Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

MV Nicos Tomasos Vessel Parts.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.202812833451401
Filename:	MV Nicos Tomasos Vessel Parts.exe
Filesize:	591360
MD5:	83050104bb90edac542d79e85804c457
SHA1:	da8f36787211711c57a9d2cee3866f4cc8e77173
SHA256:	4dcd586650a966fdcfd3259fbc5a7cc291bc6bfa86300975eba687dead7cdbf3
SHA512:	e2faed6275bfaa0c2162b9284b7353f79206d8ecd1f3504dbdc1bb4099dba66b9df94aa718a52e41a99c05d1ee4581db9b19be934fae9d6e0e14bb03d5f8ed88
SSDEEP:	12288:ZbRKjP7ne23gAcdtfD1hUK/IBW+hb9LinPXPgm:DKjP7e23gAcvfD1gW+Vy
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ... ....@.. .......................`............@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary	Security Software Discovery
Multi AV Scanner detection for submitted file	AV Detection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp Security Software Discovery
Checks if the current process is being debugged	Anti Debugging
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Security Software Discovery
Detected potential crypto function	System Summary	Security Software Discovery Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion Security Software Discovery
One or more processes crash	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Security Software Discovery System Information Discovery
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery
Uses 32bit PE files	Compliance, System Summary	Masquerading
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking	Security Software Discovery
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MV Nicos Tomasos Vessel Parts.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MV Nicos Tomasos Vessel Parts.exe.log
Category:	dropped
Dump:	MV Nicos Tomasos Vessel Parts.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.349842958726647
Encrypted:	false
Ssdeep:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M9XKbbDLI4MWuPJKAVKhat92n4M6:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84j
Size:	706
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MV Nicos Tomasos_b692d4534bd2b1b9e5532da6cfaa5e4d81bb2595_a4498119_50bfddeb-fee5-46c2-9160-f42a9ccc2a6d\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MV Nicos Tomasos_b692d4534bd2b1b9e5532da6cfaa5e4d81bb2595_a4498119_50bfddeb-fee5-46c2-9160-f42a9ccc2a6d\Report.wer
Category:	dropped
Dump:	Report.wer.4.dr
ID:	dr_1
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	1.1019135460272063
Encrypted:	false
Ssdeep:	192:1QWDDX0T0BU/6aice36izuiF8Z24IO86:XDDX0ABU/6ajVizuiF8Y4IO86
Size:	65536
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4F42.tmp.dmp

Mini DuMP crash report, 15 streams, Thu Jan 16 01:35:17 2025, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER4F42.tmp.dmp
Category:	dropped
Dump:	WER4F42.tmp.dmp.4.dr
ID:	dr_3
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 15 streams, Thu Jan 16 01:35:17 2025, 0x1205a4 type
Entropy:	3.7985620357010896
Encrypted:	false
Ssdeep:	3072:qnY2YS4uEqVLTgL0yJUDJQ4CGofzLW0f:qnjYS4MTgL0yJUDJ37ezX
Size:	263696
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER50BA.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER50BA.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER50BA.tmp.WERInternalMetadata.xml.4.dr
ID:	dr_4
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.7220556844265995
Encrypted:	false
Ssdeep:	96:RSIU6o7wVetb1EE6akYy/4xuQE/8085aM4UG89bYHsfz9om:R6l7wVeJeE6akYi400prG89bYHsfz9om
Size:	6396
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER50DA.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER50DA.tmp.xml
Category:	dropped
Dump:	WER50DA.tmp.xml.4.dr
ID:	dr_5
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.502314883366749
Encrypted:	false
Ssdeep:	48:cvIwWl8zs/Jg77aI983WpW8VYdYm8M4JpjFio+q8E/GPr4d:uIjfhI7yG7VFJBGPr4d
Size:	4754
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.4.dr
ID:	dr_2
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.4657343715061
Encrypted:	false
Ssdeep:	6144:iIXfpi67eLPU9skLmb0b4vWSPKaJG8nAgejZMMhA2gX4WABl0uNldwBCswSbP:HXD94vWlLZMM6YFH/+P
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe

"C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6784
Target ID:	0
Parent PID:	2580
Name:	MV Nicos Tomasos Vessel Parts.exe
Path:	C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe
Commandline:	"C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe"
Size:	591360
MD5:	83050104BB90EDAC542D79E85804C457
Time:	20:35:04
Date:	15/01/2025
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x190000
Modulesize:	614400
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe

