Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\njrat.exe

"C:\Users\user\Desktop\njrat.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2676
Target ID:	0
Parent PID:	2580
Name:	njrat.exe
Path:	C:\Users\user\Desktop\njrat.exe
Commandline:	"C:\Users\user\Desktop\njrat.exe"
Size:	37888
MD5:	5D383EAAF20033CF6202982B4FBA4211
Time:	11:09:12
Date:	11/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x150000
Modulesize:	65536
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
May infect USB drives	Spreading	Replication Through Removable Media
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\server.exe

"C:\Windows\server.exe"

Details

Is windows:	false
Is dropped:	true
PID:	5828
Target ID:	1
Parent PID:	2676
Name:	server.exe
Path:	C:\Windows\server.exe
Commandline:	"C:\Windows\server.exe"
Size:	37888
MD5:	5D383EAAF20033CF6202982B4FBA4211
Time:	11:09:18
Date:	11/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x8c0000
Modulesize:	65536
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Drops executables to the windows directory (C:\Windows) and starts them	Persistence and Installation Behavior	Masquerading
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Sigma detected: Potentially Suspicious Malware Callback Communication	System Summary
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates files inside the system directory	System Summary	Masquerading
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Startup Folder File Write	System Summary
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

Details

Is windows:	true
Is dropped:	false
PID:	332
Target ID:	3
Parent PID:	5828
Name:	netsh.exe
Path:	C:\Windows\SysWOW64\netsh.exe
Commandline:	netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
Size:	82432
MD5:	4E89A1A088BE715D6C946E55AB07C7DF
Time:	11:09:24
Date:	11/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1560000
Modulesize:	122880
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Spawns processes	System Summary	Process Injection

C:\Windows\server.exe

"C:\Windows\server.exe" ..

Details

Is windows:	false
Is dropped:	true
PID:	5552
Target ID:	6
Parent PID:	2580
Name:	server.exe
Path:	C:\Windows\server.exe
Commandline:	"C:\Windows\server.exe" ..
Size:	37888
MD5:	5D383EAAF20033CF6202982B4FBA4211
Time:	11:09:35
Date:	11/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x1f0000
Modulesize:	65536
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Drops executables to the windows directory (C:\Windows) and starts them	Persistence and Installation Behavior	Masquerading
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Sigma detected: Potentially Suspicious Malware Callback Communication	System Summary
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates files inside the system directory	System Summary	Masquerading
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Startup Folder File Write	System Summary
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\server.exe

"C:\Windows\server.exe" ..

Details

Is windows:	false
Is dropped:	true
PID:	6748
Target ID:	9
Parent PID:	2580
Name:	server.exe
Path:	C:\Windows\server.exe
Commandline:	"C:\Windows\server.exe" ..
Size:	37888
MD5:	5D383EAAF20033CF6202982B4FBA4211
Time:	11:09:43
Date:	11/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x720000
Modulesize:	65536
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Drops executables to the windows directory (C:\Windows) and starts them	Persistence and Installation Behavior	Masquerading
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Sigma detected: Potentially Suspicious Malware Callback Communication	System Summary
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates files inside the system directory	System Summary	Masquerading
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Startup Folder File Write	System Summary
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\server.exe

"C:\Windows\server.exe" ..

Details

Is windows:	false
Is dropped:	true
PID:	6952
Target ID:	10
Parent PID:	2580
Name:	server.exe
Path:	C:\Windows\server.exe
Commandline:	"C:\Windows\server.exe" ..
Size:	37888
MD5:	5D383EAAF20033CF6202982B4FBA4211
Time:	11:09:52
Date:	11/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x8b0000
Modulesize:	65536
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Drops executables to the windows directory (C:\Windows) and starts them	Persistence and Installation Behavior	Masquerading
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Sigma detected: Potentially Suspicious Malware Callback Communication	System Summary
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates files inside the system directory	System Summary	Masquerading
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Startup Folder File Write	System Summary
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\user\AppData\Local\Temp\1129210"

Details

Is windows:	true
Is dropped:	false
PID:	1144
Target ID:	11
Parent PID:	5828
Name:	vbc.exe
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\user\AppData\Local\Temp\1129210"
Size:	1173928
MD5:	D881DE17AA8F2E2C08CBB7B265F928F9
Time:	11:10:18
Date:	11/11/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	466944
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected BrowserPasswordDump Tool by SecurityXploded	Stealing of Sensitive Information
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sample uses process hollowing technique	HIPS / PFW / Operating System Protection Evasion	Shared Modules Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	2692
Target ID:	4
Parent PID:	332
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	11:09:24
Date:	11/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	1888
Target ID:	12
Parent PID:	1144
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	11:10:18
Date:	11/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0

unknown

http://hotmail.com

unknown

http://Yahoo.com

unknown

http://DynDns.com

unknown

http://hotmail.com9Software

unknown

http://www.oovoo.com/?Encrypted

unknown

http://Paltalk.com

unknown

http://go.micros

unknown

http://no-ip.com

unknown

http://www.noip.com/

unknown

http://Paltalk.com/Software

unknown

There are 1 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

51.103.213.187

unknown

United Kingdom

Details

IP:	51.103.213.187
TargetID:	1
Current Path:	C:\Windows\server.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	8075
ASN name:	MICROSOFT-CORP-MSN-AS-BLOCKUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sigma detected: Potentially Suspicious Malware Callback Communication	System Summary
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER

Details

TargetID:	0
Path:	HKEY_CURRENT_USER
Value name:	di
Value data:	!

Signature Hits	Behavior Group	Mitre Attack
Creates an autostart registry key pointing to binary in C:\Windows	Boot Survival	Registry Run Keys / Startup Folder
Creates autostart registry keys with suspicious names	Boot Survival	Registry Run Keys / Startup Folder
Tries to steal Instant Messenger accounts or passwords	Stealing of Sensitive Information	Credentials In Files Credentials in Registry
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder
Reads software policies	System Summary	System Information Discovery

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

495a56e87a9043e1648a2f6d33cf682f

Details

TargetID:	1
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name:	495a56e87a9043e1648a2f6d33cf682f
Value data:	"C:\Windows\server.exe" ..

Signature Hits	Behavior Group	Mitre Attack
Creates an autostart registry key pointing to binary in C:\Windows	Boot Survival	Registry Run Keys / Startup Folder
Creates autostart registry keys with suspicious names	Boot Survival	Registry Run Keys / Startup Folder
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run

495a56e87a9043e1648a2f6d33cf682f

Details

TargetID:	1
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Value name:	495a56e87a9043e1648a2f6d33cf682f
Value data:	"C:\Windows\server.exe" ..

