Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

z81zEuzkJPHHV3KYua.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.829230310237872
Filename:	z81zEuzkJPHHV3KYua.exe
Filesize:	768000
MD5:	1b4a6383c2a9b4fd9d1c2ba270800a49
SHA1:	ae5c4b7b0a37b4d1c8b65d13417257b29cd2188e
SHA256:	cd60ea86b574b6b511ce6a6aff1314ce71b1953e169792e3e76a36913e85ea23
SHA512:	7374bff7a913c972156a802096c57b91be8072362dc150dfb0e0e6ad3c0808774a029f1f98f0004c86b0d4b2b76e95fce6811579b67c03cc15f5bee1b004ce6b
SSDEEP:	12288:Wq3wtfRzxWW8wNaTP+/CsM/b63zsWhvb2QlT1u3UqOsOJZUowJ9oIfSF:WqMpzxWnXPWCsM/bCXhvSQ3JZUjwIfS
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....>g..............0.................. ........@.. ....................... ............@................................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)	Anti Debugging
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)	Malware Analysis System Evasion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to harvest and steal ftp login credentials	Stealing of Sensitive Information
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Checks if the current process is being debugged	Anti Debugging
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Encrypted Channel
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries process information (via WMI, Win32_Process)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary	System Information Discovery
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z81zEuzkJPHHV3KYua.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z81zEuzkJPHHV3KYua.exe.log
Category:	dropped
Dump:	z81zEuzkJPHHV3KYua.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Category:	dropped
Dump:	StartupProfileData-NonInteractive.1.dr
ID:	dr_5
Target ID:	1
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	5.378486415808052
Encrypted:	false
Ssdeep:	48:fWSU4xc4RTmaoUeW+gZ9tK8NPZHUxL7u1iMuge//ZSUyus:fLHxcIalLgZ2KRHWLOug0s
Size:	2232
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d0dbsulo.u3m.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d0dbsulo.u3m.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_d0dbsulo.u3m.psm1.1.dr
ID:	dr_2
Target ID:	1
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qsxq2hny.2fm.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qsxq2hny.2fm.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_qsxq2hny.2fm.ps1.1.dr
ID:	dr_3
Target ID:	1
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sgzowy5q.hul.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sgzowy5q.hul.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_sgzowy5q.hul.ps1.1.dr
ID:	dr_1
Target ID:	1
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y42fq5rc.dbl.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y42fq5rc.dbl.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_y42fq5rc.dbl.psm1.1.dr
ID:	dr_4
Target ID:	1
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe

"C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7404
Target ID:	0
Parent PID:	2580
Name:	z81zEuzkJPHHV3KYua.exe
Path:	C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe
Commandline:	"C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe"
Size:	768000
MD5:	1B4A6383C2A9B4FD9D1C2BA270800A49
Time:	10:31:57
Date:	21/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x590000
Modulesize:	794624
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Machine Learning detection for sample	AV Detection
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet	System Summary
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Powershell Defender Exclusion	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7468
Target ID:	1
Parent PID:	7404
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe"
Size:	433152
MD5:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Time:	10:31:58
Date:	21/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x210000
Modulesize:	446464
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Powershell Defender Exclusion	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe

"C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7476
Target ID:	2
Parent PID:	7404
Name:	z81zEuzkJPHHV3KYua.exe
Path:	C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe
Commandline:	"C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe"
Size:	768000
MD5:	1B4A6383C2A9B4FD9D1C2BA270800A49
Time:	10:31:58
Date:	21/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xa10000
Modulesize:	794624
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Machine Learning detection for sample	AV Detection
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet	System Summary
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Powershell Defender Exclusion	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7484
Target ID:	3
Parent PID:	7468
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	10:31:58
Date:	21/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\wbem\WmiPrvSE.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	7736
Target ID:	4
Parent PID:	752
Name:	WmiPrvSE.exe
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Size:	496640
MD5:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Time:	10:32:00
Date:	21/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	true
Modulebase:	0x7ff693ab0000
Modulesize:	516096
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe
Source:	z81zEuzkJPHHV3KYua.exe, 00000000.00000002.1698165840.0000000003999000.00000004.00000800.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2935688677.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://mail.apexrnun.com