"C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6848
Target ID:	1
Parent PID:	6784
Name:	MV Nicos Tomasos Vessel Parts.exe
Path:	C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe
Commandline:	"C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe"
Size:	591360
MD5:	83050104BB90EDAC542D79E85804C457
Time:	20:35:04
Date:	15/01/2025
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xeb0000
Modulesize:	614400
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6848 -s 1488

Details

Is windows:	true
Is dropped:	false
PID:	3260
Target ID:	4
Parent PID:	6848
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6848 -s 1488
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	20:35:17
Date:	15/01/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xff0000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://upx.sf.net

unknown

http://checkip.dyndns.org

unknown

Details

Name:	http://checkip.dyndns.org
TargetID:	1
From Memory:	true
Current Path:	C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe
Source:	MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1987166158.0000000003231000.00000004.00000800.00020000.00000000.sdmp, MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1987166158.00000000032F4000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://checkip.dyndns.org/

193.122.6.168

Details

Name:	http://checkip.dyndns.org/
IP:	193.122.6.168
TargetID:	1
From Memory:	false
Current Path:	C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking

http://checkip.dyndns.com

unknown

Details

Name:	http://checkip.dyndns.com
TargetID:	1
From Memory:	true
Current Path:	C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe
Source:	MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1987166158.00000000032F4000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	1
From Memory:	true
Current Path:	C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe
Source:	MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1987166158.0000000003231000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://checkip.dyndns.org/q

unknown

Details

Name:	http://checkip.dyndns.org/q
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe
Source:	MV Nicos Tomasos Vessel Parts.exe, 00000000.00000002.1741154645.00000000036B6000.00000004.00000800.00020000.00000000.sdmp, MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1985907468.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://reallyfreegeoip.org/xml/

unknown

Details

Name:	https://reallyfreegeoip.org/xml/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe
Source:	MV Nicos Tomasos Vessel Parts.exe, 00000000.00000002.1741154645.00000000036B6000.00000004.00000800.00020000.00000000.sdmp, MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1985907468.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

checkip.dyndns.com

193.122.6.168

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

193.122.6.168

checkip.dyndns.com

United States

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MV Nicos Tomasos Vessel Parts_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MV Nicos Tomasos Vessel Parts_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MV Nicos Tomasos Vessel Parts_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MV Nicos Tomasos Vessel Parts_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MV Nicos Tomasos Vessel Parts_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MV Nicos Tomasos Vessel Parts_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MV Nicos Tomasos Vessel Parts_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MV Nicos Tomasos Vessel Parts_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MV Nicos Tomasos Vessel Parts_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MV Nicos Tomasos Vessel Parts_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MV Nicos Tomasos Vessel Parts_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MV Nicos Tomasos Vessel Parts_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MV Nicos Tomasos Vessel Parts_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MV Nicos Tomasos Vessel Parts_RASMANCS

FileDirectory

\REGISTRY\A\{1be27620-887f-39fc-9395-778e50f30d08}\Root\InventoryApplicationFile\mv nicos tomasos|4277eda7dd2b1cbb

ProgramId

\REGISTRY\A\{1be27620-887f-39fc-9395-778e50f30d08}\Root\InventoryApplicationFile\mv nicos tomasos|4277eda7dd2b1cbb

FileId

\REGISTRY\A\{1be27620-887f-39fc-9395-778e50f30d08}\Root\InventoryApplicationFile\mv nicos tomasos|4277eda7dd2b1cbb

LowerCaseLongPath

\REGISTRY\A\{1be27620-887f-39fc-9395-778e50f30d08}\Root\InventoryApplicationFile\mv nicos tomasos|4277eda7dd2b1cbb

LongPathHash

\REGISTRY\A\{1be27620-887f-39fc-9395-778e50f30d08}\Root\InventoryApplicationFile\mv nicos tomasos|4277eda7dd2b1cbb

Name

\REGISTRY\A\{1be27620-887f-39fc-9395-778e50f30d08}\Root\InventoryApplicationFile\mv nicos tomasos|4277eda7dd2b1cbb

OriginalFileName

\REGISTRY\A\{1be27620-887f-39fc-9395-778e50f30d08}\Root\InventoryApplicationFile\mv nicos tomasos|4277eda7dd2b1cbb