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

HKEY_CURRENT_USER\SOFTWARE\495a56e87a9043e1648a2f6d33cf682f

2681e81bb4c4b3e6338ce2a456fb93a7

Details

TargetID:	1
Path:	HKEY_CURRENT_USER\SOFTWARE\495a56e87a9043e1648a2f6d33cf682f
Value name:	2681e81bb4c4b3e6338ce2a456fb93a7
Value data:	4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 00 CE 20 A9 52 00 00 00 00 00 00 00 00 E0 00 02 21 0B 01 08 00 00 2A 00 00 00 04 00 00 00 00 00 00 DE 49 00 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 A0 00 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 84 49 00 00 57 00 00 00 00 60 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 0C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00 E4 29 00 00 00 20 00 00 00 2A 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 72 73 72 63 00 00 00 10 00 00 00 00 60 00 00 00 02 00 00 00 2C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2E 72 65 6C 6F 63 00 00 0C 00 00 00 00 80 00 00 00 02 00 00 00 2E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C0 49 00 00 00 00 00 00 48 00 00 00 02 00 05 00 04 32 00 00 80 17 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2E 72 01 00 00 70 80 04 00 00 04 2A F6 02 28 01 00 00 0A 02 16 7D 03 00 00 04 02 73 02 00 00 0A 7D 05 00 00 04 02 72 0D 00 00 70 7D 06 00 00 04 02 16 7D 07 00 00 04 02 16 7D 08 00 00 04 02 73 03 00 00 0A 7D 09 00 00 04 2A 00 00 1B 30 05 00 8C 00 00 00 01 00 00 11 02 7B 05 00 00 04 0D 09 28 04 00 00 0A 73 05 00 00 0A 0B 03 8E B7 28 06 00 00 0A 72 0F 00 00 70 28 07 00 00 0A 13 04 12 04 28 05 00 00 06 0A 07 06 16 06 8E B7 6F 08 00 00 0A 07 03 16 03 8E B7 6F 08 00 00 0A 02 7B 05 00 00 04 6F 09 00 00 0A 07 6F 0A 00 00 0A 16 07 6F 0B 00 00 0A B7 16 6F 0C 00 00 0A 26 07 6F 0D 00 00 0A DE 1E 09 28 0E 00 00 0A DC DE 15 25 28 0F 00 00 0A 0C 02 17 7D 03 00 00 04 28 10 00 00 0A DE 00 2A 01 18 00 00 02 00 0D 00 60 6D 00 07 00 00 00 01 00 00 00 00 76 76 00 15 09 00 00 01 3A 02 0F 01 28 05 00 00 06 6F 03 00 00 06 2A 00 13 30 02 00 0D 00 00 00 02 00 00 11 28 11 00 00 0A 02 50 6F 12 00 00 0A 2A 00 00 00 13 30 02 00 0D 00 00 00 03 00 00 11 28 11 00 00 0A 03 50 6F 13 00 00 0A 2A 00 00 00 13 30 02 00 1A 00 00 00 04 00 00 11 02 25 FE 07 08 00 00 06 73 14 00 00 0A 73 15 00 00 0A 0A 06 6F 16 00 00 0A 2A 00 00 1B 30 05 00 6E 02 00 00 05 00 00 11 73 05 00 00 0A 0D 16 0C 15 6A 0B 17 8D 14 00 00 01 0A 02 7B 05 00 00 04 02 7B 01 00 00 04 02 7B 02 00 00 04 6F 17 00 00 0A 28 18 00 00 0A 6F 19 00 00 0A 13 0F 12 0F 28 1A 00 00 0A 13 04 1D 8D 0C 00 00 01 13 10 11 10 16 72 13 00 00 70 A2 11 10 17 7E 04 00 00 04 A2 11 10 18 02 7B 06 00 00 04 A2 11 10 19 7E 04 00 00 04 A2 11 10 1A 12 04 28 1B 00 00 0A 28 06 00 00 0A A2 11 10 1B 7E 04 00 00 04 A2 11 10 1C 12 04 28 1C 00 00 0A 28 06 00 00 0A A2 11 10 28 1D 00 00 0A 13 05 02 11 05 6F 04 00 00 06 02 25 FE 07 0A 00 00 06 73 14 00 00 0A 17 73 1E 00 00 0A 13 06 11 06 6F 16 00 00 0A 02 7B 03 00 00 04 2C 05 DD 3C 01 00 00 02 7B 05 00 00 04 6F 1F 00 00 0A 17 2F 13 02 7B 05 00 00 04 6F 09 00 00 0A 15 16 6F 20 00 00 0A 26 02 7B 05 00 00 04 6F 1F 00 00 0A 16 FE 03 39 F7 00 00 00 07 15 6A 33 74 72 0D 00 00 70 13 08 02 7B 05 00 00 04 6F 21 00 00 0A 6F 22 00 00 0A 13 07 11 07 15 33 05 DD E0 00 00 00 11 07 16 33 35 11 08 28 23 00 00 0A 0B 72 0D 00 00 70 13 08 07 16 6A 33 0E 02 72 0D 00 00 70 6F 04 00 00 06 15 6A 0B 02 7B 05 00 00 04 6F 1F 00 00 0A 16 3E 5F FF FF FF 2B 8B 11 08 11 07 28 24 00 00 0A 28 25 00 00 0A 28 07 00 00 0A 13 08 2B 93 02 7B 05 00 00 04 6F 1F 00 00 0A 17 D6 8D 14 00 00 01 0A 07 09 6F 0B 00 00 0A DA 13 0A 06 8E B7 6A 11 0A 31 0E 11 0A 17 6A DA B7 17 D6 8D 14 00 00 01 0A 02 7B 05 00 00 04 6F 09 00 00 0A 06 16 06 8E B7 16 6F 26 00 00 0A 13 09 09 06 16 11 09 6F 08 00 00 0A 09 6F 0B 00 00 0A 07 33 1B 15 6A 0B 02 09 6F 0A 00 00 0A 6F 09 00 00 06 09 6F 0D 00 00 0A 73 05 00 00 0A 0D 38 C8 FE FF FF DE 0F 25 28 0F 00 00 0A 13 0B 28 10 00 00 0A DE 00 02 17 7D 03 00 00 04 02 17 7D 08 