unknown

http://r11.o.lencr.org0#

unknown

Details

Name:	http://r11.o.lencr.org0#
TargetID:	2
From Memory:	true
Current Path:	C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe
Source:	z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.000000000101D000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2938171995.0000000002E2D000.00000004.00000800.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2942075233.0000000006468000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.000000000102E000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.0000000001060000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe
Source:	z81zEuzkJPHHV3KYua.exe, 00000000.00000002.1697345336.0000000002A03000.00000004.00000800.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2938171995.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://x1.c.lencr.org/0

unknown

Details

Name:	http://x1.c.lencr.org/0
TargetID:	2
From Memory:	true
Current Path:	C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe
Source:	z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.000000000101D000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2938171995.0000000002E2D000.00000004.00000800.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2942075233.0000000006468000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.000000000102E000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.0000000001060000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://x1.i.lencr.org/0

unknown

Details

Name:	http://x1.i.lencr.org/0
TargetID:	2
From Memory:	true
Current Path:	C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe
Source:	z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.000000000101D000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2938171995.0000000002E2D000.00000004.00000800.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2942075233.0000000006468000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.000000000102E000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.0000000001060000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://r11.i.lencr.org/02

unknown

Details

Name:	http://r11.i.lencr.org/02
TargetID:	2
From Memory:	true
Current Path:	C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe
Source:	z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.000000000101D000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2938171995.0000000002E2D000.00000004.00000800.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2942075233.0000000006468000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.000000000102E000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.0000000001060000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://ip-api.com/line/?fields=hosting

208.95.112.1

Details

Name:	http://ip-api.com/line/?fields=hosting
IP:	208.95.112.1
TargetID:	2
From Memory:	false
Current Path:	C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking

http://ip-api.com

unknown

Details

Name:	http://ip-api.com
TargetID:	2
From Memory:	true
Current Path:	C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe
Source:	z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2938171995.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

ip-api.com

208.95.112.1

Details

Name:	ip-api.com
IP:	208.95.112.1
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Check if machine is in data center or colocation facility	Malware Analysis System Evasion	Security Software Discovery
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

mail.apexrnun.com

185.196.9.150

Details

Name:	mail.apexrnun.com
IP:	185.196.9.150
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

208.95.112.1

ip-api.com

United States

185.196.9.150

mail.apexrnun.com

Switzerland

Details

IP:	185.196.9.150
TargetID:	2
Current Path:	C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe
Country:	Switzerland
Countrycode:	CHE
ASN number:	42624
ASN name:	SIMPLECARRIERCH
Private:	false
Domain:	mail.apexrnun.com

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z81zEuzkJPHHV3KYua_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z81zEuzkJPHHV3KYua_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z81zEuzkJPHHV3KYua_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z81zEuzkJPHHV3KYua_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z81zEuzkJPHHV3KYua_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z81zEuzkJPHHV3KYua_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z81zEuzkJPHHV3KYua_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z81zEuzkJPHHV3KYua_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z81zEuzkJPHHV3KYua_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z81zEuzkJPHHV3KYua_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z81zEuzkJPHHV3KYua_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z81zEuzkJPHHV3KYua_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z81zEuzkJPHHV3KYua_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z81zEuzkJPHHV3KYua_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2E2D000

