Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

DJ5PhUwOsM.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	5.231286300665583
Filename:	DJ5PhUwOsM.exe
Filesize:	335872
MD5:	d61526463472da19dd8869f484a8f4ef
SHA1:	20514ac586fb6847057be18ecf00b84cda7e948f
SHA256:	65ea7c521264d69a5e044a2fa7aa5a330385e733b1cefbff31cb805abaf067fa
SHA512:	925089713ea4877de9300c0998eabcef4850af08ea6e7a12704e92736928461e54a8fa8cb56c3c910ca334e5395a5497f38715237970f4f70532a26405cd3fee
SSDEEP:	3072:7+2Lmlx1JlKiSBTxbBGiz64tlyz5X0JdYA4TQTnDrGdQo9bFxYo9OtVa2M:7+2Lmlx1JldSVxbBF643yOdxBDrGVbHR
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.qhR.qhR.qhR..wX.zhR..t\.phR..wV.shR..g..thR.qhS.nhR..wY.shR..nT.phR.RichqhR.........................PE..L...)..P...........

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Sample uses string decryption to hide its real strings	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Drops PE files	Persistence and Installation Behavior
PE file contains executable resources (Code or Archives)	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara signature match	System Summary
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
Contains functionality to load and extract PE file embedded resources	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary

C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe
Category:	dropped
Dump:	FB_7BD8.tmp.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\DJ5PhUwOsM.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	4.998082516808912
Encrypted:	false
Ssdeep:	3072:Z+2Lmlx1JlKiSBTxbBGiz64tlyz5X0JdYA4:Z+2Lmlx1JldSVxbBF643yOdx
Size:	240128
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for dropped file	AV Detection
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	Data from Local System OS Credential Dumping
Tries to harvest and steal ftp login credentials	Stealing of Sensitive Information	Data from Local System OS Credential Dumping
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Windows Management Instrumentation
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara detected Credential Stealer	Stealing of Sensitive Information
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Checks if Microsoft Office is installed	System Summary	System Information Discovery

C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe
Category:	dropped
Dump:	FB_7D21.tmp.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\DJ5PhUwOsM.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.066050319145751
Encrypted:	false
Ssdeep:	1536:mj2knMmhKdS08aK+rgYkdQOV9bFejQ4HyLPnqo9OMwPvyia:mQTnDrGdQo9bFxYo9OtVa
Size:	76800
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for dropped file	AV Detection
Protects its processes via BreakOnTermination flag	Operating System Destruction
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Yara detected Generic Downloader	Networking
Abnormal high CPU Usage	System Summary
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Security Software Discovery Windows Management Instrumentation
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a window with clipboard capturing capabilities	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Checks the free space of harddrives	Malware Analysis System Evasion	System Information Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\DJ5PhUwOsM.exe

"C:\Users\user\Desktop\DJ5PhUwOsM.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6224
Target ID:	0
Parent PID:	1028
Name:	DJ5PhUwOsM.exe
Path:	C:\Users\user\Desktop\DJ5PhUwOsM.exe
Commandline:	"C:\Users\user\Desktop\DJ5PhUwOsM.exe"
Size:	335872
MD5:	D61526463472DA19DD8869F484A8F4EF
Time:	09:36:16
Date:	25/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	335872
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Telegram Recon	Language, Device and Operating System Detection
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
PE file contains executable resources (Code or Archives)	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe

"C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe"

Details

Is windows:	false
Is dropped:	true
PID:	6404
Target ID:	2
Parent PID:	6224
Name:	FB_7BD8.tmp.exe
Path:	C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe
Commandline:	"C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe"
Size:	240128
MD5:	A21DF2C0CCA131EB534F520FD641ADB5
Time:	09:36:17
Date:	25/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x4d0000
Modulesize:	262144
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Dropped file seen in connection with other malware	System Summary
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe

"C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe"

Details

Is windows:	false
Is dropped:	true
PID:	4444
Target ID:	3
Parent PID:	6224
Name:	FB_7D21.tmp.exe
Path:	C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe
Commandline:	"C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe"
Size:	76800
MD5:	068C99328320CAAA7C5F2D31B0FF214B
Time:	09:36:17
Date:	25/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xfa0000
Modulesize:	106496
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