00 00 04 02 7B 05 00 00 04 6F 09 00 00 0A 16 6F 27 00 00 0A DE 0F 25 28 0F 00 00 0A 13 0C 28 10 00 00 0A DE 00 02 7B 05 00 00 04 6F 28 00 00 0A DE 0F 25 28 0F 00 00 0A 13 0D 28 10 00 00 0A DE 00 09 6F 0D 00 00 0A DE 0F 25 28 0F 00 00 0A 13 0E 28 10 00 00 0A DE 00 2A 00 00 41 60 00 00 00 00 00 00 12 00 00 00 E9 01 00 00 FB 01 00 00 0F 00 00 00 09 00 00 01 00 00 00 00 18 02 00 00 13 00 00 00 2B 02 00 00 0F 00 00 00 09 00 00 01 00 00 00 00 3A 02 00 00 0D 00 00 00 47 02 00 00 0F 00 00 00 09 00 00 01 00 00 00 00 56 02 00 00 08 00 00 00 5E 02 00 00 0F 00 00 00 09 00 00 01 1B 30 09 00 3A 02 00 00 06 00 00 11 02 0F 01 6F 06 00 00 06 0B 07 7E 04 00 00 04 15 16 28 29 00 00 0A 0A 06 16 9A 13 04 11 04 72 1B 00 00 70 16 28 2A 00 00 0A 16 40 B0 00 00 00 02 13 05 11 05 28 04 00 00 0A 02 17 7D 08 00 00 04 2B 06 17 28 2B 00 00 0A 02 7B 07 00 00 04 2D F2 02 16 7D 08 00 00 04 02 17 7D 07 00 00 04 02 25 FE 07 0B 00 00 06 73 2C 00 00 0A 73 2D 00 00 0A 0C 08 19 8D 01 00 00 01 13 07 11 07 16 12 06 06 18 9A 72 1F 00 00 70 15 16 28 29 00 00 0A 16 9A 28 2E 00 00 0A 06 18 9A 72 1F 00 00 70 15 16 28 29 00 00 0A 17 9A 28 2E 00 00 0A 28 2F 00 00 0A 11 06 8C 04 00 00 01 A2 11 07 17 06 17 9A A2 11 07 18 06 19 9A A2 11 07 6F 30 00 00 0A DD 67 01 00 00 11 05 28 0E 00 00 0A DC DD 5A 01 00 00 11 04 72 23 00 00 70 16 28 2A 00 00 0A 16 33 33 02 13 08 11 08 28 04 00 00 0A 02 17 7D 08 00 00 04 2B 06 17 28 2B 00 00 0A 02 7B 07 00 00 04 2D F2 DD 24 01 00 00 11 08 28 0E 00 00 0A DC DD 17 01 00 00 11 04 72 29 00 00 70 16 28 2A 00 00 0A 16 33 64 06 19 9A 28 2E 00 00 0A 13 09 11 09 20 00 08 00 00 33 1D 06 19 9A 28 2E 00 00 0A 16 16 06 17 9A 28 2E 00 00 0A 17 28 0F 00 00 06 DD D7 00 00 00 12 0A 06 17 9A 28 2E 00 00 0A 06 18 9A 28 2E 00 00 0A 28 31 00 00 0A 11 0A 28 32 00 00 0A 06 19 9A 28 2E 00 00 0A 16 16 16 16 28 0F 00 00 06 DD A3 00 00 00 11 04 72 2D 00 00 70 16 28 2A 00 00 0A 16 33 27 06 18 9A 28 33 00 00 0A 06 18 9A 28 2E 00 00 0A 16 28 0E 00 00 06 B4 06 17 9A 28 2E 00 00 0A 16 28 0D 00 00 06 DE 6C 11 04 72 31 00 00 70 16 28 2A 00 00 0A 16 33 0B 02 7B 05 00 00 04 6F 28 00 00 0A DE 4F 25 28 0F 00 00 0A 0D 02 1B 8D 0C 00 00 01 13 0B 11 0B 16 72 35 00 00 70 A2 11 0B 17 7E 04 00 00 04 A2 11 0B 18 06 16 9A A2 11 0B 19 7E 04 00 00 04 A2 11 0B 1A 09 6F 34 00 00 0A A2 11 0B 28 1D 00 00 0A 6F 04 00 00 06 28 10 00 00 0A DE 00 2A 00 00 41 48 00 00 02 00 00 00 39 00 00 00 99 00 00 00 D2 00 00 00 08 00 00 00 00 00 00 01 02 00 00 00 F9 00 00 00 1C 00 00 00 15 01 00 00 08 00 00 00 00 00 00 01 00 00 00 00 17 00 00 00 D3 01 00 00 EA 01 00 00 4F 00 00 00 09 00 00 01 1B 30 05 00 45 01 00 00 07 00 00 11 16 0A 38 32 01 00 00 17 28 2B 00 00 0A 02 7B 09 00 00 04 6F 35 00 00 0A 16 FE 02 02 7B 07 00 00 04 5F 39 12 01 00 00 02 7B 05 00 00 04 13 05 11 05 28 04 00 00 0A 14 0B 02 7B 09 00 00 04 13 06 11 06 28 04 00 00 0A 2B 19 02 7B 09 00 00 04 16 6F 36 00 00 0A 0B 02 7B 09 00 00 04 16 6F 37 00 00 0A 02 7B 09 00 00 04 6F 35 00 00 0A 16 33 D9 DE 08 11 06 28 0E 00 00 0A DC 02 7B 03 00 00 04 3A AA 00 00 00 73 05 00 00 0A 0D 07 8E B7 28 06 00 00 0A 72 0F 00 00 70 28 07 00 00 0A 13 07 12 07 28 05 00 00 06 0C 09 08 16 08 8E B7 6F 08 00 00 0A 09 07 16 07 8E B7 6F 08 00 00 0A 02 7B 05 00 00 04 6F 09 00 00 0A 09 6F 0B 00 00 0A 6C 23 00 00 00 00 00 00 04 40 5A 28 38 00 00 0A B7 6F 39 00 00 0A 02 7B 05 00 00 04 6F 09 00 00 0A 15 17 6F 20 00 00 0A 26 02 7B 05 00 00 04 6F 09 00 00 0A 09 6F 0A 00 00 0A 16 09 6F 0B 00 00 0A B7 16 6F 0C 00 00 0A 26 DE 16 25 28 0F 00 00 0A 13 04 02 17 7D 03 00 00 04 28 10 00 00 0A DE 15 DE 08 11 05 28 0E 00 00 0A DC 02 7B 03 00 00 04 39 C3 FE FF FF 2A 00 00 00 01 24 00 00 02 00 47 00 2B 72 00 08 00 00 00 01 00 00 85 00 94 19 01 16 09 00 00 01 02 00 36 00 FB 31 01 08 00 00 00 01 1B 30 04 00 B4 01 00 00 08 00 00 11 03 17 8D 01 00 00 01 13 08 11 08 16 16 8C 1F 00 00 01 A2 11 08 14 28 3A 00 00 0A 25 2D 05 26 11 09 2B 0A 79 04 00 00 01 71 04 00 00 01 0C 03 17 8D 01 00 00 01 