stack

page read and write

5C8E000

stack

page read and write

580000

heap

page read and write

6C39000

stack

page read and write

355D000

trusted library allocation

page read and write

311E000

stack

page read and write

291D000

stack

page read and write

420000

heap

page read and write

32A0000

trusted library allocation

page read and write

2DFE000

stack

page read and write

2A7E000

stack

page read and write

2FF0000

heap

page read and write

6B0000

heap

page read and write

3585000

trusted library allocation

page read and write

1524000

trusted library allocation

page read and write

15CE000

heap

page read and write

2E83000

heap

page read and write

A6F000

stack

page read and write

2ABD000

stack

page read and write

500000

heap

page read and write

36A0000

trusted library allocation

page read and write

1870000

heap

page read and write

548000

heap

page read and write

3160000

heap

page read and write

6A8E000

heap

page read and write

690000

heap

page read and write

355B000

trusted library allocation

page read and write

2E6C000

heap

page read and write

3521000

trusted library allocation

page read and write

2411000

direct allocation

page read and write

8E5000

heap

page read and write

263D000

stack

page read and write

651E000

stack

page read and write

6BA000

heap

page read and write

1552000

trusted library allocation

page read and write

B81000

direct allocation

page read and write

634E000

stack

page read and write

2E3D000

stack

page read and write

A54000

direct allocation

page read and write

1523000

trusted library allocation

page execute and read and write

358D000

trusted library allocation

page read and write

3672000

trusted library allocation

page read and write

2A10000

heap

page read and write

427000

heap

page read and write

A50000

direct allocation

page read and write

35C6000

trusted library allocation

page read and write

336F000

stack

page read and write

1537000

heap

page read and write

2DD5000

heap

page read and write

23B0000

heap

page read and write

6B0000

heap

page read and write

2395000

heap

page read and write

28EF000

unkown

page read and write

29BE000

unkown

page read and write

700000

heap

page read and write

152D000

trusted library allocation

page execute and read and write

3654000

trusted library allocation

page read and write

23FE000

stack

page read and write

2990000

heap

page read and write

7A1E000

stack

page read and write

365A000

trusted library allocation

page read and write

16B9000

heap

page read and write

358B000

trusted library allocation

page read and write

35DE000

stack

page read and write

3662000

trusted library allocation

page read and write

AF8000

direct allocation

page read and write

19D000

stack

page read and write

25CD000

stack

page read and write

3616000

trusted library allocation

page read and write

3658000

trusted library allocation

page read and write

363A000

trusted library allocation

page read and write

155A000

trusted library allocation

page execute and read and write

33C1000

heap

page read and write

7CE000

stack

page read and write

78D000

stack

page read and write

B32000

direct allocation

page read and write

B88000

direct allocation

page read and write

365C000

trusted library allocation

page read and write

1420000

heap

page read and write

1AD000

stack

page read and write

2980000

heap

page read and write

C60000

unkown

page readonly

1CD000

stack

page read and write

707E000

stack

page read and write

3589000

trusted library allocation

page read and write

7FE000

stack

page read and write

33A0000

heap

page read and write

3627000

trusted library allocation

page read and write

365E000

trusted library allocation

page read and write

69D6000

heap

page read and write

1340000

heap

page read and write

7A20000

trusted library allocation

page read and write

2D3E000

stack

page read and write

3650000

trusted library allocation

page read and write

7FC20000

direct allocation

page read and write

3AD000

stack

page read and write

660D000

stack

page read and write

6BE000

heap

page read and write

2E0E000

stack

page read and write

2DBC000

heap

page read and write

35D6000

trusted library allocation

page read and write

29D0000

heap

page read and write

30B0000

heap

page read and write

35C9000

trusted library allocation

page read and write

6CBE000

stack

page read and write

B07000

direct allocation

page read and write

703C000

stack

page read and write

A3F000

stack

page read and write

7FD70000

direct allocation

page read and write

15C8000

heap

page read and write

7A40000

trusted library section

page read and write

2748000

heap

page read and write

77F000

stack

page read and write

5B4D000

stack

page read and write

540000

heap

page read and write

333E000

stack

page read and write

315F000

stack

page read and write

6A0D000

heap

page read and write

720000

heap

page read and write

3624000

trusted library allocation

page read and write

12D000

stack

page read and write

3587000

trusted library allocation

page read and write

30D0000

heap

page read and write

2970000

heap

page read and write

35E0000

heap

page read and write

2990000

heap

page read and write

649E000

unkown

page read and write

33B8000

heap

page read and write

1510000

trusted library allocation

page read and write

44D000

unkown

page write copy

6EFB000

stack

page read and write

14E0000

heap

page read and write

620000

heap

page read and write

31DF000

unkown

page read and write

26BD000

stack

page read and write

2730000

heap

page read and write

29BF000

unkown

page read and write

6A34000

heap

page read and write

9C000

stack

page read and write

5ECE000

stack

page read and write

650000

heap

page read and write

290D000

stack

page read and write

9EE000

stack

page read and write

3660000

trusted library allocation

page read and write

1567000

trusted library allocation

page execute and read and write

3750000

heap

page read and write

6A0000

heap

page read and write

6A47000

heap

page read and write

243B000

direct allocation

page read and write

319F000

stack

page read and write

6FE000

stack

page read and write

35EC000

trusted library allocation

page read and write

26D000

stack

page read and write

270E000

stack

page read and write

2AC5000

heap

page read and write

2E20000

heap

page read and write

69F9000

heap

page read and write

53CD000

stack

page read and write

2880000

heap

page read and write

286E000

stack

page read and write

2888000

heap

page read and write

65B000

heap

page read and write

11D000

stack

page read and write

5F0E000

stack

page read and write

644E000

stack

page read and write

1520000

trusted library allocation

page read and write

2AA0000

heap

page read and write

2A32000

heap

page read and write

2D2E000

stack

page read and write

1850000

trusted library allocation

page read and write

65CC000

stack

page read and write

7FD00000

direct allocation

page read and write

15B0000

trusted library allocation

page read and write

287E000

stack

page read and write

1580000

trusted library allocation

page read and write

2B2F000

stack

page read and write

BD0000

heap

page read and write

156B000

trusted library allocation

page execute and read and write

4442000

trusted library allocation

page read and write

35CB000

trusted library allocation

page read and write

575E000

stack

page read and write

358F000

trusted library allocation

page read and write

6BE000

stack

page read and write

2ECD000

stack

page read and write

6F3E000

stack

page read and write

3620000

trusted library allocation

page read and write

2FCD000

stack

page read and write

768000

heap

page read and write

29C0000

heap

page read and write

2C30000

heap

page read and write

23A0000

heap

page read and write

35E8000

trusted library allocation

page read and write

1602000

heap

page read and write

29A0000

heap

page read and write

445000

unkown

page read and write

5D8E000

stack

page read and write

2A3D000

stack

page read and write

28EF000

stack

page read and write

321E000

stack

page read and write

2D0F000

stack

page read and write

29B0000

heap

page read and write

35DB000

trusted library allocation

page read and write

3230000

heap

page read and write

2E60000

heap

page read and write

7781000

trusted library allocation

page read and write

7B0000

heap

page read and write

1590000

trusted library allocation

page execute and read and write

2DD0000

heap

page read and write

8F5000

heap

page read and write

3688000

trusted library allocation

page read and write

16BE000

heap

page read and write

2740000

heap

page read and write

35CE000

trusted library allocation

page read and write

3682000

trusted library allocation

page read and write

2DD1000

heap

page read and write

357F000

trusted library allocation

page read and write

2980000

heap

page read and write

There are 486 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
file.exe