89.40.31.232

Details

Name:	89.40.31.232
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\DJ5PhUwOsM.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

https://api.ipify.org/

104.26.13.205

Details

Name:	https://api.ipify.org/
IP:	104.26.13.205
TargetID:	2
From Memory:	false
Current Path:	C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://api.ipify.org

unknown

https://account.dyn.com/

unknown

https://api.telegram.org/bot5630894183:AAFSNB69Q2a6dw-6XMnWlasTfT2befh82Rk/sendMessage?chat_id=793028759&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AEB01AAE6F744B3247914%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20LYRNOABZ9%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%2028Nov2024

149.154.167.220

Details

Name:	https://api.telegram.org/bot5630894183:AAFSNB69Q2a6dw-6XMnWlasTfT2befh82Rk/sendMessage?chat_id=793028759&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AEB01AAE6F744B3247914%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20LYRNOABZ9%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%2028Nov2024
IP:	149.154.167.220
TargetID:	3
From Memory:	false
Current Path:	C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
IP address seen in connection with other malware	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://api.ipify.org/t

unknown

Details

Name:	https://api.ipify.org/t
TargetID:	2
From Memory:	true
Current Path:	C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe
Source:	FB_7BD8.tmp.exe, 00000002.00000002.4524594091.0000000002861000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://api.telegram.org/bot

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	2
From Memory:	true
Current Path:	C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe
Source:	FB_7BD8.tmp.exe, 00000002.00000002.4524594091.0000000002861000.00000004.00000800.00020000.00000000.sdmp, FB_7D21.tmp.exe, 00000003.00000002.4524379102.0000000003341000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://microsoft.co

unknown

Details

Name:	http://microsoft.co
TargetID:	3
From Memory:	true
Current Path:	C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe
Source:	FB_7D21.tmp.exe, 00000003.00000002.4527812703.000000001C1DB000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

api.ipify.org

104.26.13.205

Details

Name:	api.ipify.org
IP:	104.26.13.205
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

api.telegram.org

149.154.167.220

Details

Name:	api.telegram.org
IP:	149.154.167.220
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses the Telegram API (likely for C&C communication)	Networking	Web Service
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

89.40.31.232

unknown

Romania

Details

IP:	89.40.31.232
TargetID:	3
Current Path:	C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe
Country:	Romania
Countrycode:	ROU
ASN number:	35512
ASN name:	TELEMEDIA-ASRO
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

162.254.34.31

unknown

United States

Details

IP:	162.254.34.31
TargetID:	2
Current Path:	C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe
Country:	United States
Countrycode:	USA
ASN number:	64200
ASN name:	VIVIDHOSTINGUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking

149.154.167.220

api.telegram.org

United Kingdom

Details

IP:	149.154.167.220
TargetID:	3
Current Path:	C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	62041
ASN name:	TELEGRAMRU
Private:	false
Domain:	api.telegram.org

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

104.26.13.205

api.ipify.org

United States

Details

IP:	104.26.13.205
TargetID:	2
Current Path:	C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager

PendingFileRenameOperations

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager

PendingFileRenameOperations

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager

PendingFileRenameOperations

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager

PendingFileRenameOperations

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\FB_7BD8_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\FB_7BD8_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\FB_7BD8_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\FB_7BD8_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\FB_7BD8_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\FB_7BD8_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\FB_7BD8_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\FB_7BD8_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\FB_7BD8_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\FB_7BD8_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\FB_7BD8_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\FB_7BD8_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\FB_7BD8_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\FB_7BD8_RASMANCS

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FB_7D21_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FB_7D21_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FB_7D21_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FB_7D21_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FB_7D21_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FB_7D21_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FB_7D21_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FB_7D21_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FB_7D21_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FB_7D21_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FB_7D21_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FB_7D21_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FB_7D21_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FB_7D21_RASMANCS