13 08 11 08 16 17 8C 1F 00 00 01 A2 11 08 14 28 3A 00 00 0A 28 3B 00 00 0A 0B 03 17 8D 01 00 00 01 13 08 11 08 16 18 8C 1F 00 00 01 A2 11 08 14 28 3A 00 00 0A 28 3C 00 00 0A 0A 08 73 11 00 00 06 0D 38 FA 00 00 00 17 28 2B 00 00 0A 02 7B 09 00 00 04 6F 35 00 00 0A 16 40 E3 00 00 00 28 22 00 00 06 13 05 11 05 2D 05 DD D3 00 00 00 73 05 00 00 0A 13 04 72 3B 00 00 70 7E 04 00 00 04 07 7E 04 00 00 04 28 3D 00 00 0A 13 06 11 04 12 06 28 05 00 00 06 16 11 06 6F 3E 00 00 0A 6F 08 00 00 0A 11 04 11 05 16 11 05 8E B7 6F 08 00 00 0A 02 7B 09 00 00 04 13 0A 11 0A 28 04 00 00 0A 02 7B 09 00 00 04 11 04 6F 0A 00 00 0A 6F 3F 00 00 0A DE 08 11 0A 28 0E 00 00 0A DC 11 04 6F 0D 00 00 0A DE 5D 25 28 0F 00 00 0A 13 07 02 1B 8D 0C 00 00 01 13 0B 11 0B 16 72 35 00 00 70 A2 11 0B 17 7E 04 00 00 04 A2 11 0B 18 72 45 00 00 70 A2 11 0B 19 7E 04 00 00 04 A2 11 0B 1A 11 07 6F 34 00 00 0A A2 11 0B 28 1D 00 00 0A 6F 04 00 00 06 20 D0 07 00 00 28 2B 00 00 0A 28 10 00 00 0A DE 00 02 7B 08 00 00 04 02 7B 03 00 00 04 60 39 F4 FE FF FF 02 7B 09 00 00 04 13 0C 11 0C 28 04 00 00 0A 02 7B 09 00 00 04 6F 40 00 00 0A DE 08 11 0C 28 0E 00 00 0A DC 02 16 7D 07 00 00 04 2A 01 24 00 00 02 00 F4 00 14 08 01 08 00 00 00 01 00 00 93 00 86 19 01 5D 09 00 00 01 02 00 97 01 0D A4 01 08 00 00 00 01 13 30 03 00 46 00 00 00 09 00 00 11 73 41 00 00 0A 0B 07 03 6F 42 00 00 0A 10 01 72 0D 00 00 70 0C 03 13 05 16 13 04 2B 1F 11 05 11 04 91 0D 08 12 03 72 55 00 00 70 28 43 00 00 0A 28 07 00 00 0A 0C 11 04 17 D6 13 04 11 04 11 05 8E B7 32 D9 08 2A 00 00 13 30 01 00 44 00 00 00 00 00 00 00 7F 0B 00 00 04 FE 15 23 00 00 01 7F 0C 00 00 04 FE 15 23 00 00 01 7F 0D 00 00 04 FE 15 23 00 00 01 73 44 00 00 0A 80 0E 00 00 04 7E 45 00 00 0A 80 10 00 00 04 1F 0A 80 11 00 00 04 1F 0A 80 12 00 00 04 2A 5E 02 28 01 00 00 0A 03 80 0A 00 00 04 7E 45 00 00 0A 80 10 00 00 04 2A 13 30 01 00 13 00 00 00 0A 00 00 11 28 18 00 00 0A 6F 19 00 00 0A 0B 12 01 28 1A 00 00 0A 2A 00 13 30 01 00 06 00 00 00 0B 00 00 11 7E 0A 00 00 04 2A 00 00 13 30 03 00 2E 00 00 00 0C 00 00 11 28 46 00 00 0A 0A 16 06 8E B7 0D 0C 2B 1A 06 08 9A 6F 47 00 00 0A 02 16 28 2A 00 00 0A 16 33 04 06 08 9A 2A 08 17 D6 0C 08 09 31 E2 14 2A 00 00 13 30 06 00 FB 00 00 00 0D 00 00 11 02 7E 10 00 00 04 28 48 00 00 0A 39 EA 00 00 00 0F 00 28 1B 00 00 0A 0F 00 28 1C 00 00 0A 20 0B 20 0E 00 73 49 00 00 0A 80 0F 00 00 04 7E 0E 00 00 04 6F 4A 00 00 0A 02 80 10 00 00 04 7F 0B 00 00 04 FE 15 23 00 00 01 7F 0C 00 00 04 FE 15 23 00 00 01 7F 0D 00 00 04 FE 15 23 00 00 01 16 7E 11 00 00 04 17 DA 0D 0A 38 86 00 00 00 16 7E 12 00 00 04 17 DA 13 04 0B 2B 70 12 02 06 6C 0F 00 28 1B 00 00 0A 6C 7E 11 00 00 04 6C 5B 5A 28 38 00 00 0A B7 07 6C 0F 00 28 1C 00 00 0A 6C 7E 12 00 00 04 6C 5B 5A 28 38 00 00 0A B7 0F 00 28 1B 00 00 0A 6C 7E 11 00 00 04 6C 5B 28 38 00 00 0A B7 0F 00 28 1C 00 00 0A 6C 7E 12 00 00 04 6C 5B 28 38 00 00 0A B7 28 4B 00 00 0A 7E 0E 00 00 04 08 6F 4C 00 00 0A 07 17 D6 0B 07 11 04 31 8B 06 17 D6 0A 06 09 3E 73 FF FF FF 2A 00 1B 30 0B 00 10 05 00 00 0E 00 00 11 28 1B 00 00 06 28 1C 00 00 06 28 1F 00 00 06 72 0D 00 00 70 13 0E 16 28 4D 00 00 0A 28 14 00 00 06 80 0B 00 00 04 7E 0B 00 00 04 28 15 00 00 06 80 0C 00 00 04 7E 0D 00 00 04 11 16 28 4E 00 00 0A 2C 35 7E 0B 00 00 04 28 1B 00 00 06 28 1C 00 00 06 13 17 12 17 28 1B 00 00 0A 28 1B 00 00 06 28 1C 00 00 06 13 18 12 18 28 1C 00 00 0A 28 16 00 00 06 80 0D 00 00 04 7E 0C 00 00 04 7E 0D 00 00 04 28 17 00 00 06 13 09 7E 0C 00 00 04 1A 28 21 00 00 06 26 7E 0C 00 00 04 16 16 28 1B 00 00 06 28 1C 00 00 06 13 18 12 18 28 1B 00 00 0A 28 1B 00 00 06 28 1C 00 00 06 13 17 12 17 28 1C 00 00 0A 7E 0B 00 00 04 16 16 28 1B 00 00 06 13 19 12 19 28 1B 00 00 0A 28 1B 00 00 06 13 1A 12 1A 28 1C 00 00 0A 20 20 00 CC 00 28 13 00 00 06 26 7E 0C 00 00 04 11 09 28 17 00 00 06 26 7E 0C 00 00 04 28 19 00 00 06 26 16 28 4D 00 00 0A 7E 0B 00 00 04 28 1A 00 00 06 26 7E 0D 00 00 04 28 4F 00 00 0A 0B 28 50 00 00