trusted library allocation

page read and write

3999000

trusted library allocation

page read and write

2E01000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

2E51000

trusted library allocation

page read and write

8A1F000

stack

page read and write

FAE000

heap

page read and write

51BE000

trusted library allocation

page read and write

101D000

heap

page read and write

5459000

trusted library allocation

page read and write

5920000

trusted library allocation

page read and write

12A0000

trusted library allocation

page read and write

4DD8000

trusted library allocation

page read and write

643E000

heap

page read and write

B6A000

stack

page read and write

2A0C000

trusted library allocation

page read and write

590000

unkown

page readonly

12A3000

trusted library allocation

page execute and read and write

CE1000

heap

page read and write

FC7000

heap

page read and write

53BD000

heap

page read and write

67DD000

stack

page read and write

2C7B000

trusted library allocation

page read and write

53A0000

heap

page read and write

C10000

heap

page read and write

4DEE000

trusted library allocation

page read and write

51A0000

trusted library allocation

page read and write

4E40000

trusted library allocation

page read and write

6EEF000

stack

page read and write

53FE000

stack

page read and write

2B85000

trusted library allocation

page execute and read and write

273E000

stack

page read and write

12AD000

trusted library allocation

page execute and read and write

BE3000

trusted library allocation

page execute and read and write

C62000

trusted library allocation

page read and write

2780000

heap

page execute and read and write

BC0000

trusted library allocation

page read and write

7120000

trusted library allocation

page execute and read and write

592D000

trusted library allocation

page read and write

879F000

stack

page read and write

CAA000

heap

page read and write

4E30000

trusted library allocation

page read and write

C6B000

trusted library allocation

page execute and read and write

692D000

stack

page read and write

8DDC000

stack

page read and write

539E000

stack

page read and write

2B8B000

trusted library allocation

page execute and read and write

4DFD000

trusted library allocation

page read and write

2B87000

trusted library allocation

page execute and read and write

4EB2000

trusted library allocation

page read and write

2CB4000

trusted library allocation

page read and write

52B0000

trusted library allocation

page read and write

12B0000

trusted library allocation

page read and write

7E7000

stack

page read and write

2B82000

trusted library allocation

page read and write

43E000

remote allocation

page execute and read and write

6930000

heap

page read and write

609E000

stack

page read and write

F60000

heap

page read and write

2BF0000

trusted library allocation

page execute and read and write

2C6C000

stack

page read and write

2BEE000

stack

page read and write

2C91000

trusted library allocation

page read and write

6EF0000

trusted library allocation

page read and write

298F000

stack

page read and write

3E3C000

trusted library allocation

page read and write

50E0000

heap

page read and write

5C6D000

stack

page read and write

BD0000

heap

page read and write

FBA000

heap

page read and write

B30000

heap

page read and write

2870000

trusted library allocation

page read and write

5450000

trusted library allocation

page read and write

6EA000

stack

page read and write

5910000

heap

page read and write

5370000

heap

page read and write

68DD000

stack

page read and write

648E000

heap

page read and write

6487000

heap

page read and write

C1A000

heap

page read and write

50F0000

trusted library allocation

page execute and read and write

2DD1000

trusted library allocation

page read and write

CDF000

heap

page read and write

69EE000

stack

page read and write

665E000

stack

page read and write

3DD1000

trusted library allocation

page read and write

53CB000

heap

page read and write

2C70000

trusted library allocation

page read and write

BE0000

heap

page read and write

529E000

stack

page read and write

6A47000

trusted library allocation

page read and write

891E000

stack

page read and write

530C000

stack

page read and write

BFD000

trusted library allocation

page execute and read and write

400000

remote allocation

page execute and read and write

6477000

heap

page read and write

BD0000

heap

page read and write

5460000

heap

page execute and read and write

8E00000

trusted library allocation

page read and write

68E7000

trusted library allocation

page read and write

5470000

heap

page read and write

4FC0000

heap

page read and write

4DD4000

trusted library allocation

page read and write

4EB0000

trusted library allocation

page read and write

12D0000

heap

page read and write

592000

unkown

page readonly

6DED000

stack

page read and write

2C9D000

trusted library allocation

page read and write

5C2E000

stack

page read and write

2C20000

heap

page execute and read and write

536E000

stack

page read and write

B7E000

stack

page read and write

2CC0000

heap

page read and write

2798000

trusted library allocation

page read and write

4EA0000

heap

page read and write

D42000

heap

page read and write

6F70000

heap

page read and write

2880000

heap

page read and write

1014000

heap

page read and write

C06000

trusted library allocation

page execute and read and write

BF5000

heap

page read and write

CBF000

heap

page read and write

FC5000

heap

page read and write

12A4000

trusted library allocation

page read and write

4F6D000

stack

page read and write

5373000

heap

page read and write

53B5000

heap