FileDirectory

There are 23 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

404000

unkown

page readonly

FA2000

unkown

page readonly

28D9000

trusted library allocation

page read and write

404000

unkown

page readonly

3341000

trusted library allocation

page read and write

4D2000

unkown

page readonly

28B1000

trusted library allocation

page read and write

1C1DB000

heap

page read and write

645E000

stack

page read and write

495D000

stack

page read and write

78E000

heap

page read and write

1755000

heap

page read and write

CFE000

stack

page read and write

4CB6000

trusted library allocation

page read and write

1C00E000

stack

page read and write

1C136000

heap

page read and write

14A9000

heap

page read and write

7FF848FC0000

trusted library allocation

page execute and read and write

1409000

heap

page read and write

BF0000

heap

page read and write

4CC2000

trusted library allocation

page read and write

640000

heap

page read and write

E87000

heap

page read and write

3160000

heap

page execute and read and write

1BF0E000

stack

page read and write

1413000

heap

page read and write

E6E000

stack

page read and write

7FF848E24000

trusted library allocation

page read and write

1370000

heap

page read and write

910000

heap

page read and write

9C4000

heap

page read and write

635E000

stack

page read and write

1C15A000

heap

page read and write

4E6C000

stack

page read and write

2BDF000

stack

page read and write

7FF848E0D000

trusted library allocation

page execute and read and write

599000

stack

page read and write

1CF5C000

stack

page read and write

951000

heap

page read and write

6497000

trusted library allocation

page read and write

1B6CB000

heap

page read and write

13341000

trusted library allocation

page read and write

31E0000

heap

page execute and read and write

4CCE000

trusted library allocation

page read and write

5E0000

heap

page read and write

64F0000

trusted library allocation

page execute and read and write

7FF848E03000

trusted library allocation

page execute and read and write

2690000

trusted library allocation

page read and write

658E000

stack

page read and write

1CD5A000

stack

page read and write

1F0000

heap

page read and write

1BE04000

stack

page read and write

E07000

trusted library allocation

page execute and read and write

BE0000

trusted library allocation

page read and write

BDD000

trusted library allocation

page execute and read and write

7FF848E04000

trusted library allocation

page read and write

26B8000

trusted library allocation

page read and write

BC4000

trusted library allocation

page read and write

7FF848EBC000

trusted library allocation

page execute and read and write

E0B000

trusted library allocation

page execute and read and write

2D1C000

stack

page read and write

28AD000

trusted library allocation

page read and write

5F2F000

stack

page read and write

400000

unkown

page readonly

7FF848EB0000

trusted library allocation

page read and write

2750000

heap

page read and write

14A7000

heap

page read and write

4CBB000

trusted library allocation

page read and write

289F000

trusted library allocation

page read and write

FA0000

unkown

page readonly

1733000

heap

page read and write

21EE000

stack

page read and write

5BE000

stack

page read and write

1B8CD000

stack

page read and write

E20000

trusted library allocation

page read and write

BEA000

trusted library allocation

page execute and read and write

2670000

heap

page read and write

6960000

trusted library allocation

page read and write

E70000

trusted library allocation

page execute and read and write

4CE2000

trusted library allocation

page read and write

38C7000

trusted library allocation

page read and write

AF0000

heap

page read and write

3861000

trusted library allocation

page read and write

3230000

heap

page read and write

5430000

heap

page read and write

65D0000

trusted library allocation

page execute and read and write

E05000

trusted library allocation

page execute and read and write

953000

heap

page read and write

4CD1000

trusted library allocation

page read and write

4D30000

heap

page read and write

7FF848FB0000

trusted library allocation

page read and write

402000

unkown

page readonly

144C000

heap

page read and write

285E000

stack

page read and write

333E000

stack

page read and write

1452000

heap

page read and write

4D10000

heap

page execute and read and write

780000

heap

page read and write

7B0000

heap

page read and write

2A9F000

stack

page read and write

13B0000

heap

page read and write

5E0000

heap

page read and write

7FF848EE6000

trusted library allocation

page execute and read and write

938000

heap

page read and write

1C51B000

stack

page read and write

647D000

trusted library allocation

page read and write

61EE000

stack

page read and write

299E000

stack

page read and write

33C6000

trusted library allocation

page read and write

19A000

stack

page read and write

141F000

heap

page read and write

1340000

heap

page read and write

982000

heap

page read and write

1C1FF000

heap

page read and write

295F000

stack

page read and write

BD0000

trusted library allocation

page read and write

6310000

trusted library allocation

page read and write

4CB0000

trusted library allocation

page read and write

401000

unkown

page execute read

BE6000

trusted library allocation

page execute and read and write

7FF848FA2000

trusted library allocation

page read and write

4CA0000

trusted library allocation

page read and write

6480000

heap

page read and write

7FF848E2B000

trusted library allocation

page execute and read and write

13E0000

heap