Publisher

\REGISTRY\A\{1be27620-887f-39fc-9395-778e50f30d08}\Root\InventoryApplicationFile\mv nicos tomasos|4277eda7dd2b1cbb

Version

\REGISTRY\A\{1be27620-887f-39fc-9395-778e50f30d08}\Root\InventoryApplicationFile\mv nicos tomasos|4277eda7dd2b1cbb

BinFileVersion

\REGISTRY\A\{1be27620-887f-39fc-9395-778e50f30d08}\Root\InventoryApplicationFile\mv nicos tomasos|4277eda7dd2b1cbb

BinaryType

\REGISTRY\A\{1be27620-887f-39fc-9395-778e50f30d08}\Root\InventoryApplicationFile\mv nicos tomasos|4277eda7dd2b1cbb

ProductName

\REGISTRY\A\{1be27620-887f-39fc-9395-778e50f30d08}\Root\InventoryApplicationFile\mv nicos tomasos|4277eda7dd2b1cbb

ProductVersion

\REGISTRY\A\{1be27620-887f-39fc-9395-778e50f30d08}\Root\InventoryApplicationFile\mv nicos tomasos|4277eda7dd2b1cbb

LinkDate

\REGISTRY\A\{1be27620-887f-39fc-9395-778e50f30d08}\Root\InventoryApplicationFile\mv nicos tomasos|4277eda7dd2b1cbb

BinProductVersion

\REGISTRY\A\{1be27620-887f-39fc-9395-778e50f30d08}\Root\InventoryApplicationFile\mv nicos tomasos|4277eda7dd2b1cbb

AppxPackageFullName

\REGISTRY\A\{1be27620-887f-39fc-9395-778e50f30d08}\Root\InventoryApplicationFile\mv nicos tomasos|4277eda7dd2b1cbb

AppxPackageRelativeId

\REGISTRY\A\{1be27620-887f-39fc-9395-778e50f30d08}\Root\InventoryApplicationFile\mv nicos tomasos|4277eda7dd2b1cbb

Size

\REGISTRY\A\{1be27620-887f-39fc-9395-778e50f30d08}\Root\InventoryApplicationFile\mv nicos tomasos|4277eda7dd2b1cbb

Language

\REGISTRY\A\{1be27620-887f-39fc-9395-778e50f30d08}\Root\InventoryApplicationFile\mv nicos tomasos|4277eda7dd2b1cbb