page read and write

641E000

stack

page read and write

C90000

trusted library allocation

page execute and read and write

669E000

stack

page read and write

679E000

stack

page read and write

51B0000

trusted library allocation

page read and write

53C6000

heap

page read and write

BE0000

trusted library allocation

page read and write

2DCE000

stack

page read and write

6F30000

heap

page read and write

6940000

trusted library allocation

page execute and read and write

8CDC000

stack

page read and write

4A8C000

stack

page read and write

6468000

heap

page read and write

BF3000

trusted library allocation

page read and write

4E02000

trusted library allocation

page read and write

60DE000

stack

page read and write

2C96000

trusted library allocation

page read and write

EF8000

stack

page read and write

2A0E000

trusted library allocation

page read and write

53CD000

heap

page read and write

54DB000

stack

page read and write

4E20000

trusted library allocation

page read and write

1054000

heap

page read and write

631E000

unkown

page read and write

8B5E000

stack

page read and write

12C2000

trusted library allocation

page read and write

12CA000

trusted library allocation

page execute and read and write

68E0000

trusted library allocation

page read and write

2C00000

trusted library allocation

page read and write

7FB20000

trusted library allocation

page execute and read and write

8C9E000

stack

page read and write

2CB0000

trusted library allocation

page read and write

F80000

trusted library allocation

page read and write

53D0000

heap

page read and write

4E10000

trusted library allocation

page read and write

D65000

heap

page read and write

557E000

stack

page read and write

2E60000

trusted library allocation

page read and write

2C7E000

trusted library allocation

page read and write

6A40000

trusted library allocation

page read and write

655E000

stack

page read and write

2C10000

trusted library allocation

page read and write

5500000

trusted library allocation

page execute and read and write

4DF1000

trusted library allocation

page read and write

855E000

stack

page read and write

CAE000

heap

page read and write

4FB0000

trusted library section

page read and write

2B80000

trusted library allocation

page read and write

2C8A000

trusted library allocation

page read and write

C67000

trusted library allocation

page execute and read and write

4E35000

trusted library allocation

page read and write

5CBE000

stack

page read and write

B90000

heap

page read and write

F90000

heap

page read and write

277E000

stack

page read and write

869E000

stack

page read and write

54E0000

trusted library allocation

page execute and read and write

102E000

heap

page read and write

53BE000

stack

page read and write

2E3F000

trusted library allocation

page read and write

4EC0000

trusted library allocation

page execute and read and write

3991000

trusted library allocation

page read and write

8A5E000

stack

page read and write

5F20000

trusted library section

page read and write

12C0000

trusted library allocation

page read and write

4F90000

trusted library allocation

page read and write

C00000

trusted library allocation

page read and write

58AE000

stack

page read and write

4FC3000

heap

page read and write

2E2B000

trusted library allocation

page read and write

12C6000

trusted library allocation

page execute and read and write

BF0000

heap

page read and write

4DF6000

trusted library allocation

page read and write

5110000

heap

page execute and read and write

5100000

trusted library allocation

page read and write

E9F000

stack

page read and write

2A03000

trusted library allocation

page read and write

2E59000

trusted library allocation

page read and write

F98000

heap

page read and write

2BA0000

trusted library allocation

page read and write

64E000

unkown

page readonly

6420000

heap

page read and write

3DF9000

trusted library allocation

page read and write

2C8E000

trusted library allocation

page read and write

F67000

heap

page read and write

2991000

trusted library allocation

page read and write

C0A000

trusted library allocation

page execute and read and write

1060000

heap

page read and write

6A30000

trusted library allocation

page read and write

57AC000

stack

page read and write

4E2F000

trusted library allocation

page read and write

8B9E000

stack

page read and write

CC7000

heap

page read and write

286B000

stack

page read and write

C80000

trusted library allocation

page read and write

5CE0000

heap

page read and write

C5E000

stack

page read and write

5FDE000

stack

page read and write

4DDB000

trusted library allocation

page read and write

4F70000

trusted library allocation

page read and write

BE4000

trusted library allocation

page read and write

8DE0000

heap

page read and write

2C82000

trusted library allocation

page read and write

BF0000

trusted library allocation

page read and write

865E000

stack

page read and write

4E60000

trusted library allocation

page read and write

4DD0000

trusted library allocation

page read and write

12BD000

trusted library allocation

page execute and read and write

A50000

heap

page read and write

2E4D000

trusted library allocation

page read and write

6F00000

trusted library allocation

page read and write

CA0000

heap

page read and write

BED000

trusted library allocation

page execute and read and write

6950000

trusted library allocation

page execute and read and write

There are 231 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
z81zEuzkJPHHV3KYua.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportz81zEuzkJPHHV3KYua.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
z81zEuzkJPHHV3KYua.exe