Signature Hits	Behavior Group	Mitre Attack
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry

HKEY_CURRENT_USER\SOFTWARE\495a56e87a9043e1648a2f6d33cf682f

96bbeae23f13d8b402340f54c661c049

Details

TargetID:	1
Path:	HKEY_CURRENT_USER\SOFTWARE\495a56e87a9043e1648a2f6d33cf682f
Value name:	96bbeae23f13d8b402340f54c661c049
Value data:	4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 00 88 C1 BF 55 00 00 00 00 00 00 00 00 E0 00 02 21 0B 01 0B 00 00 B4 03 00 00 34 00 00 00 00 00 00 BE D2 03 00 00 20 00 00 00 E0 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 04 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 70 D2 03 00 4B 00 00 00 00 00 04 00 C0 2F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 04 00 0C 00 00 00 00 E0 03 00 1C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00 C4 B2 03 00 00 20 00 00 00 B4 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 73 64 61 74 61 00 00 38 01 00 00 00 E0 03 00 00 02 00 00 00 B8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 2F 00 00 00 00 04 00 00 30 00 00 00 BA 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2E 72 65 6C 6F 63 00 00 0C 00 00 00 00 40 04 00 00 02 00 00 00 EA 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A0 D2 03 00 00 00 00 00 48 00 00 00 02 00 05 00 E8 9F 03 00 88 32 00 00 03 00 00 00 00 00 00 00 50 20 00 00 7F 62 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7B 62 03 00 CE CA EF BE 01 00 00 00 91 00 00 00 6C 53 79 73 74 65 6D 2E 52 65 73 6F 75 72 63 65 73 2E 52 65 73 6F 75 72 63 65 52 65 61 64 65 72 2C 20 6D 73 63 6F 72 6C 69 62 2C 20 56 65 72 73 69 6F 6E 3D 32 2E 30 2E 30 2E 30 2C 20 43 75 6C 74 75 72 65 3D 6E 65 75 74 72 61 6C 2C 20 50 75 62 6C 69 63 4B 65 79 54 6F 6B 65 6E 3D 62 37 37 61 35 63 35 36 31 39 33 34 65 30 38 39 23 53 79 73 74 65 6D 2E 52 65 73 6F 75 72 63 65 73 2E 52 75 6E 74 69 6D 65 52 65 73 6F 75 72 63 65 53 65 74 02 00 00 00 04 00 00 00 00 00 00 00 50 41 44 50 41 44 50 61 13 82 82 62 13 82 82 63 13 82 82 95 72 59 00 09 00 00 00 1C 00 00 00 2F 00 00 00 00 00 00 00 16 01 00 00 04 42 00 52 00 00 00 00 00 0E 53 00 74 00 72 00 69 00 6E 00 67 00 31 00 05 60 03 00 0E 53 00 74 00 72 00 69 00 6E 00 67 00 32 00 D3 60 03 00 0E 53 00 74 00 72 00 69 00 6E 00 67 00 33 00 18 61 03 00 20 00 60 03 00 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F0 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 A8 E6 48 B3 EC 87 26 E0 EC 87 26 E0 EC 87 26 E0 72 27 E1 E0 ED 87 26 E0 1D 41 E9 E0 DA 87 26 E0 1D 41 EB E0 F0 87 26 E0 1D 41 E8 E0 78 87 26 E0 E5 FF B5 E0 E1 87 26 E0 EC 87 27 E0 71 87 26 E0 A0 40 F5 E0 E5 87 26 E0 A0 40 EF E0 ED 87 26 E0 EC 87 B1 E0 ED 87 26 E0 A0 40 EA E0 ED 87 26 E0 52 69 63 68 EC 87 26 E0 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 00 B8 7A AA 55 00 00 00 00 00 00 00 00 E0 00 03 01 0B 01 0B 00 00 60 03 00 00 10 00 00 00 A0 03 00 E0 00 07 00 00 B0 03 00 00 10 07 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 02 00 00 00 05 00 01 00 00 00 00 00 00 20 07 00 00 10 00 00 00 00 00 00 03 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 84 15 07 00 B0 01 00 00 00 10 07 00 84 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 94 02 07 00 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 50 58 30 00 00 00 00 00 A0 03 00 00 10 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 E0 55 50 58 31 00 00 00 00 00 60 03 00 00 B0 03 00 00 54 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 E0 2E 72 73 72 63 00 00 00 00 10 00 00 00 10 07 00 00 08 00 00 00 58 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 2E 39 31 00 55 50 58 21 0D 09 08 08 29 71 38 B5 E0 EE CA 25 85 EA 06 00 DF 50 03 00 00 60 06 00 26 1A 00 DA FF FF FF FF 55 8B EC B8 74 27 00 00 E8 1A 04 61 EC A1 40 30 46 00 33 C5 89 45 FC 56 57 89 95 8C D8 FF FF 8B 4C FB BF FD D1 6A 10 59 BE B8 22 00 8D 7D B8 F3 A5 A4 8B F2 33 FF 32 98 DB FF FF D9 0A BD 94 8D 4E 01 8A 06 46 84 C0 75 F9 2B F1 8B C6 25 03 90 80 79 FE DF FE FF 05 48 83 C8 FC 40 74 07 33 C0 E9 1A 00 01 89 0C 53 33 DB 40 80 7C 32 FF 3D 0F 44 D8 DF CF 7E FF 0E FE 3D 89 9D 90 76 75 07 43 11 33 C9 89 8D A0 0E 85 F6 BB ED DB EC 0F 8E D9 82 D4 9D A4 1A F7 DB D4 8D 85 13 03 C7 78 C1 FF FF 03 C3 3B C6 7D 31 8D 04 3A 0F BE 04 08 50 8D 45 B8 50 5E 03 D7 3C 8B BF FB FB 3F 13 59 59 8D 4D B8 2A C1 8B 87 88 84 3D 65 47 83 FF 04 7C C1 2C 07 7F EF 8A 8D A5 16 8A 89 8A 95 A6 6A 8B CA 9D FD 17 30 04 80 