Usn

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData

ClockTimeSeconds

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData

TickCount

There are 26 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

3231000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

36B6000

trusted library allocation

page read and write

1760000

trusted library allocation

page read and write

2611000

trusted library allocation

page read and write

18AF000

stack

page read and write

A2A000

trusted library allocation

page execute and read and write

192000

unkown

page readonly

3064000

trusted library allocation

page read and write

B80000

trusted library allocation

page read and write

1790000

trusted library allocation

page execute and read and write

17A0000

heap

page read and write

53CE000

stack

page read and write

4E10000

heap

page execute and read and write

3B7000

stack

page read and write

190000

unkown

page readonly

C65000

trusted library allocation

page read and write

3080000

heap

page execute and read and write

3050000

trusted library allocation

page read and write

870000

heap

page read and write

173B000

trusted library allocation

page execute and read and write

A03000

trusted library allocation

page execute and read and write

4BC0000

trusted library section

page read and write

1770000

heap

page read and write

A0D000

trusted library allocation

page execute and read and write

81A000

heap

page read and write

A26000

trusted library allocation

page execute and read and write

1740000

heap

page read and write

C50000

trusted library allocation

page read and write

6D5000

heap

page read and write

172A000

trusted library allocation

page execute and read and write

674F000

stack

page read and write

1737000

trusted library allocation

page execute and read and write

1720000

trusted library allocation

page read and write

C70000

heap

page read and write

5BAE000

stack

page read and write

664F000

stack

page read and write

4C4E000

trusted library allocation

page read and write

4259000

trusted library allocation

page read and write

C60000

trusted library allocation

page read and write

14F6000

heap

page read and write

4C65000

trusted library allocation

page read and write

16BE000

stack

page read and write

32F0000

trusted library allocation

page read and write

310D000

stack

page read and write

4C51000

trusted library allocation

page read and write

5745000

trusted library allocation

page read and write

1340000

heap

page read and write

4CC0000

trusted library section

page read and write

A04000

trusted library allocation

page read and write

4CB0000

trusted library allocation

page read and write

1710000

trusted library allocation

page read and write

2600000

heap

page read and write

7B0000

heap

page read and write

470D000

stack

page read and write

14B0000

heap

page read and write

2BB000

stack

page read and write

505E000

stack

page read and write

3060000

trusted library allocation

page read and write

14AE000

stack

page read and write

5980000

heap

page read and write

58F0000

heap

page read and write

322F000

stack

page read and write

7F0000

heap

page read and write

A3B000

trusted library allocation

page execute and read and write

57BD000

stack

page read and write

400000

remote allocation

page execute and read and write

36B4000

trusted library allocation

page read and write

C47000

trusted library allocation

page read and write

1350000

heap

page read and write

535E000

stack

page read and write

4CB5000

trusted library allocation

page read and write

146E000

stack

page read and write

170D000

trusted library allocation

page execute and read and write

834000

heap

page read and write

3066000

trusted library allocation

page read and write

67E000

stack

page read and write

1703000

trusted library allocation

page execute and read and write

630000

heap

page read and write

4DFE000

stack

page read and write

FDB000

stack

page read and write

694E000

stack

page read and write

A50000

heap

page read and write

14C0000

heap

page read and write

32F4000

trusted library allocation

page read and write

C6D000

trusted library allocation

page read and write

30CE000

stack

page read and write

1726000

trusted library allocation

page execute and read and write

6D0000

heap

page read and write

1587000

heap

page read and write

85C000

heap

page read and write

6BE000

stack

page read and write

4C89000

trusted library allocation

page read and write

B5E000

stack

page read and write

B90000

heap

page execute and read and write

4C84000

trusted library allocation

page read and write

C68000

trusted library allocation

page read and write

5E1E000

stack

page read and write

1704000

trusted library allocation

page read and write

4C8E000

trusted library allocation

page read and write

7FE000

heap

page read and write

3070000

trusted library allocation

page read and write

C20000

trusted library allocation

page read and write

4C30000

trusted library allocation

page read and write

251E000

stack

page read and write

BDE000

stack

page read and write

525F000

stack

page read and write

515E000

stack

page read and write

B60000

trusted library allocation

page read and write

654F000

stack

page read and write

684E000

stack

page read and write

3611000

trusted library allocation

page read and write

7FA000

heap

page read and write

3120000

heap

page read and write

1732000

trusted library allocation

page read and write

4C10000

trusted library allocation

page read and write

5B6E000

stack

page read and write

4E9E000

stack

page read and write

4D0E000

stack

page read and write

5DDE000

stack

page read and write

C40000

trusted library allocation

page read and write

A14000

trusted library allocation

page read and write

4C20000

heap

page read and write

A00000

trusted library allocation

page read and write

4C32000

trusted library allocation

page read and write

A10000

trusted library allocation

page read and write

5CDF000

stack

page read and write

14DE000

heap

page read and write

A37000

trusted library allocation

page execute and read and write

5BD0000

heap

page execute and read and write

307B000

trusted library allocation

page read and write

4C80000

trusted library allocation

page read and write

1730000

trusted library allocation

page read and write

5E9E000

stack

page read and write

58CD000

stack

page read and write

14E9000

heap

page read and write

4237000

trusted library allocation

page read and write

4C56000

trusted library allocation

page read and write

5750000

trusted library allocation

page read and write

620000

heap

page read and write

85F000

heap

page read and write

1355000

heap

page read and write

12F7000

stack

page read and write

4C90000

trusted library allocation

page read and write

4C70000

trusted library allocation

page read and write

9EF000

stack

page read and write

C58000

trusted library allocation

page read and write

862000

heap

page read and write

16F0000

trusted library allocation

page read and write

4E5E000

stack

page read and write

14C8000

heap

page read and write

4C34000

trusted library allocation

page read and write

15B4000

heap

page read and write

C1E000

stack

page read and write

58E0000

heap

page read and write

5E5E000

stack

page read and write

4231000

trusted library allocation

page read and write

4C3B000

trusted library allocation

page read and write

9F0000

trusted library allocation

page read and write

4BBE000

stack

page read and write

3615000

trusted library allocation

page read and write

25FE000

stack

page read and write

B70000

trusted library allocation

page execute and read and write

There are 153 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
MV Nicos Tomasos Vessel Parts.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportMV Nicos Tomasos Vessel Parts.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
MV Nicos Tomasos Vessel Parts.exe