page read and write

1C10E000

stack

page read and write

1D0DF000

stack

page read and write

285E000

stack

page read and write

7FF848E2D000

trusted library allocation

page execute and read and write

BB0000

trusted library allocation

page read and write

1421000

heap

page read and write

FB6000

unkown

page readonly

BE2000

trusted library allocation

page read and write

271E000

stack

page read and write

6950000

trusted library allocation

page read and write

3100000

heap

page read and write

530000

heap

page read and write

6319000

trusted library allocation

page read and write

4CCA000

trusted library allocation

page read and write

26A0000

heap

page execute and read and write

7FA00000

trusted library allocation

page execute and read and write

645000

heap

page read and write

A10000

heap

page read and write

65E0000

trusted library allocation

page read and write

5C4A000

heap

page read and write

1390000

heap

page read and write

6C30000

heap

page read and write

4CDD000

trusted library allocation

page read and write

7FF848E00000

trusted library allocation

page read and write

4E80000

heap

page read and write

97F000

stack

page read and write

7FF848FD0000

trusted library allocation

page execute and read and write

2230000

heap

page read and write

1C1D9000

heap

page read and write

1C1D7000

heap

page read and write

3889000

trusted library allocation

page read and write

542D000

stack

page read and write

13B5000

heap

page read and write

1750000

heap

page read and write

4CD6000

trusted library allocation

page read and write

4F8C000

stack

page read and write

1CE58000

stack

page read and write

7FF848E20000

trusted library allocation

page read and write

1C85E000

stack

page read and write

4CF0000

trusted library allocation

page read and write

21A0000

heap

page read and write

65E7000

trusted library allocation

page read and write

222E000

stack

page read and write

33A1000

trusted library allocation

page read and write

16AE000

stack

page read and write

9F8000

heap

page read and write

7FF848F20000

trusted library allocation

page execute and read and write

7FF848E13000

trusted library allocation

page read and write

1350000

heap

page read and write

62EE000

stack

page read and write

946000

heap

page read and write

281F000

stack

page read and write

1C310000

heap

page read and write

1730000

heap

page read and write

1BD05000

stack

page read and write

7E6000

heap

page read and write

1C110000

heap

page read and write

7FF474C90000

trusted library allocation

page execute and read and write

BC3000

trusted library allocation

page execute and read and write

4CBE000

trusted library allocation

page read and write

E02000

trusted library allocation

page read and write

B3E000

stack

page read and write

185C000

stack

page read and write

8F9000

stack

page read and write

FA0000

unkown

page readonly

5E5000

heap

page read and write

99C000

heap

page read and write

E80000

heap

page read and write

402000

unkown

page readonly

12F1000

stack

page read and write

6490000

trusted library allocation

page read and write

16F0000

trusted library allocation

page read and write

16C0000

trusted library allocation

page read and write

5C21000

heap

page read and write

14D5000

heap

page read and write

16E0000

trusted library allocation

page read and write

1C41E000

stack

page read and write

28EA000

trusted library allocation

page read and write

9B000

stack

page read and write

401000

unkown

page execute read

189E000

unkown

page read and write

5BF0000

heap

page read and write

BCD000

trusted library allocation

page execute and read and write

64DD000

stack

page read and write

78A000

heap

page read and write

1D4DC000

stack

page read and write

1D3DA000

stack

page read and write

7FF848EB6000

trusted library allocation

page read and write

2861000

trusted library allocation

page read and write

918000

heap

page read and write

BC0000

trusted library allocation

page read and write

13EC000

heap

page read and write

64E0000

trusted library allocation

page read and write

13FE000

heap

page read and write

6990000

heap

page read and write

4D00000

trusted library allocation

page read and write

1C162000

heap

page read and write

141D000

heap

page read and write

1C13C000

heap

page read and write

16F3000

trusted library allocation

page read and write

33A5000

trusted library allocation

page read and write

400000

unkown

page readonly

1D0E0000

heap

page read and write

7FF848FA0000

trusted library allocation

page read and write

6470000

trusted library allocation

page read and write

266C000

stack

page read and write

9F2000

heap

page read and write

7FF848EC0000

trusted library allocation

page execute and read and write

57E000

stack

page read and write

BF7000

heap

page read and write

2C1C000

stack

page read and write

7FF848E5C000

trusted library allocation

page execute and read and write

69A0000

trusted library allocation

page execute and read and write

4E83000

heap

page read and write

2896000

trusted library allocation

page read and write

1CC5F000

stack

page read and write

4D0000

unkown

page readonly

7FF848E1D000

trusted library allocation

page execute and read and write

2ADE000

stack

page read and write

74E000

stack

page read and write

7FF848E10000

trusted library allocation

page read and write

1B370000

trusted library allocation

page read and write

91E000

heap

page read and write

There are 238 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
DJ5PhUwOsM.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportDJ5PhUwOsM.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
DJ5PhUwOsM.exe