E1 03 C0 E0 02 02 C8 38 45 88 8D 9C DF 7F D3 B4 CA 30 02 0F 04 32 C8 C0 E2 06 02 95 A7 37 9D 5D 3B 73 3F 66 8B 85 45 C9 66 89 CA A8 35 94 B8 E0 0F DC 3D AA 29 0D 83 C1 04 83 50 83 C3 04 83 FB 13 64 33 A5 3B CE 0F 8C 35 FF 44 D1 B0 13 DC E1 8B B5 A7 2B FB 57 AE 7D 50 56 1B FC FF FF EA A9 BC 83 C4 0C C6 04 3E 00 8B C7 5B 8B 4D FC 5F 33 CD 5E B7 1E C9 D9 D0 FE 8B C3 34 51 53 8B D9 8B D3 56 5E 4A CC 02 42 86 7F 2B 7E D1 8D 7A 01 38 7D FC 48 DA 01 8B F0 59 68 DB B7 A1 FB 74 66 53 57 56 1D B0 3A 0E 51 10 D9 D6 A4 10 EB FF 9B 2D DB 0B 46 1C 06 50 48 72 F1 38 06 75 04 88 03 EB 39 8B 76 C3 97 ED CE 8D 51 9A 01 41 CA 8D 7E BC F9 EB 0F 54 7E C5 FF 90 07 74 05 4F 3B FE 77 ED 56 40 FC C6 47 01 00 53 C5 1F 7C F0 B5 48 5F 5E 5B 29 81 EC 10 02 48 F7 E3 9F 0E 57 53 56 6A 06 5E 68 FC 46 BB 00 30 9F 05 61 F6 53 68 A0 81 32 69 D2 F8 FD 68 19 CD FE B5 7F 34 6A 00 68 00 8A 4A 68 48 80 FF 15 24 40 14 D8 0F 91 A6 B4 C5 85 93 E2 4A F4 0C FC 1C EE F3 94 F0 5C 28 FF B5 83 52 0C B1 97 E6 43 6A 34 74 32 63 34 D3 61 7B 81 75 23 55 6F 93 DE 3B 08 36 1B 59 10 71 64 00 A4 A2 68 71 16 A0 5E 1A 5B 45 13 F2 C1 F1 24 04 57 B8 68 D2 CC FF 07 7C F0 6A 01 50 8B FA 50 89 85 E0 FB 0A DC 82 F6 6E E7 E4 CE 88 07 8D 1F 3E D9 14 FD 64 B6 91 28 0D 12 30 41 3F 04 9B 28 32 34 A5 3E E4 1A 50 4A 2C 00 8B 8C 34 37 7A 5F 58 20 0B 55 E6 28 AA B8 8A 8B CB 74 02 12 01 D4 0A D3 A7 50 BC 3B D9 AC 84 72 D1 F9 36 B8 34 C1 43 4D AC 00 A0 7C E4 14 9E DE 3B 67 BD 84 A9 42 8D 5D 74 E8 0D F7 CD 1A 4A 02 47 C7 25 14 3E AC 38 B8 FD 6F 23 73 52 8A D8 8A 44 35 E8 02 D8 0F B6 68 57 68 3C 30 10 9C 76 9C 74 E8 CE F6 A1 59 90 ED 7B D8 67 21 5A E8 03 57 53 20 ED BF 77 20 46 83 FE 14 7C C4 6A C3 33 0C CE 10 B8 F6 6F 61 1C 50 C2 A9 C5 10 FD 30 07 C6 23 E2 81 E2 89 09 83 EC 20 03 8B 75 08 9A 26 50 AC 09 04 BE 04 E4 E0 91 6B 58 0C D0 24 E9 08 3B 7C 3C DA EB 7F 32 E4 50 54 03 D9 75 E8 D1 B6 09 69 42 20 52 36 57 53 30 E4 F3 D0 6C D2 D8 14 20 68 E0 76 EC B3 81 A1 BD 30 C7 18 10 6B 12 26 DE E7 CB 4E D5 EC 9D EB 06 95 89 1C 10 2C 38 B3 6A D1 30 A3 66 05 82 57 2B A7 C0 45 0C F2 02 BF BF 9D E1 E9 30 82 46 48 10 43 EA EE 08 00 05 C1 6A 04 59 91 69 E8 1C 8E 13 FD B2 58 5B E0 36 55 B3 EC 5D 18 90 90 5D E9 2F FE 69 27 F9 2D 1C 6A F5 D6 FC 8D 4D E4 51 50 F8 82 47 0A 4C AC 06 0F B7 48 EB 03 6A 0F 58 67 DB 4D 30 06 02 FD 56 58 8B F1 5D 83 CE 64 D6 9A CF 08 56 10 41 5E 2E 57 F9 07 6B F5 EF 1D BF 60 F6 57 F9 C7 04 24 A4 91 A8 09 4D 76 87 A0 C0 25 68 E0 1D 18 8B E7 EC 2C C1 72 69 1B 02 59 8B 24 8B 05 39 76 D8 68 38 4B 68 6C 13 7C 41 4E 72 AC 3C B8 29 C8 18 8C 39 A4 1D C3 38 8C 0B 40 2E 54 64 08 1E 1C 26 0C 3B 39 91 86 61 C3 22 F1 EF 6A C2 9D 6E 8B C4 7F 31 50 64 A1 00 FB B8 84 18 F7 C7 EB 62 95 F0 4A 74 F4 64 A3 43 0F 9E 16 60 33 DB 2C 8C E7 2E 68 54 89 5D CC F1 95 8E FC 26 F0 F0 85 F6 75 34 67 83 B1 85 EB 52 36 6C 85 47 65 8B 08 02 DD A6 58 20 51 08 5E 7C 89 0D 7F 59 DA 7B 48 85 08 7A F0 68 74 8E 56 8A F8 1A BD C8 57 F8 85 FF 75 0F 24 14 97 B1 27 F8 DA D0 95 53 00 8D 25 50 11 FF D7 A7 B9 3B 6E 36 78 D1 C6 66 01 8B BD 1F 2A 88 80 0F 6E 7A 90 0A 3E 40 00 80 96 D8 9C 8B F9 D5 5A 57 86 8D 2B 51 76 57 6E 38 AA 89 BE 6E DD 43 C3 6A 96 8E 50 45 BC DF 88 EC BE 9E 09 A2 E0 81 F2 32 BA E9 E9 6C 66 87 58 84 14 F2 95 A0 F7 45 4F AF BE 01 28 0C E2 D0 6A 10 8B FC 8D B5 2B F5 3A 30 5C A5 00 28 9A BF 64 D0 90 AB F9 7A B0 EB 57 73 E4 1C 4A D3 8D 7C 40 02 8B B5 7C BF F6 5B E0 D2 96 82 06 34 7C 0E A0 56 41 E4 C1 A6 42 3C 79 33 3B 56 BD 21 48 48 83 A6 7C 4F 69 61 0F CE 85 63 42 08 16 45 B4 00 0E 0E E4 C1 5F 90 B7 0C 03 C9 C8 93 41 84 D4 FE 84 C8 73 05 CA 90 1B 54 27 38 32 D2 5C 02 84 8B EB 83 72 F2 60 3B ED 2D 02 7E FE 78 ED 9A 87 07 C3 57 32 FB 53 95 52 EC 72 20 07 D2 1B F7 EF F3 9C 8E E7 1E FF B5 91 79 F8 90 96 87 D9 31 B7 40 29 50 E4 E7 96 E0 B5 05 34 19 E0 0B E3 52 E5 C9 83 82 14 E8 74 F5 80 D9 FD 6C CA C8 41 53 E8 80 74 D5 08 C8 73 34 11 44 11 76 3A 9C 7D E8 09 8A 5A 77 7C 1C D0 21 FE 3B 71 80 A6 FF 3B C1 73 44 8B D3 8B FB B8 FC DF F0 6F 25 8B DD 8A 04 1F 84 2C B6 C8 6A 2C 58 0F 44 C8 88 8C 15 3F 34 FD 1B EF 83 C7 02 42 3B FE 72 E3 AA 4A 7D 3B D7 90 FD 36 E1 0F 83 0F 0C 88 9C 3D EB 1B B9 78 0A 0E C8 49 76 EB 10 68 94 95 0E CC 71 08 CD 50 04 41 67 46 38 FC 6E 55 A0 36 50 88 9D 7F CE 28 C6 23 CC E3 CC D0 2A DC 51 65 86 6B 78 AD 4F F7 77 EF C4 CB 5E 6F 88 1E 2B 46 4B 31 ED E5 A0 38 30 04 90 C9 91 2F 00 28 16 A5 B6 96 68 A4 F9 10 FE FD 43 9F 77 CF E0 B0 01 F5 F0 34 E3 BE

Signature Hits	Behavior Group	Mitre Attack
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry

Memdumps

Base Address

Regiontype

Protect

Malicious

400000

remote allocation

page execute and read and write

2F61000

trusted library allocation

page read and write

152000

unkown

page readonly

11BF000

heap

page read and write

CF6000

stack

page read and write

12E0000

trusted library allocation

page read and write

19B000

stack

page read and write

11C0000

heap

page read and write

3781000

trusted library allocation

page read and write

124E000

heap

page read and write

11A9000

heap

page read and write

4F4E000

stack

page read and write

E00000

trusted library allocation

page read and write

FF0000

heap

page execute and read and write

10FE000

stack

page read and write

E0A000

heap

page read and write

11D3000

heap

page read and write

495E000

stack

page read and write

A22000

trusted library allocation

page execute and read and write

54C0000

trusted library allocation

page read and write

F90000

trusted library allocation

page read and write

A8B000

trusted library allocation

page execute and read and write

DE0000

trusted library allocation

page read and write

C70000

heap

page read and write

DD0000

heap

page read and write

92F000

stack

page read and write

11DE000

stack

page read and write

4069000

trusted library allocation

page read and write

6AEE000

heap

page read and write

12F0000

heap

page read and write

155E000

stack

page read and write

534F000

stack

page read and write

DB5000

heap

page read and write

9D0000

heap

page read and write

BB0000

heap

page read and write

1248000

heap

page read and write

54D0000

unclassified section

page read and write

3F31000

trusted library allocation

page read and write

9C000

stack

page read and write

11CC000

heap

page read and write

E37000

trusted library allocation

page execute and read and write

9FA000

trusted library allocation

page execute and read and write

A42000

trusted library allocation

page execute and read and write

1060000

heap

page execute and read and write

50CE000

stack

page read and write

A06000

trusted library allocation

page execute and read and write

582E000

stack

page read and write

523C000

stack

page read and write

E48000

heap

page read and write

36E0000

heap

page read and write

13FE000

stack

page read and write

11DE000

heap

page read and write

4E3E000

stack

page read and write

4F9E000

stack

page read and write

55EE000

stack

page read and write

1201000

heap

page read and write

A20000

trusted library allocation

page read and write

11C7000

heap

page read and write

11A7000

heap

page read and write

52B3000

heap

page read and write

9B5000

heap

page read and write

7BB000

stack

page read and write

11D3000

heap

page read and write

58C0000

heap

page read and write

6B8A000

heap

page read and write

59DA000

heap

page read and write

52EE000

stack

page read and write

4EF0000

trusted library allocation

page read and write

E3B000

trusted library allocation

page execute and read and write

770000

heap

page read and write

41E4000

trusted library allocation

page read and write

54EE000

stack

page read and write

51E0000

heap

page read and write

F10000

heap

page read and write

317E000

trusted library allocation

page read and write

11A4000

heap

page read and write

11C4000

heap

page read and write

49A0000

trusted library allocation

page read and write

A02000

trusted library allocation

page execute and read and write

46F000

remote allocation

page execute and read and write

11F2000

heap

page read and write

5D59000

heap

page read and write

12D0000

trusted library allocation

page execute and read and write

EEA000

heap

page read and write

739000

heap

page read and write

94F000

stack

page read and write

4163000

trusted library allocation

page read and write

59D6000

heap

page read and write

58CF000

heap

page read and write

11AA000

heap

page read and write

AF6000

stack

page read and write

59D8000

heap

page read and write

536B000

stack

page read and write

510000

heap

page read and write

242E000

stack

page read and write

480000

heap

page read and write

53C0000

heap

page read and write

9C0000

heap

page read and write

1077000

trusted library allocation

page execute and read and write

50E000

stack

page read and write

11DE000

heap

page read and write

EE0000

heap

page read and write

11D3000

heap

page read and write

11C8000

heap

page read and write

68E000

stack

page read and write

2F31000

trusted library allocation

page read and write

795000

heap

page read and write

B30000

heap

page read and write

E7E000

heap

page read and write

11DF000

heap

page read and write

10F0000

heap

page read and write

4C5E000

stack

page read and write

530000

heap

page read and write

640000

heap

page read and write

519E000

stack

page read and write

3458000

trusted library allocation

page read and write

55BF000

stack

page read and write

11CA000

heap

page read and write

BBA000

heap

page read and write

11CE000

heap

page read and write

6AF7000

heap

page read and write

11A8000

heap

page read and write

4E4E000

stack

page read and write

11D3000

heap

page read and write

E2A000

trusted library allocation

page execute and read and write

990000

heap

page execute and read and write

1247000

heap

page read and write

51F9000

stack

page read and write

DFA000

trusted library allocation

page execute and read and write

1070000

trusted library allocation

page read and write

A70000

heap

page read and write

3191000

trusted library allocation

page read and write

64B000

heap

page read and write

11F2000

heap

page read and write

11E1000

heap

page read and write

11DE000

heap

page read and write

B8F000

stack

page read and write

59D6000

heap

page read and write

56EE000

stack

page read and write

3CF1000

trusted library allocation

page read and write

5110000

heap

page read and write

11F7000

heap

page read and write

4D3E000

stack

page read and write

530C000

stack

page read and write

D70000

heap

page read and write

C75000

heap

page read and write

1201000

heap

page read and write

A4A000

trusted library allocation

page execute and read and write

119D000

heap

page read and write

F9C000

trusted library allocation

page execute and read and write

59C0000

trusted library allocation

page execute and read and write

11CE000

heap

page read and write

141E000

unkown

page read and write

A37000

trusted library allocation

page execute and read and write

11CC000

heap

page read and write

11A8000

heap

page read and write

11DD000

heap

page read and write

59CD000

heap

page read and write

4ECE000

stack

page read and write

F92000

trusted library allocation

page execute and read and write

514E000

stack

page read and write

550000

heap

page read and write

52B0000

heap

page read and write

11F7000

heap

page read and write

FFE000

stack

page read and write

50FE000

stack

page read and write

DD3000

heap

page read and write

DA0000

heap

page read and write

3F34000

trusted library allocation

page read and write

323E000

trusted library allocation

page read and write

DBE000

heap

page read and write

9F0000

heap

page read and write

5040000

heap

page read and write

48B000

stack

page read and write

D10000

trusted library allocation

page execute and read and write

9B0000

heap

page read and write

A0C000

trusted library allocation

page execute and read and write

11BF000

heap

page read and write

11E0000

heap

page read and write

71E000

heap

page read and write

11E0000

heap

page read and write

4A6E000

stack

page read and write

DF2000

trusted library allocation

page execute and read and write

119D000

heap

page read and write

125E000

stack

page read and write

12C0000

trusted library allocation

page read and write

B58000

heap

page read and write

9E0000

heap

page read and write

73E000

stack

page read and write

4AEE000

stack

page read and write

F70000

trusted library allocation

page read and write

1197000

heap

page read and write

4B5E000

stack

page read and write

6BDE000

heap

page read and write

6BB0000

heap

page read and write

A07C000

heap

page read and write

35BE000

stack

page read and write

3182000

trusted library allocation

page read and write

6A00000

heap

page read and write

46C000

remote allocation

page execute and read and write

FB2000

trusted library allocation

page execute and read and write

4F50000

heap

page read and write

1010000

heap

page read and write

F8A000

trusted library allocation

page execute and read and write

5CCC000

stack

page read and write

E2C000

trusted library allocation

page execute and read and write

517B000

stack

page read and write

4D9F000

stack

page read and write

1022000

trusted library allocation

page execute and read and write

630000

heap

page read and write

E20000

trusted library allocation

page read and write

1150000

heap

page read and write

11D3000

heap

page read and write

E40000

heap

page read and write

10E0000

trusted library allocation

page execute and read and write

A010000

heap

page read and write

11C9000

heap

page read and write

718000

heap

page read and write

10F3000

stack

page read and write

119D000

heap

page read and write

15C000

unkown

page readonly

4960000

heap

page read and write

11BD000

heap

page read and write

1198000

heap

page read and write

5F0000

heap

page read and write

2781000

trusted library allocation

page read and write

56F0000

heap

page read and write

11D8000

heap

page read and write

107B000

trusted library allocation

page execute and read and write

11D3000

heap

page read and write

5CE0000

trusted library section

page read and write

F0A000

heap

page read and write

6B13000

heap

page read and write

546C000

stack

page read and write

11C8000

heap

page read and write

740000

heap

page read and write

5D40000

trusted library section

page read and write

54BE000

stack

page read and write

11AA000

heap

page read and write

11FE000

stack

page read and write

11C5000

heap

page read and write

4920000

trusted library allocation

page read and write

102A000

trusted library allocation

page execute and read and write

1010000

trusted library allocation

page read and write

4EE0000

trusted library allocation

page execute and read and write

D60000

trusted library allocation

page read and write

B83000

heap

page read and write

A00000

trusted library allocation

page read and write

4F8E000

stack

page read and write

4ED0000

trusted library allocation

page read and write

113E000

unkown

page read and write

51CE000

stack

page read and write

4F68000

trusted library allocation

page read and write

53BD000

stack

page read and write

53D0000

heap

page read and write

40BC000

trusted library allocation

page read and write

4F9000

stack

page read and write

6BC0000

heap

page read and write

485E000

stack

page read and write

11CF000

heap

page read and write

11CA000

heap

page read and write

638000

heap

page read and write

11DE000

heap

page read and write

5E5D000

stack

page read and write

82F000

stack

page read and write

1400000

trusted library allocation

page read and write

1030000

trusted library allocation

page read and write

6BE0000

heap

page read and write

11CF000

heap

page read and write

A40000

trusted library allocation

page read and write

36BE000

stack

page read and write

B50000

heap

page read and write

10BE000

stack

page read and write

119A000

heap

page read and write

F82000

trusted library allocation

page execute and read and write

51DE000

stack

page read and write

1470000

heap

page read and write

4980000

heap

page read and write

4C9E000

stack

page read and write

7B67000

heap

page read and write

10D0000

heap

page read and write

1196000

heap

page read and write

6B2C000

heap

page read and write

318D000

trusted library allocation

page read and write

4F6000

stack

page read and write

11AC000

heap

page read and write

11D6000

heap

page read and write

401B000

trusted library allocation

page read and write

538E000

stack

page read and write

11DC000

heap

page read and write

710000

heap

page read and write

EBF000

stack

page read and write

A70000

heap

page execute and read and write

6F0000

heap

page read and write

1201000

heap

page read and write

3FC7000

trusted library allocation

page read and write

119E000

heap

page read and write

11BD000

heap

page read and write

D5E000

stack

page read and write

9C0000

heap

page read and write

11CE000

heap

page read and write

11F2000

heap

page read and write

E12000

trusted library allocation

page read and write

59D7000

heap

page read and write

11D3000

heap

page read and write

5120000

heap

page read and write

53E0000

heap

page read and write

103C000

trusted library allocation

page execute and read and write

1248000

heap

page read and write

50CE000

stack

page read and write

1243000

heap

page read and write

524E000

stack

page read and write

11C3000

heap

page read and write

1158000

heap

page read and write

90F000

stack

page read and write

59C2000

heap

page read and write

11AB000

heap

page read and write

B6E000

heap

page read and write

4C3E000

stack

page read and write

548E000

stack

page read and write

1080000

trusted library allocation

page read and write

9D0000

trusted library allocation

page read and write

3235000

trusted library allocation

page read and write

EE6000

heap

page read and write

9F6000

heap

page read and write

11E0000

heap

page read and write

60F000

heap

page read and write

FC7000

trusted library allocation

page execute and read and write

490E000

stack

page read and write

11D9000

heap

page read and write

DB0000

heap

page read and write

11D8000

heap

page read and write

CF9000

stack

page read and write

775000

heap

page read and write

A0F000

stack

page read and write

37D1000

trusted library allocation

page read and write

5D50000

heap

page read and write

4110000

trusted library allocation

page read and write

3FBA000

trusted library allocation

page read and write

D50000

heap

page read and write

1200000

heap

page read and write

11DF000

heap

page read and write

520B000

stack

page read and write

635000

heap

page read and write

6BF0000

heap

page read and write

11DE000

heap

page read and write

119B000

heap

page read and write

119B000

heap

page read and write

11C9000

heap

page read and write

11AA000

heap

page read and write

11D2000

heap

page read and write

6F0000

heap

page read and write

A32000

trusted library allocation

page execute and read and write

111F000

stack

page read and write

5F30000

trusted library allocation

page execute and read and write

1186000

heap

page read and write

74F000

heap

page read and write

11C7000

heap

page read and write

5F8000

heap

page read and write

1440000

heap

page read and write

248F000

stack

page read and write

480E000

stack

page read and write

D3E000

stack

page read and write

104E000

stack

page read and write

D7E000

stack

page read and write

625000

heap

page read and write

77B000

heap

page read and write

1247000

heap

page read and write

501E000

stack

page read and write

95A000

stack

page read and write

513C000

stack

page read and write

11DD000

heap

page read and write

A3A000

trusted library allocation

page execute and read and write

E32000

trusted library allocation

page read and write

11F7000

heap

page read and write

1189000

heap

page read and write

3784000

trusted library allocation

page read and write

DD5000

heap

page read and write

A62000

trusted library allocation

page execute and read and write

E22000

trusted library allocation

page execute and read and write

DF0000

heap

page read and write

592F000

stack

page read and write

53EF000

stack

page read and write

CF6000

stack

page read and write

11D8000

heap

page read and write

A3B000

trusted library allocation

page execute and read and write

11CE000

heap

page read and write

49C0000

trusted library allocation

page read and write

36C0000

heap

page read and write

11DE000

heap

page read and write

11D1000

heap

page read and write

12A0000

heap

page read and write

508E000

stack

page read and write

1032000

trusted library allocation

page execute and read and write

E1A000

trusted library allocation

page execute and read and write

1197000

heap

page read and write

E02000

trusted library allocation

page execute and read and write

D70000

heap

page read and write

4B30000

heap

page read and write

150000

unkown

page readonly

3288000

trusted library allocation

page read and write

11C5000

heap

page read and write

94B000

stack

page read and write

51BC000

stack

page read and write

59C2000

heap

page read and write

11A8000

heap

page read and write

145D000

stack

page read and write

11DD000

heap

page read and write

A4C000

trusted library allocation

page execute and read and write

3398000

trusted library allocation

page read and write

11A6000

heap

page read and write

FCB000

trusted library allocation

page execute and read and write

11C9000

heap

page read and write

27D1000

trusted library allocation

page read and write

DBE000

stack

page read and write

EF2000

heap

page read and write

4AAE000

stack

page read and write

59A0000

heap

page read and write

11C3000

heap

page read and write

1036000

trusted library allocation

page execute and read and write

A87000

trusted library allocation

page execute and read and write

630000

heap

page read and write

11D9000

heap

page read and write

11D5000

heap

page read and write

9D0000

heap

page read and write

1196000

heap

page read and write

1052000

trusted library allocation

page execute and read and write

DA8000

heap

page read and write

49B0000

trusted library allocation

page execute and read and write

A80000

heap

page read and write

13FF000

stack

page read and write

5B30000

heap

page read and write

B20000

heap

page read and write

A7E000

stack

page read and write

6CE000

stack

page read and write

59CB000

heap

page read and write

11CC000

heap

page read and write

5240000

trusted library allocation

page execute and read and write

EFE000

stack

page read and write

5B40000

heap

page read and write

4910000

trusted library allocation

page execute and read and write

7F9B0000

trusted library allocation

page execute and read and write

2CF1000

trusted library allocation

page read and write

4FDE000

stack

page read and write

4DCE000

stack

page read and write

9B0000

heap

page read and write

11CE000

heap

page read and write

11CA000

heap

page read and write

1171000

heap

page read and write

586000

stack

page read and write

11D7000

heap

page read and write

6BD0000

heap

page read and write

129E000

stack

page read and write

AF9000

stack

page read and write

E08000

heap

page read and write

1243000

heap

page read and write

1140000

heap

page read and write

98E000

stack

page read and write

121F000

stack

page read and write

36E6000

heap

page read and write

59C7000

heap

page read and write

11E0000

heap

page read and write

10EE000

stack

page read and write

E02000

heap

page read and write

3195000

trusted library allocation

page read and write

3F61000

trusted library allocation

page read and write

AD0000

heap

page read and write

5B60000

heap

page read and write

59D6000

heap

page read and write

11D3000

heap

page read and write

D90000

heap

page read and write

11BD000

heap

page read and write

1EB000

stack

page read and write

1090000

heap

page execute and read and write

F96000

trusted library allocation

page execute and read and write

6AE0000

heap

page read and write

1198000

heap

page read and write

10DC000

stack

page read and write

124A000

heap

page read and write

ACE000

stack

page read and write

3CF4000

trusted library allocation

page read and write

5E60000

trusted library allocation

page read and write

515E000

stack

page read and write

11D7000

heap

page read and write

D7B000

stack

page read and write

CF9000

stack

page read and write

A000000

heap

page read and write

E17000

trusted library allocation

page execute and read and write

4050000

trusted library allocation

page read and write

5CD0000

trusted library section

page read and write

11DE000

heap

page read and write

9F2000

trusted library allocation

page execute and read and write

4CE000

stack

page read and write

65B000

heap

page read and write

1245000

heap

page read and write

124E000

heap

page read and write

192000

stack

page read and write

124C000

heap

page read and write

11C4000

heap

page read and write

E4E000

heap

page read and write

There are 490 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
njrat.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportnjrat.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
njrat.exe